// Detects legacy OLE2 (.xls) workbooks that carry a hidden or very-hidden
// Excel 4.0 macro sheet whose formulas lean heavily on CHAR(), a common
// way to assemble strings/commands at runtime so they are not visible as
// plain text in the file.
rule macro_sheet_obfuscated_char {
	meta:
		description = "Finding hidden/very-hidden macros with many CHAR functions"
		Author = "DissectMalware"
		Sample = "0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b (Zloader)"
	strings:
		// OLE2 / Compound File Binary header signature; anchored at offset 0 in
		// the condition, so OOXML (zip-based) files never match this rule.
		$ole_marker = { D0 CF 11 E0 A1 B1 1A E1 }
		// BIFF BOUNDSHEET record (id 0x0085, little-endian): 2-byte length and
		// 4-byte stream offset are wildcarded; the next byte is the sheet
		// visibility (0x01 hidden, 0x02 very hidden) and the final 0x01 the
		// sheet type (macro sheet). Layout per BIFF8 BoundSheet8 — confirm
		// against the spec if adjusting the wildcards.
		$macro_sheet_h1 = { 85 00 ?? ?? ?? ?? ?? ?? 01 01 }
		$macro_sheet_h2 = { 85 00 ?? ?? ?? ?? ?? ?? 02 01 }
		// BIFF FORMULA record (id 0x0006) with a fixed-length header skipped via
		// wildcards, ending in a parsed-expression tail: ptgInt 0x003D (61, the
		// '=' character) followed by ptgFuncV with function index 0x006F
		// (111, CHAR). NOTE(review): this therefore counts CHAR(61) calls
		// specifically rather than arbitrary CHAR() usage — narrower than the
		// meta description suggests.
		$char_func = { 06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1E 3D 00 41 6F 00 }
	condition:
		// OLE2 container, at least one hidden/very-hidden macro sheet record,
		// and more than ten matching CHAR formulas (#char_func is the match count).
		$ole_marker at 0 and 1 of ($macro_sheet_h*) and #char_func > 10
}
Type Yara Rule
Details Website 2020-06-19 65 Further Evasion in the Forgotten Corners of MS-XLS