The hunt hypothesis is that macros using the specific ChrW() character-encoding pattern linked to sample 30f149479c02b741e897cdb9ecd22da7 may indicate the presence of malicious code. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify adversarial activity that could evade standard detection methods.
YARA Rule

rule FE_LEGALSTRIKE_MACRO {
    meta:
        version = ".1"
        filetype = "MACRO"
        author = "Ian.Ahl@fireeye.com @TekDefense"
        date = "2017-06-02"
        description = "This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
    strings:
        // OBFUSCATION: ChrW() concatenation fragments seen in the sample
        $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
        $ob2 = "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)" ascii wide
        $ob3 = "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)" ascii wide
        $ob4 = "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)" ascii wide
        $ob5 = "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)" ascii wide
        $ob6 = "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)" ascii wide
        $ob7 = "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)" ascii wide
        $ob8 = "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)" ascii wide
        // Generic forms: seven or more concatenated five-character tokens, or ChrW() calls
        $obreg1 = /(\w{5}\s&\s){7}\w{5}/
        $obreg2 = /(Chrw\(\d{1,3}\)\s&\s){7}/
        // wscript: shell object creation and execution
        $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
        $wsobj2 = "Obj.Run " ascii wide
    condition:
        (
            // not a PE file
            (uint16(0) != 0x5A4D)
        )
        and
        (
            // note: the $ob* wildcard also counts $obreg1 and $obreg2
            all of ($wsobj*) and 3 of ($ob*)
            or
            all of ($wsobj*) and all of ($obreg*)
        )
}
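The following is an added example for triage, not FireEye's code or part of the original rule. It decodes the ChrW(n) & ChrW(n) chains the rule targets back into the text a macro would build, and it ports the rule's string and condition logic to plain Python so it can be exercised without YARA. The macro text is constructed for this example; it reuses three of the encoded fragments quoted in the rule ($ob1, $ob2, $ob8). Two caveats a rule maintainer would want are visible in the port: `$ob*` is a prefix wildcard, so it also counts `$obreg1` and `$obreg2`, and `$obreg2` is case-sensitive (lowercase "w" in "Chrw", no `nocase` modifier) even though VBA itself is case-insensitive.

```python
"""Python port of FE_LEGALSTRIKE_MACRO matching plus a ChrW() chain decoder (added example)."""
import re
from typing import Dict, List

# Literal strings copied from the rule, keyed by their YARA identifier.
RULE_STRINGS: Dict[str, str] = {
    "$ob1": "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)",
    "$ob2": "ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(115) & ChrW(32) & ChrW(47) & ChrW(110) & ChrW(32) & ChrW(47)",
    "$ob3": "ChrW(117) & ChrW(32) & ChrW(47) & ChrW(105) & ChrW(58) & ChrW(104) & ChrW(116) & ChrW(116) & ChrW(112) & ChrW(115)",
    "$ob4": "ChrW(58) & ChrW(47) & ChrW(47) & ChrW(108) & ChrW(121) & ChrW(110) & ChrW(99) & ChrW(100) & ChrW(105) & ChrW(115)",
    "$ob5": "ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(46) & ChrW(50) & ChrW(98) & ChrW(117) & ChrW(110)",
    "$ob6": "ChrW(110) & ChrW(121) & ChrW(46) & ChrW(99) & ChrW(111) & ChrW(109) & ChrW(47) & ChrW(65) & ChrW(117) & ChrW(116)",
    "$ob7": "ChrW(111) & ChrW(100) & ChrW(105) & ChrW(115) & ChrW(99) & ChrW(111) & ChrW(118) & ChrW(101) & ChrW(114) & ChrW(32)",
    "$ob8": "ChrW(115) & ChrW(99) & ChrW(114) & ChrW(111) & ChrW(98) & ChrW(106) & ChrW(46) & ChrW(100) & ChrW(108) & ChrW(108)",
    "$wsobj1": 'Set Obj = CreateObject("WScript.Shell")',
    "$wsobj2": "Obj.Run ",
}

# Regular expressions copied verbatim from the rule. $obreg2 keeps the rule's
# lowercase "w" and has no nocase modifier, so it is case-sensitive here as in YARA.
RULE_REGEXES: Dict[str, "re.Pattern[str]"] = {
    "$obreg1": re.compile(r"(\w{5}\s&\s){7}\w{5}"),
    "$obreg2": re.compile(r"(Chrw\(\d{1,3}\)\s&\s){7}"),
}


def find_strings(data: bytes) -> List[str]:
    """Return the identifiers of rule strings present in data (ascii or UTF-16LE wide)."""
    hits: List[str] = []
    for ident, literal in RULE_STRINGS.items():
        if literal.encode("ascii") in data or literal.encode("utf-16-le") in data:
            hits.append(ident)
    text = data.decode("latin-1")  # the regex strings carry no "wide" modifier
    for ident, pattern in RULE_REGEXES.items():
        if pattern.search(text):
            hits.append(ident)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition the way YARA would."""
    if data[:2] == b"MZ":  # uint16(0) != 0x5A4D excludes PE files
        return False
    hits = find_strings(data)
    wsobj_all = all(i in hits for i in ("$wsobj1", "$wsobj2"))
    ob_count = sum(1 for i in hits if i.startswith("$ob"))  # prefix wildcard: includes $obreg*
    obreg_all = all(i in hits for i in ("$obreg1", "$obreg2"))
    return wsobj_all and (ob_count >= 3 or obreg_all)


# Decoder: VBA is case-insensitive, so accept any casing of ChrW when decoding.
CHRW_CHAIN = re.compile(r"(?:ChrW\(\d{1,3}\)\s*&\s*)+ChrW\(\d{1,3}\)", re.IGNORECASE)
CHRW_CODE = re.compile(r"ChrW\((\d{1,3})\)", re.IGNORECASE)


def decode_chrw_chains(text: str) -> List[str]:
    """Decode every run of ChrW(n) & ChrW(n) ... into the string it builds, in document order."""
    return ["".join(chr(int(c)) for c in CHRW_CODE.findall(m.group(0)))
            for m in CHRW_CHAIN.finditer(text)]


# Constructed macro text for the example (not a real document), using three
# of the encoded fragments quoted in the rule.
SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim Obj, cmd\n"
    '    Set Obj = CreateObject("WScript.Shell")\n'
    "    cmd = " + RULE_STRINGS["$ob1"] + "\n"
    "    cmd = cmd & " + RULE_STRINGS["$ob2"] + "\n"
    "    cmd = cmd & " + RULE_STRINGS["$ob8"] + "\n"
    "    Obj.Run cmd, 0\n"
    "End Sub\n"
)

# Same macro with the casing VBA also accepts; only the regex string sees it.
SAMPLE_MACRO_LOWER = SAMPLE_MACRO.replace("ChrW(", "Chrw(")

if __name__ == "__main__":
    print("decoded fragments:", decode_chrw_chains(SAMPLE_MACRO))
    print("strings hit:", find_strings(SAMPLE_MACRO.encode()))
    print("rule matches:", rule_matches(SAMPLE_MACRO.encode()))
    print("lowercase variant hits:", find_strings(SAMPLE_MACRO_LOWER.encode()))
    print("lowercase variant matches:", rule_matches(SAMPLE_MACRO_LOWER.encode()))
```

Running the module shows the three fragments decoding to "regsvr32.e", "xe /s /n /" and "scrobj.dll", the rule firing on the constructed macro, and the lowercase variant hitting only `$obreg2`, so the rule does not fire on it. When tuning the rule, the `nocase` modifier on the `$ob*` literals and on `$obreg2` is the change that closes that gap.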
This rule contains 12 string patterns in its detection logic (eight $ob literals, two $obreg regular expressions and two $wsobj literals).

The following scenarios describe legitimate activity that may resemble what the rule looks for, each with a suggested filter or exclusion:

Scenario: Legitimate macro used in Microsoft Word templates
Description: A Word document template (e.g., a .dotx file) contains a macro used to automate repetitive formatting tasks.
Filter/Exclusion: file.name contains "template" OR file.type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document.template"

Scenario: Scheduled backup job using PowerShell with encoded commands
Description: A scheduled PowerShell script (e.g., run via Task Scheduler) backs up user data and uses encoded commands for obfuscation.
Filter/Exclusion: process.name == "schtasks.exe" OR process.parent.name == "services.exe"

Scenario: Admin task using encoded macros for report generation
Description: A system administrator uses a macro-enabled Excel file (.xlsm) to generate weekly reports, and the macro is encoded for security reasons.
Filter/Exclusion: process.name == "excel.exe" AND process.parent.name == "explorer.exe" AND file.name contains "report_generator"

Scenario: Encoded macro in a legitimate software installer
Description: A software installer (e.g., from a trusted vendor) includes a macro for post-installation configuration, which is encoded for security.
Filter/Exclusion: file.name contains "installer" OR file.sha1 == "trusted_installer_hash"

Scenario: Macro used in a legitimate third-party tool for automation
Description: A third-party automation tool (e.g., AutoHotkey or similar) uses macros with encoded commands for user-interface automation.
Filter/Exclusion: process.name contains "AutoHotkey" OR process.name contains "ahk"