SANS ISC: Finding VBA signatures in Word documents

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

One of my former students contacted me after reading my last diary entry "An autograph from the Dridex gang" with a question: how to detect Word documents with signed VBA code?

I did some research: official Microsoft documentation can be found in the document "Visual Basic for Applications Digital Signature".

The presence of UNICODE strings SigAgile and Sign start the digital signature in binary Word documents:

More details can be found here: "The content field of the contentInfo of this SignedData structure MUST be a SpcIndirectDataContent structure".

The Object Identifier (OID) for structure SpcIndirectDataContent is "1.3.6.1.4.1.311.2.1.4".

That is "06 0A 2B 06 01 04 01 82 37 02 01 04" in binary.

Creating a YARA rule with these strings is simple.

rule WORD_VBA_SIGNATURE {
    strings:
        $sigagile = {08 00 53 00 69 00 67 00 41 00 67 00 69 00 6C 00 65 00 00 00}
        $sign = {04 00 53 00 69 00 67 00 6E 00 00 00}
        $oid = {06 0A 2B 06 01 04 01 82 37 02 01 04}
    condition:
        ($sigagile or $sign) and $oid
}

Remark: this rule will not check if the scanned file is a OLE file. To restrict the detection to OLE files, prefix the condition with "uint32be(0) == 0xD0CF11E0 and ".

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com