YARAhub
You are currently viewing the YARAhub entry of the YARA rule MALWARE_Storm0978_HTML_PROTHANDLER_Jul23. Depending on the TLP classification of this YARA rule chosen by the author, further information about this YARA rule is available below.
YARA Rule Details: MALWARE_Storm0978_HTML_PROTHANDLER_Jul23
| Rule name: | MALWARE_Storm0978_HTML_PROTHANDLER_Jul23 |
|---|---|
| Author: | SECUINFRA Falcon Team (@SI_FalconTeam) |
| Description: | Detects Office HTML injection through docfiles with Windows Protocol Handler execution |
| Reference MD5: | 26a6a0c852677a193994e4a3ccc8c2eb |
| Likes: | 0 |
| Reference Link: | n/a |
| Malpedia Family: | n/a |
| Date added: | 2023-07-11 |
| Rule Matching TLP: | TLP:WHITE |
| Rule Sharing TLP: | TLP:WHITE |
| License: | https://creativecommons.org/licenses/by/4.0/ |
| UUID: | 85dbba47-f82d-478f-b941-88ac44f62a2b |
| Static hits: | 0 |
| Unpacker hits: | 0 |
YARA Rule Content
The content of the YARA rule is shown below.
```yara
rule MALWARE_Storm0978_HTML_PROTHANDLER_Jul23
{
    meta:
        author = "SECUINFRA Falcon Team (@SI_FalconTeam)"
        description = "Detects Office HTML injection through docfiles with Windows Protocol Handler execution"
        reference = "https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit"
        date = "2023-07-11"
        tlp = "CLEAR"
        hash = "07377209fe68a98e9bca310d9749daa4eb79558e9fc419cf0b02a9e37679038d"
        yarahub_uuid = "85dbba47-f82d-478f-b941-88ac44f62a2b"
        yarahub_reference_md5 = "26a6a0c852677a193994e4a3ccc8c2eb"
        yarahub_license = "CC BY 4.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:WHITE"
        yarahub_author_twitter = "@SI_FalconTeam"

    strings:
        $doc_magic = {D0 CF 11 E0 A1 B1 1A E1}
        $s_htmlTag = "<html>" nocase ascii wide
        $s_location = "location.href" nocase ascii wide
        $s_iframe = "document.write('<iframe" nocase ascii wide
        $s_mhtml = "src=\"mhtml:ms-" nocase ascii wide
        $s_temp = "/appdata/local/temp" nocase ascii wide
        $s_script = "<script defer>" nocase ascii wide

        // Some of the most popular ones;
        // Source: https://github.com/splunk/security_content/blob/develop/lookups/windows_protocol_handlers.csv
        $prothandler_msdt = "ms-msdt" ascii wide
        $prothandler_search = "search-ms" ascii wide
        $prothandler_msits = "ms-its" ascii wide
        $prothandler_word = "ms-word" ascii wide
        $prothandler_excel = "ms-excel" ascii wide
        $prothandler_powerp = "ms-powerpoint" ascii wide

    condition:
        $doc_magic at 0x0
        and $doc_magic
        and 4 of ($s_*)
        and 1 of ($prothandler_*)
}
```
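To see what the condition actually requires, the following script re-implements the rule's matching logic in plain Python and runs it over a few constructed inputs. This is an added example, not SECUINFRA's code and not the YARA engine: it mirrors the string modifiers (`nocase`, `ascii`, `wide`) and the three condition terms, so the thresholds can be exercised without yara-python. The `build_doc` helper, the `INJECTED_HTML` fragment and every entry in `SAMPLES` are constructed for the demonstration (a CFB magic followed by filler, not a valid OLE file) and are not real samples.

```python
"""Re-implementation of the matching logic of MALWARE_Storm0978_HTML_PROTHANDLER_Jul23.

Added example, not SECUINFRA's code and not the YARA engine. It mirrors the
rule's string modifiers (nocase / ascii / wide) and its condition so the logic
can be exercised without yara-python. All inputs are constructed.
"""
import re

# $doc_magic: the OLE2 / Compound File Binary header, required at offset 0.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# $s_* strings, declared `nocase ascii wide` in the rule.
S_STRINGS = {
    "s_htmlTag": "<html>",
    "s_location": "location.href",
    "s_iframe": "document.write('<iframe",
    "s_mhtml": 'src="mhtml:ms-',
    "s_temp": "/appdata/local/temp",
    "s_script": "<script defer>",
}

# $prothandler_* strings, declared `ascii wide` only, so they are case-sensitive.
PROTHANDLER_STRINGS = {
    "prothandler_msdt": "ms-msdt",
    "prothandler_search": "search-ms",
    "prothandler_msits": "ms-its",
    "prothandler_word": "ms-word",
    "prothandler_excel": "ms-excel",
    "prothandler_powerp": "ms-powerpoint",
}


def _pattern(text, nocase):
    """YARA `ascii` is the raw bytes; `wide` is UTF-16LE (each char followed by 0x00).

    re.IGNORECASE on a bytes pattern folds only ASCII letters, which is what
    nocase does for these strings; the interleaved NUL bytes are unaffected."""
    alternatives = b"|".join(re.escape(text.encode(enc)) for enc in ("ascii", "utf-16-le"))
    return re.compile(b"(?:" + alternatives + b")", re.IGNORECASE if nocase else 0)


def evaluate(data):
    """Evaluate the rule condition against one file's bytes.

    Returns the verdict plus the identifiers that hit, which is what you want
    when tuning the `4 of ($s_*)` threshold against a real corpus."""
    s_hits = [n for n, t in S_STRINGS.items() if _pattern(t, True).search(data)]
    p_hits = [n for n, t in PROTHANDLER_STRINGS.items() if _pattern(t, False).search(data)]
    matched = (
        data.startswith(OLE_MAGIC)   # `$doc_magic at 0x0`; the rule's extra `and $doc_magic` adds nothing
        and len(s_hits) >= 4         # `4 of ($s_*)`
        and len(p_hits) >= 1         # `1 of ($prothandler_*)`
    )
    return {"matched": matched, "s_hits": s_hits, "prothandler_hits": p_hits}


def build_doc(payload):
    """Constructed stand-in for a .doc: CFB magic, zero filler, then the payload
    where an injected HTML stream would sit. Not a valid OLE file."""
    return OLE_MAGIC + b"\x00" * 504 + payload + b"\x00" * 64


# Constructed HTML fragment carrying the artefacts the rule keys on. The
# protocol-handler URI is deliberately left bare (scheme only, no parameters).
INJECTED_HTML = (
    b"<HTML><body><script defer>"
    b"document.write('<iframe src=\"ms-msdt:\"></iframe>');"
    b"location.href = 'C:/Users/victim/AppData/Local/Temp/page.html';"
    b"</script></body></html>"
)

SAMPLES = {
    "injected_ascii": build_doc(INJECTED_HTML),
    # Same content as UTF-16LE, exercising the `wide` modifier.
    "injected_wide": build_doc(INJECTED_HTML.decode("ascii").encode("utf-16-le")),
    "clean_doc": build_doc(b"Quarterly report, nothing to see here."),
    # All strings present but no CFB header at offset 0: the `at 0x0` term fails.
    "html_without_magic": INJECTED_HTML,
    # Only three $s_* strings: below the `4 of` threshold even with a handler hit.
    "too_few_strings": build_doc(b"<html><script defer>document.write('<iframe src=\"ms-msdt:\">"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = evaluate(data)
        print(f"{name:20s} matched={r['matched']!s:5s} s_hits={len(r['s_hits'])} handlers={r['prothandler_hits']}")
```

Two things the script makes visible that the rule text does not spell out: the second `$doc_magic` term in the condition is implied by `$doc_magic at 0x0` and can be dropped, and the `$prothandler_*` strings lack `nocase`, so an upper-case `MS-MSDT:` scheme would satisfy neither that clause nor the rule, whereas the surrounding HTML markers are matched case-insensitively. The constructed container only reproduces the CFB magic; a real hit on this rule is a document whose injected HTML stream sits inside the compound file, and the `hash` in the rule's meta block is the reference sample to verify against.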
YARA Rule Matches
The following table shows the most recent files matching this particular YARA rule. No matching files have been recorded for this rule (static hits: 0, unpacker hits: 0).
| First seen (UTC) | SHA256 hash | Static matches | Unpacker matches |
|---|---|---|---|