
https://github.com/InQuest/yara-rules/blob/master/Excel_Hidden_Macro_Sheet.rule detects too many non-excel files #4

Open
MsdnUsrSince1994 opened this issue Aug 16, 2024 · 0 comments

@MsdnUsrSince1994

The rule in Excel_Hidden_Macro_Sheet.rule is overly broad and detects lots of other files that happen to be in the Microsoft COM Structured Storage container format and happen to contain the short patterns searched for. In particular, the VirusTotal.com copy of the rule often triggers on Microsoft Windows Installer (MSI) packages, which are all based on COM Structured Storage and are often large files, thereby increasing the risk of a false match on 4-byte patterns.

A better rule should start by looking for actual markers of Excel format files, then actual markers of the inner file containing macros, then search that inner file for relevant patterns. Many anti-malware software libraries already contain generic code for looking inside "COM structured storage" containers to detect Office 9x macros; hopefully the Yara framework includes functions to do the same.
