office_document_vba update

jipegit · Dec 17, 2014 · 7c92283 · 7c92283
1 parent abf2bc9
commit 7c92283
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/Document/office_document_vba.yar b/Document/office_document_vba.yar
@@ -1,18 +1,22 @@
 rule office_document_vba
 {
 	meta:
-		description = "MS document (.doc/.xls/.ppt) with embedded VBA"
+		description = "Office document with embedded VBA"
 		author = "Jean-Philippe Teissier / @Jipe_"
 		date = "2013-12-17"
 		reference = "N/A"
 
 	strings:
-		$magic = { D0 CF 11 E0 A1 B1 1A E1 }
+		$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
+		$zipmagic = "PK"
 
-		$str1 = "_VBA_PROJECT" wide
-		$str2 = "VBAProject"
-		$str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
+		$97str1 = "_VBA_PROJECT_CUR" wide
+		$97str2 = "VBAProject"
+		$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
+
+		$xmlstr1 = "vbaProject.bin"
+		$xmlstr2 = "vbaData.xml"
 
 	condition:
-		$magic at 0 and any of ($str*)
+		($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
 }