""ET CURRENT_EVENTS Possible Malicous Macro DL EXE Jul 01 2016 (userdir dotted quad)""

SID: 2022940

Revision: 3

Class Type: trojan-activity

Metadata: affected_product MS_Office, attack_target Client_Endpoint, created_at 2016_07_01, deployment Perimeter, malware_family MalDocGeneric, performance_impact Moderate, signature_severity Major, tag MalDoc, updated_at 2024_04_08

Reference:

  • md5

  • a27bb6ac49f890bbdb97d939ccaa5956

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: ".exe"

  • Value: "/~" Depth: 2

  • Value: !"Referer|3a|"

  • Value: !"Cookie|3a|"

Within:

PCRE: "/^Host\x3a\x20\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}(?:\x3a\d{1,5})?\r$/Hm"

Special Options:

  • http_uri

  • http_uri

  • http_header

source