Thank you for posting this.  We have the malware component and it has matured well.

This illustration does not have its equal in RSA documentation.

In my mind it is an excellent high level training aid and guide through the technology.

Thanks again.

Thanks Eric, Awesome diagram. 

It should be included in every Malware course (internal and external).

hmmm it's curious the bit about handling 2003<= ole office and >=2007 office is not pictured... 

the concerning bit is - the diagram is missing ole2003 and xml2007 office handling almost entirely =\ . 

aside from 'fingerprint and filetype parser' .... and then what? how do we add yara rules on ole and xml based ones, etc. 

those are referenced in the green box where the parser spectrum_lua matches the filetypes listed in the box including office 95-2003 and office 2007 documents among others or am I misinterpreting your comment? 

Is your MA not getting office files to analyze?  If it is, you would probably be able to import the Yara signatures into the MA appliance for your DDE hunting. You might want to add the RSA specific elements to the signature so the rule is visible in the MA interface (I haven't tested this just reading the docs)

The diagram is my attempt to gather all the parts that go into the malware service and all the places you can filter out or add in other file formats to get them into the malware engine.  If there are parts that are missing please let me know and I can update the doc accordingly.

I'm by no means the authority on this, just a humble Sales Engineer trying to fill a gap that I saw in documentation that helped my learning of the product.

hello Eric,

Let me be more constructive:

please add yara office 2003/2007 examples.

to the yara rules folder same way that there's pdf and pe ones - specificaly one for 2003 ole docs, one for office 2007 ooxml docs.

yes i saw the parsers/content types - do the 'filetype' meta keys map directly 

(edit nevermind this) please list ALL the filetype meta key values mapping to office docs 2003/2007+ [assuming the default 10.6.4 parsers on packet decoders] (edit nevermind, the yara page says '

)

specifically:

a) ole 2003 docs - people use something like oletools to grab specific streams and then run yara rules. whether there's any extra compression or encoding - not sure. [for the example in the other thread - no, but looking at a specific stream may save malware resources but I'm surmising it's entirely possible [and sometimes we can work around it in the yara rule, sometimes not and need something like the tools below] . is anything similar used in malware server/do we have access to tags to address specific sections/streams . e.g. for the other example we can probably run Detecting DDE in MS Office documents | NVISO LABS – blog   aka https://github.com/Neo23x0/signature-base/blob/master/yara/gen_dde_in_office_docs.yar 

Didier Stevens | (blog \’DidierStevens)  <--- oletools

directly (the ole rules) 

b) for ooxml 2007 docs- how do we access the extracted xml resources in the malware yara rules - it's pointless running yara rules on a compressed zip 😃 - likewise, can we only select specific files in the rule

either malware can help directly, or there needs to be a way to pipeline these automatically for post analysis... and i don't mean by retrospective SA queries and manual extraction .

> please list ALL the filetype meta key values mapping to office docs 2003/2007+

The possible filetype values relevant to Office docs, as registered by fingerprint_office_lua, are:

office 95-2003 word document

office 95-2003 excel document

office 95-2003 powerpoint document

office 95-2003 document

office 2007 document

thanks Will. 

so, for the yara doc link. Investigation: Implement Custom YARA Content 

inside yara rules special section with fileType meta

(fig1) Possible (yara fileType 'meta') values are: WINDOWS_PE, MS_OFFICE (includes RTF?), and PDF. If not specified, the default value is WINDOWS_PE.

a) I presume MS_OFFICE  above (fig1) - map to the filetype meta below (fig2)

b) how about RTF (does it also?) [does the RTF content type get included in the office * filetype meta values below and map to the MS_OFFICE yara meta type when writing rules? 

c) does office2007 ooxml docs - does yara on Malware server. get access to decompressed XML and binary resources from the docx (for example) prior to being handed to yara - if not by default is there an option?

(fig2)

filetype SA meta:

office 95-2003 word document

office 95-2003 excel document

office 95-2003 powerpoint document

office 95-2003 document

office 2007 document

<----rtf? ---> 

RTF are identified by fingerprint_rtf_lua as filetype value "rtf".