OLE: Not to beat a dead horse...

Since I keep seeing new malicious OLEs, I wanted to do a few posts about writing yara signatures for them. I don't have the time right now for a full post, but I'll share a few preliminary links that I'll be referencing for metadata extraction.

[MS-OLEPS]: SummaryInformation
https://msdn.microsoft.com/en-us/library/dd942545.aspx

[MS-OLEPS]: FILETIME (Packet Version)
https://msdn.microsoft.com/en-us/library/dd942482.aspx

[MS-DTYP]: FILETIME
https://msdn.microsoft.com/en-us/library/cc230324.aspx
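To make those three references concrete, here is a small Python walk through the structures they describe, added as an illustration rather than code from the post: it builds a constructed SummaryInformation property set stream (not taken from any real document), then parses the PropertySetStream header, the PropertySet offset table, and two TypedPropertyValues, decoding the PIDSI_CREATE_DTM FILETIME as 100-nanosecond ticks since 1601-01-01 UTC.

```python
import struct
from datetime import datetime, timedelta, timezone

# Field values from [MS-OLEPS] (SummaryInformation, FILETIME packet) and [MS-DTYP] FILETIME.
FMTID_SUMMARY_INFO = bytes.fromhex("E0859FF2F94F6810AB9108002B27B3D9")  # {F29F85E0-4FF9-1068-AB91-08002B27B3D9}, on-disk order
PIDSI_AUTHOR, PIDSI_CREATE_DTM = 0x04, 0x0C
VT_LPSTR, VT_FILETIME = 0x1E, 0x40
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw8: bytes) -> datetime:
    """FILETIME packet: little-endian uint64 of 100-nanosecond ticks since 1601-01-01 UTC."""
    ticks, = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_summary_information(stream: bytes) -> dict:
    """Walk PropertySetStream -> PropertySet -> TypedPropertyValue; return {PID: value}."""
    byte_order, _version, _sysid = struct.unpack_from("<HHI", stream, 0)
    if byte_order != 0xFFFE:
        raise ValueError("ByteOrder must be 0xFFFE")
    num_sets, = struct.unpack_from("<I", stream, 24)          # after the 16-byte CLSID
    fmtid, offset = stream[28:44], struct.unpack_from("<I", stream, 44)[0]
    if num_sets not in (1, 2) or fmtid != FMTID_SUMMARY_INFO:
        raise ValueError("first property set is not SummaryInformation")
    _size, num_props = struct.unpack_from("<II", stream, offset)
    props = {}
    for i in range(num_props):                                # PropertyIdentifierAndOffset table
        pid, rel = struct.unpack_from("<II", stream, offset + 8 + 8 * i)
        at = offset + rel                                     # offsets are relative to the PropertySet
        vtype, = struct.unpack_from("<H", stream, at)         # Type, then 2 bytes of padding
        body = at + 4
        if vtype == VT_FILETIME:
            props[pid] = filetime_to_datetime(stream[body:body + 8])
        elif vtype == VT_LPSTR:                                # CodePageString: Size, then NUL-terminated text
            n, = struct.unpack_from("<I", stream, body)
            props[pid] = stream[body + 4:body + 4 + n].split(b"\x00", 1)[0].decode("cp1252")
        else:
            props[pid] = stream[body:body + 4]                 # other types left raw for the caller
    return props

def build_sample_stream(author="Sample", created=datetime(2017, 5, 12, tzinfo=timezone.utc)) -> bytes:
    """Constructed sample stream (not from any real document): one Author and one CREATE_DTM property."""
    ticks = (created - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    text = author.encode("cp1252") + b"\x00"
    text += b"\x00" * (-len(text) % 4)                        # pad CodePageString to a 4-byte boundary
    p_author = struct.pack("<HHI", VT_LPSTR, 0, len(author) + 1) + text
    p_create = struct.pack("<HHQ", VT_FILETIME, 0, ticks)
    table = struct.pack("<IIII", PIDSI_AUTHOR, 24, PIDSI_CREATE_DTM, 24 + len(p_author))
    pset = struct.pack("<II", 24 + len(p_author) + len(p_create), 2) + table + p_author + p_create
    header = struct.pack("<HHI16sI16sI", 0xFFFE, 0, 0x00020006, b"\x00" * 16, 1, FMTID_SUMMARY_INFO, 48)
    return header + pset
```

The fixed byte patterns this exposes (the 0xFFFE byte-order mark, the on-disk FMTID, and the 0x0040 VT_FILETIME type tag ahead of each timestamp) are the anchors a signature on SummaryInformation metadata would key on.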
