Didier Stevens

Tuesday 22 March 2016

YARA Rule To Detect VBE Scripts

Filed under: maldoc,Malware,My Software — Didier Stevens @ 0:00

Malicious documents that drop VBE scripts (VBScript Encode scripts) are in the wild. Here is an example:


I have a YARA rule to detect VBE scripts:


yara-rules-V0.0.6.zip (https)
MD5: 01CB37759AC30EEA8D2B66226609C73E
SHA256: 1B56C1D7D0E1A8F500674B74F93F3E7DE6B2EFC85259ABE3A57F1DCA458CCFF8
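The rule itself is only shown in the screenshots above. As an added example that is not the rule from the post, here is a small Python scanner that performs the equivalent check on an arbitrary byte sequence (an OLE stream, a ZIP entry, a whole file): it looks for the VBE start marker `#@~^` followed by its 8-character base64 length field, then for the base64 checksum field and the end marker `^#~@`. The `SAMPLE` bytes are constructed for this example, not taken from the post's sample.

```python
import base64
import re
import struct

# Constructed sample (not the post's sample): a VBE blob embedded between filler
# bytes, as it would sit inside an OLE stream or a ZIP entry. The header is "#@~^"
# plus the base64 encoding of a 4-byte little-endian length field (10 here); the
# trailer is an 8-character base64 checksum field plus the end marker "^#~@".
SAMPLE = (
    b"PK\x03\x04 filler bytes ..."
    + b"#@~^CgAAAA=="          # start marker + length field (10)
    + b"mD~lm9ao~~"            # 10 bytes standing in for the encoded body
    + b"AAAAAA==^#~@"          # checksum field + end marker
    + b" trailing filler"
)

# Start marker followed by exactly six base64 characters and "==" (8 chars = 4 bytes).
VBE_HEADER = re.compile(rb"#@~\^([A-Za-z0-9+/]{6}==)")
# Six base64 characters and "==" immediately followed by the end marker.
VBE_END = re.compile(rb"([A-Za-z0-9+/]{6}==)\^#~@")


def find_vbe_blobs(data):
    """Return (offset, declared_len, total_len) for every VBE blob found in data.

    declared_len is the 32-bit little-endian value stored in the header's length
    field. total_len is the span from the start marker to the end of the end
    marker, or None when no end marker follows the header (truncated blob).
    """
    found = []
    for m in VBE_HEADER.finditer(data):
        declared_len = struct.unpack("<I", base64.b64decode(m.group(1)))[0]
        end = VBE_END.search(data, m.end())
        total_len = end.end() - m.start() if end else None
        found.append((m.start(), declared_len, total_len))
    return found


def contains_vbe(data):
    """YARA-style yes/no verdict: does data contain at least one VBE header?"""
    return VBE_HEADER.search(data) is not None


if __name__ == "__main__":
    for offset, declared, total in find_vbe_blobs(SAMPLE):
        print(f"VBE blob at offset {offset}: length field {declared}, total span {total}")
```

Feeding it the raw bytes of a suspicious OLE stream or ZIP entry gives the same hit a YARA rule on the markers would, plus the offset and a hint whether the blob is complete.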

9 Comments

  1. Hi Didier, thanks for your whole work.
    I have a sample that has VBE scripts in UserForm like you mention above. I used contains_vbe_file.yara but I have encountered an error “AttributeError: ‘str’ object has no attribute ‘rule’”. Do you have any idea about this error?

    Best regards…

    Comment by Melik — Wednesday 23 March 2016 @ 9:30

  2. @Melik. No idea. Can you provide more details? What command did you issue and can you report the full error message?

    Comment by Didier Stevens — Wednesday 23 March 2016 @ 14:50

  3. Hi Didier,
    Just one reminder.
    maldoc.yara is the version 0.0.1 in this package.
    But there is 0.0.2

    Comment by Anonymous — Friday 25 March 2016 @ 16:14

  4. […] Didier Stevens has released a new YARA rule to use with oledump to detect malicious VBE (VBScript Encode scripts) scripts. The example shows a malicious VBE script detected within a ZIP file. YARA Rule To Detect VBE Scripts […]

    Pingback by Week 12 – Thisweekin4n6 — Saturday 26 March 2016 @ 9:19

  5. Fixed with version 0.0.7. But don’t worry, it’s only comments.

    Comment by Didier Stevens — Monday 28 March 2016 @ 18:30

  6. Do you happen to have an MD5 hash for the sample to test against this rule?

    Comment by JR — Wednesday 30 March 2016 @ 17:54

  7. @Melik or Didier, do you happen to have the hash of a sample I can test against that would match the string for this YARA signature?

    Thanks much appreciated.

    Comment by JR — Monday 4 April 2016 @ 16:32

  8. @JR The sample is MD5 7d7cd1a3759696e43b87f0fb5ee36325

    Comment by Didier Stevens — Friday 8 April 2016 @ 16:18

  9. Awesome site, mad respect! Any further info/tools on how to deobfuscate your sample? I’m looking at a similar obfuscation technique and I’m having challenges decoding it. Thanks!

    Comment by gomez — Tuesday 30 August 2016 @ 20:17
