
SANS ISC: Finding VBA signatures in Word documents - SANS Internet Storm Center


Finding VBA signatures in Word documents

One of my former students contacted me after reading my last diary entry "An autograph from the Dridex gang" with a question: how to detect Word documents with signed VBA code?

I did some research: official Microsoft documentation can be found in the document "Visual Basic for Applications Digital Signature".

In binary Word documents, the start of the digital signature is marked by the UNICODE strings SigAgile or Sign.

That document also pins down the signature format: "The content field of the contentInfo of this SignedData structure MUST be a SpcIndirectDataContent structure".

The Object Identifier (OID) for structure SpcIndirectDataContent is "1.3.6.1.4.1.311.2.1.4".

That is "06 0A 2B 06 01 04 01 82 37 02 01 04" in binary.

Creating a YARA rule with these strings is simple.

rule WORD_VBA_SIGNATURE {
    strings:
        // 16-bit length prefix (8), UTF-16LE "SigAgile", UTF-16 NUL terminator
        $sigagile = {08 00 53 00 69 00 67 00 41 00 67 00 69 00 6C 00 65 00 00 00}
        // 16-bit length prefix (4), UTF-16LE "Sign", UTF-16 NUL terminator
        $sign = {04 00 53 00 69 00 67 00 6E 00 00 00}
        // DER-encoded OID 1.3.6.1.4.1.311.2.1.4 (SpcIndirectDataContent)
        $oid = {06 0A 2B 06 01 04 01 82 37 02 01 04}
    condition:
        ($sigagile or $sign) and $oid
}

Remark: this rule does not check whether the scanned file is an OLE file, so the same byte sequences in any other file type will match too. To restrict the detection to OLE files, prefix the condition with "uint32be(0) == 0xD0CF11E0 and " (the first four bytes of the OLE compound file header).
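The same detection logic in pure Python, as an added example that is not part of this diary entry or of Didier Stevens' tools. It derives the three byte patterns instead of hard-coding them (the DER encoding of the OID, and the two UTF-16LE strings), applies the rule's condition together with the optional OLE-header check from the remark above, and runs over constructed sample buffers, not real documents. The reading of the leading "08 00" / "04 00" bytes as a 16-bit little-endian character count, the sample buffers and all helper names are assumptions of this example.

```python
import sys

# --- pattern derivation ------------------------------------------------------

def der_encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, then the
    sub-identifiers in base-128 with the first two arcs folded into 40*a+b."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for sid in subids:
        chunks = [sid & 0x7F]                   # final byte: high bit clear
        sid >>= 7
        while sid:
            chunks.append(0x80 | (sid & 0x7F))  # continuation bytes: high bit set
            sid >>= 7
        body.extend(reversed(chunks))           # most significant group first
    if len(body) >= 0x80:
        raise ValueError("short-form length only; longer OIDs not expected here")
    return bytes([0x06, len(body)]) + bytes(body)


def counted_utf16(s: str) -> bytes:
    """Assumed layout of the signature marker strings: 16-bit little-endian
    character count, UTF-16LE text, UTF-16 NUL terminator."""
    return len(s).to_bytes(2, "little") + s.encode("utf-16-le") + b"\x00\x00"


def yara_hex(b: bytes) -> str:
    """Render bytes as a YARA hex string, e.g. {06 0A 2B ...}."""
    return "{" + " ".join(f"{x:02X}" for x in b) + "}"


SPC_INDIRECT_DATA_OID = "1.3.6.1.4.1.311.2.1.4"
OID_PATTERN = der_encode_oid(SPC_INDIRECT_DATA_OID)
SIGAGILE_PATTERN = counted_utf16("SigAgile")
SIGN_PATTERN = counted_utf16("Sign")
OLE_MAGIC = b"\xD0\xCF\x11\xE0"   # uint32be(0) == 0xD0CF11E0 in the YARA remark

PATTERNS = {
    "$sigagile": SIGAGILE_PATTERN,
    "$sign": SIGN_PATTERN,
    "$oid": OID_PATTERN,
}

# --- detection --------------------------------------------------------------

def matching_strings(data: bytes) -> list:
    """Names of the rule's strings found in data, like YARA's -s output."""
    return [name for name, pat in PATTERNS.items() if pat in data]


def has_vba_signature(data: bytes, require_ole: bool = True) -> bool:
    """Rule condition: ($sigagile or $sign) and $oid, optionally gated on
    the OLE compound-file magic as in the remark."""
    if require_ole and data[:4] != OLE_MAGIC:
        return False
    hits = set(matching_strings(data))
    return "$oid" in hits and bool(hits & {"$sigagile", "$sign"})


# --- constructed sample inputs (not real documents) -------------------------
_PAD = b"\x00" * 32
# OLE header bytes followed by a legacy "Sign" marker and the OID
SAMPLE_SIGNED_OLE = (OLE_MAGIC + b"\xA1\xB1\x1A\xE1" + _PAD
                     + SIGN_PATTERN + _PAD + OID_PATTERN + _PAD)
# same markers ("SigAgile" variant) behind an arbitrary non-OLE header
SAMPLE_AGILE_NO_OLE = b"XXXX" + _PAD + SIGAGILE_PATTERN + _PAD + OID_PATTERN
# ASCII text that merely mentions the names: must not match
SAMPLE_ASCII_TEXT = b"Mentions SigAgile and OID 1.3.6.1.4.1.311.2.1.4 in ASCII only.\n"


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(f"{name} = {yara_hex(pat)}")
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            with open(path, "rb") as f:
                data = f.read()
            print(path, has_vba_signature(data), matching_strings(data))
    else:
        for label, data in [("signed OLE", SAMPLE_SIGNED_OLE),
                            ("agile, no OLE header", SAMPLE_AGILE_NO_OLE),
                            ("ASCII text", SAMPLE_ASCII_TEXT)]:
            print(f"{label}: ole-gated={has_vba_signature(data)} "
                  f"ungated={has_vba_signature(data, require_ole=False)} "
                  f"strings={matching_strings(data)}")
```

Run it without arguments to print the derived YARA hex strings (they reproduce the three strings in the rule above) and the verdicts on the sample buffers; pass file paths to scan real files. The second sample shows what the OLE gate buys: without it, any file carrying those bytes matches.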

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
