Added MACROCHECK rule

Added MACROCHECK rule

Added MACROCHECK rule
d409cba1 · Yara Rules · 6ebf596c · d409cba1
Commit d409cba1 authored May 06, 2015 by Yara Rules
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 0 deletions

malicious_document.yar malicious_document.yar +22 -0

No files found.
--- a/malicious_document.yar
+++ b/malicious_document.yar
@@ -171,3 +171,25 @@ rule mwi_document : exploitdoc
    condition:
        all of them
 }
+rule macrocheck
+{
+    meta:
+        Author      = "Fireeye Labs"
+        Date        = "2014/11/30" 
+        Description = "Identify office documents with the MACROCHECK credential stealer in them.  It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
+        Reference   = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
+
+    strings:
+        $PARAMpword = "pword=" ascii wide
+        $PARAMmsg = "msg=" ascii wide
+        $PARAMuname = "uname=" ascii
+        $userform = "UserForm" ascii wide
+        $userloginform = "UserLoginForm" ascii wide
+        $invalid = "Invalid username or password" ascii wide
+        $up1 = "uploadPOST" ascii wide
+        $up2 = "postUpload" ascii wide
+    condition:
+        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
+}