One of my former students contacted me after reading my last diary entry "An autograph from the Dridex gang" with a question: how to detect Word documents with signed VBA code?
I did some research: official Microsoft documentation can be found in the document "Visual Basic for Applications Digital Signature".
The presence of UNICODE strings SigAgile and Sign start the digital signature in binary Word documents:
More details can be found here: "The content field of the contentInfo of this SignedData structure MUST be a SpcIndirectDataContent structure".
The Object Identifier (OID) for structure SpcIndirectDataContent is "18.104.22.168.4.1.322.214.171.124".
That is "06 0A 2B 06 01 04 01 82 37 02 01 04" in binary.
Creating a YARA rule with these strings is simple.
Remark: this rule will not check if the scanned file is a OLE file. To restrict the detection to OLE files, prefix the condition with "uint32be(0) == 0xD0CF11E0 and ".
Feb 11th 2018
5 months ago