Common Information
| Type | Value |
|---|---|
| Value |
rule info_1805_14335 {
meta:
description = "info_1805.xls"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-09-12"
hash1 = "e598b9700e13f2cb1c30c6d9230152ed5716a6d6e25db702576fefeb6638005e"
strings:
$s1 = "32.exe" ascii fullword
$s2 = "System32\\X" ascii fullword
$s3 = "DocumentOwnerPassword" wide fullword
$s4 = "DocumentUserPassword" wide fullword
$s5 = "t\"&\"t\"&\"p\"&\"s:\"&\"//lo\"&\"pe\"&\"sp\"&\"ub\"&\"li\"&\"ci\"&\"da\"&\"de.c\"&\"o\"&\"m/cgi-bin/e\"&\"5R\"&\"5o\"&\"G4\"&\""
$s6 = "UniresDLL" ascii fullword
$s7 = "OEOGAJPGJPAG" ascii fullword
$s8 = "\\Windows\\" ascii fullword
$s9 = "_-* #,##0.00_-;\\-* #,##0.00_-;_-* \"-\"??_-; [email protected] _-" ascii fullword
$s10 = "_-* #,##0_-;\\-* #,##0_-;_-* \"-\"_-; [email protected] _-" ascii fullword
$s11 = "_-;_-* \"" ascii fullword
$s12 = "^{)P -z)" ascii fullword
$s13 = "ResOption1" ascii fullword
$s14 = "DocumentSummaryInformation" wide fullword
$s15 = "Root Entry" wide fullword
$s16 = "SummaryInformation" wide fullword
$s17 = "A\",\"JJCCBB\"" ascii fullword
$s18 = "Excel 4.0" ascii fullword
$s19 = "Microsoft Print to PDF" wide fullword
$s20 = "\"_-;\\-* #,##0.00\\ \"" wide fullword
condition:
uint16(0) == 0xcfd0 and filesize < 200KB and all of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |