Visual Basic Obfuscation via Line Continuation
Be careful while writing YARA signatures for Microsoft Office macros. A simple technique used to bypass detection of "sub document_open()", for instance, is to break it up with the VBA line continuation character "_" (underscore). We've seen this break a few Office malware signatures, so you may wish to check your vendor.
If your vendor is only looking for "document_open" or the equivalent VBA auto-open name, then you will be okay. However, if your vendor is looking for the surrounding parentheses or the preceding "sub", then you may want to double check.
Below are three examples:
Example 1 (image not preserved): split among 3 lines
Example 2 (image not preserved): split among several lines
Example 3 (image not preserved): VirtualProtect (commonly used when executing shellcode) being imported from Kernel32, split among several lines
# Yara Rule
rule VBALineContinuationObfuscation
{
    meta:
        Author = "@acalarch, @neu5ron"
        Description = "Identifies potential VBA Obfuscation via empty line continuation, must provide yara an uncompressed vba project"
    strings:
        // space, underscore, CRLF, repeated twice: two consecutive empty continuation lines
        $a = {20 5F 0D 0A 20 5F 0D 0A}
    condition:
        $a
}
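The following is an added example, not code from the original post or its authors. It shows, on a constructed VBA module, why a naive "sub document_open(" signature misses the continuation trick, how the byte pattern from the rule above flags the empty continuation lines, and how collapsing continuations before matching recovers both the auto-exec handler and the split VirtualProtect declaration. It assumes the input is already decompressed VBA source (as the rule's description requires); the sample module, function names and regular expressions are all this example's own.

```python
import re

# Constructed sample of a decompressed VBA module (not taken from the post).
# "Sub Document_Open()" and the VirtualProtect Declare are both broken up with
# " _" line continuations, including lines that contain nothing but " _".
SAMPLE_VBA = (
    "Attribute VB_Name = \"ThisDocument\"\r\n"
    "Private Declare PtrSafe Function VirtualProtect Lib \"kernel32\" _\r\n"
    " _\r\n"
    " _\r\n"
    "(ByVal lpAddress As LongPtr, ByVal dwSize As Long, _\r\n"
    "ByVal flNewProtect As Long, lpflOldProtect As Long) As Long\r\n"
    "Sub _\r\n"
    " _\r\n"
    " _\r\n"
    "Document_Open _\r\n"
    "()\r\n"
    "    MsgBox \"hi\"\r\n"
    "End Sub\r\n"
)
SAMPLE_VBA_BYTES = SAMPLE_VBA.encode("latin-1")

# Same bytes as the YARA rule's $a: " _\r\n _\r\n" (two empty continuation lines in a row).
EMPTY_CONTINUATION = b"\x20\x5F\x0D\x0A\x20\x5F\x0D\x0A"

# A VBA continuation is whitespace, an underscore, then the line break.
CONTINUATION_RE = re.compile(r"[ \t]+_\r?\n")

# What a signature that insists on "sub" + name + "(" on one line would look for.
NAIVE_RE = re.compile(r"\bsub\s+document_open\s*\(", re.IGNORECASE)

# Auto-executing procedure names checked after normalisation.
AUTOEXEC_RE = re.compile(
    r"\bsub\s+(document_open|auto_open|autoopen|workbook_open)\s*\(\s*\)",
    re.IGNORECASE,
)

# Declare statements importing an API from a DLL, checked after normalisation.
DECLARE_RE = re.compile(
    r"\bdeclare\b(?:\s+ptrsafe)?\s+(?:function|sub)\s+(\w+)\s+lib\s+\"([^\"]+)\"",
    re.IGNORECASE,
)


def has_empty_continuation(vba_bytes: bytes) -> bool:
    """Mirror of the YARA rule: two consecutive lines consisting only of ' _'."""
    return EMPTY_CONTINUATION in vba_bytes


def join_continuations(vba_source: str) -> str:
    """Collapse ' _' + newline into a single space so split tokens become contiguous."""
    return CONTINUATION_RE.sub(" ", vba_source)


def find_autoexec(normalized: str) -> list:
    return [m.group(1).lower() for m in AUTOEXEC_RE.finditer(normalized)]


def find_declares(normalized: str) -> list:
    return [(m.group(1), m.group(2)) for m in DECLARE_RE.finditer(normalized)]


def analyze(vba_bytes: bytes) -> dict:
    """Run the raw-byte check, the naive signature and the normalised matches side by side."""
    text = vba_bytes.decode("latin-1")
    normalized = join_continuations(text)
    return {
        "empty_continuation": has_empty_continuation(vba_bytes),
        "naive_autoexec": NAIVE_RE.search(text) is not None,
        "autoexec": find_autoexec(normalized),
        "declares": find_declares(normalized),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_VBA_BYTES).items():
        print(f"{key}: {value}")
```

On the sample, the naive signature finds nothing while the byte check fires and the normalised pass reports `document_open` plus a `VirtualProtect` import from `kernel32`. The continuation regex deliberately requires whitespace before the underscore, so identifiers such as `Document_Open` are left alone; it does not account for an underscore at the end of a string literal, which a full VBA tokenizer would.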
Contributions:
Adam Swan / @acalarch
Nate Guagenti / @neu5ron