Malicious documents that drop VBE scripts (VBScript encoded with the Microsoft Script Encoder, recognizable by the "#@~^" start marker and "^#~@" end marker) are in the wild. Here is an example:
I have a YARA rule to detect VBE scripts:
yara-rules-V0.0.6.zip (https)
MD5: 01CB37759AC30EEA8D2B66226609C73E
SHA256: 1B56C1D7D0E1A8F500674B74F93F3E7DE6B2EFC85259ABE3A57F1DCA458CCFF8
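As an added example (my code, not the YARA rule shipped in the archive above and not code from the original post), the same detection idea in Python: report an encoded script only when both markers and a well-formed length field are present, and recurse into ZIP containers (a .docx/.xlsm is one) where a flat byte scan would miss deflated members. The wrapper layout assumed here (an 8-character base64 field holding a little-endian uint32 length after "#@~^", and a same-shaped checksum field before "^#~@") is my reading of the Script Encoder format, not something this page states; the sample bytes are constructed for the test and are not real encoder output.

```python
import base64
import io
import re
import struct
import zipfile

# Markers written by the Microsoft Script Encoder:
# an encoded script starts with "#@~^" and ends with "^#~@".
VBE_START = b"#@~^"
VBE_END = b"^#~@"

# Wrapper layout assumed here (not stated on the original page):
#   "#@~^" + base64(uint32 LE length of encoded body) + body
#         + base64(uint32 LE checksum) + "^#~@"
# base64 of 4 bytes is always 6 characters followed by "==".
VBE_RE = re.compile(
    rb"#@~\^([A-Za-z0-9+/]{6}==)(.*?)([A-Za-z0-9+/]{6}==)\^#~@",
    re.DOTALL,
)


def declared_length(field: bytes) -> int:
    """Decode the 8-character base64 length field as a little-endian uint32."""
    return struct.unpack("<I", base64.b64decode(field))[0]


def find_vbe(data: bytes) -> list:
    """Return one dict per complete VBE wrapper found in data.

    A lone "#@~^" (e.g. inside a string table) is not reported: both markers
    and a well-formed length field are required, which keeps false positives
    down. "consistent" flags a declared length that matches the body length.
    """
    hits = []
    for m in VBE_RE.finditer(data):
        body = m.group(2)
        declared = declared_length(m.group(1))
        hits.append({
            "offset": m.start(),
            "declared": declared,
            "actual": len(body),
            "consistent": declared == len(body),
        })
    return hits


def scan(data: bytes, name: str = "<bytes>", depth: int = 0) -> list:
    """Scan raw bytes and, when they form a ZIP container, each member too."""
    results = [(name, h) for h in find_vbe(data)]
    # Office Open XML documents are ZIPs; a deflated member is invisible to a
    # flat byte scan, so recurse. The depth limit guards against nested
    # archive bombs.
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = zf.read(info)
                results.extend(scan(member, f"{name}/{info.filename}", depth + 1))
    return results


def wrap_vbe(body: bytes, checksum: int = 0) -> bytes:
    """Build a VBE wrapper around a body, for constructed test data only.

    The body is NOT real encoder output; only the wrapper shape matters here.
    """
    length = base64.b64encode(struct.pack("<I", len(body)))
    csum = base64.b64encode(struct.pack("<I", checksum))
    return VBE_START + length + body + csum + VBE_END


# Constructed samples, not real malware.
SAMPLE_VBE = wrap_vbe(b"fake encoded body " * 4)          # 72-byte body
SAMPLE_DOC = b"stream junk\x00\x01" + SAMPLE_VBE + b"\x00trailer"


def build_sample_zip() -> bytes:
    """A deflated ZIP holding the sample, standing in for a macro container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/vbaProject.bin", SAMPLE_DOC)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name, hit in scan(SAMPLE_ZIP, "sample.zip"):
        print(name, hit)
```

Run it on a document or archive by passing `open(path, "rb").read()` to `scan()`. A hit whose `consistent` flag is false is worth a closer look either way: either the length field is not what I assume it is, or the wrapper was hand-edited, which is itself a sign of tampering with a known-good format.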
Hi Didier, thanks for your whole work.
I have a sample that has VBE scripts in a UserForm like you mention above. I used contains_vbe_file.yara but I encountered an error “AttributeError: ‘str’ object has no attribute ‘rule’”. Do you have any idea about this error?
Best regards…
Comment by Melik — Wednesday 23 March 2016 @ 9:30
@Melik. No idea. Can you provide more details? What command did you issue and can you report the full error message?
Comment by Didier Stevens — Wednesday 23 March 2016 @ 14:50
Hi Didier,
Just one reminder.
maldoc.yara is version 0.0.1 in this package, but there is a 0.0.2.
Comment by Anonymous — Friday 25 March 2016 @ 16:14
[…] Didier Stevens has released a new YARA rule to use with oledump to detect malicious VBE (VBScript Encode scripts) scripts. The example shows a malicious VBE script detected within a ZIP file. YARA Rule To Detect VBE Scripts […]
Pingback by Week 12 – Thisweekin4n6 — Saturday 26 March 2016 @ 9:19
Fixed with version 0.0.7. But don’t worry, it’s only comments.
Comment by Didier Stevens — Monday 28 March 2016 @ 18:30
Do you happen to have an MD5 hash for the sample to test against this rule?
Comment by JR — Wednesday 30 March 2016 @ 17:54
@Melik or Didier, do you happen to have the hash of a sample I can test against that would match the string for this YARA signature?
Thanks much appreciated.
Comment by JR — Monday 4 April 2016 @ 16:32
@JR The sample is MD5 7d7cd1a3759696e43b87f0fb5ee36325
Comment by Didier Stevens — Friday 8 April 2016 @ 16:18
Awesome site, mad respect! Any further info/tools on how to deobfuscate your sample? I'm looking at a similar obfuscation technique and I'm having challenges decoding it. Thanks!
Comment by gomez — Tuesday 30 August 2016 @ 20:17