Scans through a given directory glob for common office files. Then tries to extract any embedded macros by parsing the OLE file structure.
Office macros are a prominent initial infection vector. Many users click through the warning dialogs, thus leading to infection.
If a macro calls an external program (e.g. PowerShell) this is very suspicious!
name: Windows.Applications.OfficeMacros
description: |
Scans through a given directory glob for common office files. Then tries to
extract any embedded macros by parsing the OLE file structure.
Office macros are a prominent initial infection vector. Many users click
through the warning dialogs, thus leading to infection.
If a macro calls an external program (e.g. PowerShell) this is very
suspicious!
parameters:
- name: officeExtensions
default: "*.{xls,xlsm,doc,docx,ppt,pptm}"
- name: officeFileSearchGlob
default: C:\Users\**\
description: The directory to search for office documents.
sources:
- query: |
SELECT * FROM foreach(
row={
SELECT OSPath FROM glob(globs=officeFileSearchGlob + officeExtensions)
},
query={
SELECT * from olevba(file=OSPath)
})