A quick blog post which popped up in my mind after a friend posted a question on Twitter this afternoon: "How to search for Office documents containing macros on a NAS?". This is a good idea to search for such documents as VBA macros are known to be a good infection vector and come back regularly in the news, like in the Rocket Kitten campaign.

My first idea was to use the oledump tool developed by Didier Stevens. Without any command line option, this nice tool lists the streams contained in a document and macros are flagged with an "M", like in the example below:

```
# oledump.py /tmp/Suspicious/Invoice.doc
```

But this requires grepping for the "M" in the output and adds some complexity. Didier responded on Twitter with another tool he also developed: filescanner.exe. This tool does exactly the job we expect by searching for patterns in a file, but it runs only on Windows! Being a UNIX guy, why not use YARA with a custom signature to achieve this? As Didier said, an Office document containing a macro can be detected by searching for the following patterns:

Let's write a simple YARA rule:

```
rule office_macro
    description = "M$ Office document containing a macro"
```

Finally, let's mount our NAS share (NFS, CIFS, AFS, …) and use the standard UNIX tool "find" to search for juicy files:

```
# mkdir /mnt/share
# smbmount //nas.lan/users /mnt/share -o username=user,password=pass,ro
# find /mnt/share -type f -size -1M -exec yara /tmp/le {} \;
Office_macro /mnt/share/xavier/tmp/Invoice.doc
Office_macro /mnt/share/tmp/TaskManager.xls
```

And you can use the power of the find command to restrict your search to only specific files. If you don't know YARA, have a look at this powerful tool.
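The same walk-the-share-and-match-patterns idea, as an added Python example for hosts where yara is not installed (this is not code from the original post). The detection strings are this example's own assumption, since the post's pattern list did not survive extraction: an OLE2 container starts with the magic bytes `D0 CF 11 E0 A1 B1 1A E1`, and a compressed VBA module stream carries the literal run `\x00Attribut\x00` from its leading `Attribute VB_Name = ...` line. The size cut-off is applied in bytes rather than through find(1): note that GNU find rounds sizes up to whole units, so `-size -1M` matches only empty files, and `-size -1024k` is the form that behaves as intended. File names and contents in `demo()` are constructed samples.

```python
"""Scan a mounted share for OLE2 Office documents that contain VBA.

Added example, not the post's own tooling.  Detection patterns below are
this example's assumption (OLE2 magic + compressed "Attribute VB_Name" token).
"""
import os
import shutil
import sys
import tempfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file header
VBA_MARKER = b"\x00Attribut\x00"                 # start of a compressed VBA module
MAX_SIZE = 1 << 20                               # 1 MiB, the post's intended cut-off


def is_macro_document(data: bytes) -> bool:
    """True when data is an OLE2 container that carries a VBA module stream."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data


def scan_share(root: str, max_size: int = MAX_SIZE) -> list:
    """Walk root (e.g. /mnt/share) and return relative paths of macro documents."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) >= max_size:
                    continue          # skip large files, like the find size filter
                with open(path, "rb") as fh:
                    data = fh.read(max_size)
            except OSError:
                continue              # unreadable entries are skipped, not fatal
            if is_macro_document(data):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo() -> list:
    """Build a constructed share in a temp dir, scan it, clean up, return hits."""
    root = tempfile.mkdtemp(prefix="nas_")
    try:
        # Constructed sample: OLE2 header, padding, then a compressed VBA prologue.
        macro_doc = OLE_MAGIC + b"\x00" * 64 + b"\x00Attribut\x00e VB_Nam\x00e = \"Module1\""
        samples = {
            "xavier/tmp/Invoice.doc": macro_doc,                            # hit
            "tmp/TaskManager.xls": macro_doc,                               # hit
            "tmp/clean.doc": OLE_MAGIC + b"\x00" * 64 + b"WordDocument",     # OLE2, no VBA
            "notes.txt": b"Attribute VB_Name = \"Module1\"",                 # text, no OLE2 header
            "tmp/huge.doc": macro_doc + b"\x00" * 8192,                     # over the size limit
        }
        for rel, payload in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(payload)
        return scan_share(root, max_size=4096)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python scan_share.py /mnt/share   (no argument runs the constructed demo)
    results = scan_share(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel in results:
        print("office_macro", rel)
```

Reading only the first `max_size` bytes keeps the scan cheap on a large share; a file that is too large to be read in full is skipped outright so the size limit and the read budget agree.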