Last active
August 10, 2020 18:22
ZLoader Anti-Sandbox Formula
rule msxls_zloader_anti_sandbox_biff_formula
{
    meta:
        description = "Finding XLS2003 documents with a specific anti-sandbox expression"
        Author = "Michael Weber (@BouncyHat)"
    strings:
        // OLE2 compound file header, required at offset 0 for a legacy XLS
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        // FORMULA record (0x0006) followed by the ptg tokens encoding
        // AND(APP.MAXIMIZE(),GET.WORKSPACE(19),GET.WORKSPACE(13)>770,GET.WORKSPACE(14)>390,GET.WORKSPACE(31)=FALSE,GET.WORKSPACE(42))
        $anti_sandbox_formula = { 06 00 [20-30] 42 00 AD 80 1E 13 00 41 BA 00 1E 0D 00 41 BA 00 1E 02 03 0D 1E 0E 00 41 BA 00 1E 86 01 0D 1E 1F 00 41 BA 00 1D 00 0B 1E 2A 00 41 BA 00 42 06 24 00 }
    condition:
        $ole_marker at 0 and $anti_sandbox_formula
}
A newer ZLoader sample changes this slightly; the signature was modified to cover both variants. Based on this formula dump entry from 6fc69f553c079f20ec20e3e95eb342658dbeef6349acbe50578c550deb3d16b6:

Formula[DK4296]: IF(OR(AND(APP.MAXIMIZE(),GET.WORKSPACE(19),GET.WORKSPACE(13)>770,GET.WORKSPACE(14)>390,GET.WORKSPACE(31)=FALSE,GET.WORKSPACE(42)),FALSE), ,HALT())

00000000 C7 10 72 00 0F 00 01 00 00 00 00 00 FF FF 20 00 Ç·r·········ÿÿ ·
00000010 C5 10 72 FF 4C 00 42 00 AD 80 1E 13 00 41 BA 00 Å·rÿL·B·-?···Aº·
00000020 1E 0D 00 41 BA 00 1E 02 03 0D 1E 0E 00 41 BA 00 ···Aº········Aº·
00000030 1E 86 01 0D 1E 1F 00 41 BA 00 1D 00 0B 1E 2A 00 ·?·····Aº·····*·
00000040 41 BA 00 42 06 24 00 1D 00 42 02 25 00 19 02 05 Aº·B·$···B·%····
00000050 00 16 19 08 0B 00 42 00 36 00 19 08 03 00 42 03 ······B·6·····B·
00000060 01 00 ··
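To show how the signature bytes map onto the formula in the dump, here is an added decoder for the BIFF8 rgce token stream (example code written for this page, not part of the gist). Its function-id table is an assumption limited to the functions this formula uses, with the ids read off the dump's correspondence with the formula (0x00BA = GET.WORKSPACE, 0x80AD = APP.MAXIMIZE with the command-function bit set); the sample bytes are the 76-byte token stream that follows the cce field (4C 00) in the dump.

```python
import struct

# iftab -> (name, fixed arity or None); ids read off this page's bytes-to-formula mapping
FTAB = {0x0001: ("IF", None), 0x0024: ("AND", None), 0x0025: ("OR", None),
        0x0036: ("HALT", None), 0x00BA: ("GET.WORKSPACE", 1)}
CETAB = {0x00AD: ("APP.MAXIMIZE", None)}   # command functions: high bit of iftab set
BINOPS = {0x03: "+", 0x04: "-", 0x05: "*", 0x06: "/", 0x07: "^", 0x08: "&",
          0x09: "<", 0x0A: "<=", 0x0B: "=", 0x0C: ">=", 0x0D: ">", 0x0E: "<>"}
# Constructed sample: the 76-byte rgce after the cce field (4C 00) in the dump above.
ZLOADER_RGCE = bytes.fromhex(
    "42 00 AD 80 1E 13 00 41 BA 00 1E 0D 00 41 BA 00 1E 02 03 0D 1E 0E 00 41 BA 00 "
    "1E 86 01 0D 1E 1F 00 41 BA 00 1D 00 0B 1E 2A 00 41 BA 00 42 06 24 00 1D 00 "
    "42 02 25 00 19 02 05 00 16 19 08 0B 00 42 00 36 00 19 08 03 00 42 03 01 00")

def _func(iftab: int) -> tuple:
    table = CETAB if iftab & 0x8000 else FTAB
    if (iftab & 0x7FFF) not in table:
        raise ValueError(f"unknown function id 0x{iftab:04X}")
    return table[iftab & 0x7FFF]

def decode_rgce(rgce: bytes) -> str:
    """Decode a BIFF8 rgce (RPN ptg token stream) into an Excel 4.0 macro formula."""
    stack, i = [], 0
    while i < len(rgce):
        ptg = rgce[i]; i += 1
        if ptg == 0x16:                               # ptgMissArg: omitted argument
            stack.append("")
        elif ptg == 0x1D:                             # ptgBool
            stack.append("TRUE" if rgce[i] else "FALSE"); i += 1
        elif ptg == 0x1E:                             # ptgInt: unsigned 16-bit LE
            stack.append(str(struct.unpack_from("<H", rgce, i)[0])); i += 2
        elif ptg in BINOPS:                           # binary operator, rhs pushed last
            rhs, lhs = stack.pop(), stack.pop()
            stack.append(f"{lhs}{BINOPS[ptg]}{rhs}")
        elif ptg == 0x19:                             # ptgAttr (IF/GOTO hints): push nothing
            grbit = rgce[i]; i += 1                   # tAttrChoose also carries a jump table
            i += 2 + 2 * (struct.unpack_from("<H", rgce, i)[0] + 1) if grbit & 0x04 else 2
        elif 0x20 <= ptg < 0x80 and ptg & 0x1F in (0x01, 0x02):   # ptgFunc / ptgFuncVar
            is_var = (ptg & 0x1F) == 0x02             # FuncVar carries its own arg count
            argc = rgce[i] if is_var else None; i += int(is_var)
            name, arity = _func(struct.unpack_from("<H", rgce, i)[0]); i += 2
            n = argc if is_var else arity
            if n is None: raise ValueError(f"{name}: fixed argument count unknown")
            args = stack[len(stack) - n:]
            del stack[len(stack) - n:]
            stack.append(f"{name}({','.join(args)})")
        else:
            raise ValueError(f"unsupported ptg 0x{ptg:02X} at offset {i - 1}")
    if len(stack) != 1: raise ValueError(f"malformed token stream: depth {len(stack)}")
    return stack[0]
```

Running decode_rgce(ZLOADER_RGCE) reproduces the IF(OR(AND(...),FALSE),,HALT()) formula from the dump, which is why the rule can key on the token bytes rather than on cell text.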