Attachment: Office Document with VSTO Add-in

Recursively scans attachments and archives to detect Office documents that reference a VSTO add-in deployment manifest (`*.vsto`). A VSTO customization can deliver .NET code to the user who opens the document without any VBA macro, so such files warrant the same scrutiny as macro-enabled documents.

Sublime rule (View on GitHub)

 1name: "Attachment: Office Document with VSTO Add-in"
 2description: |
 3    Recursively scans files and archives to detect Office documents with VSTO Add-ins.
 4type: "rule"
 5references:
 6  - "https://medium.com/@airlockdigital/make-phishing-great-again-vsto-office-files-are-the-new-macro-nightmare-e09fcadef010"
 7severity: "high"
 8authors:
 9  - twitter: "vector_sec"
10source: |
11  type.inbound
12  and any(attachments,
13          (
14            .file_extension in~ $file_extensions_macros
15            or .file_extension in~ $file_extensions_common_archives
16          )
17          and any(file.explode(.),
18                  .file_extension in~ (
19                    "doc",
20                    "docm",
21                    "docx",
22                    "dot",
23                    "dotm",
24                    "xls",
25                    "xlsx",
26                    "xlsm",
27                    "xlm",
28                    "xlsb",
29                    "xlt",
30                    "xltm",
31                    "ppt",
32                    "pptx",
33                    "pptm",
34                    "ppsm"
35                  )
36                  and any(.scan.exiftool.fields,
37                          .key == "Tag_AssemblyLocation" and strings.ilike(.value, "*.vsto*")
38                          and not strings.ilike(.value, 'C:\Program Files*')
39                  )
40          )
41  )  
42attack_types:
43  - "Malware/Ransomware"
44tactics_and_techniques:
45  - "Scripting"
46detection_methods:
47  - "Archive analysis"
48  - "Content analysis"
49  - "Exif analysis"
50  - "File analysis"
51  - "Sender analysis"
52  - "URL analysis"
53id: "27afa730-6dd5-58ec-9deb-ed5170de210d"