Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. Someone posted a comment on my blog about Xavier's diary entry about the DDE that is seen again in Office documents. Some time ago, a couple of years ago, I wrote YARA rules. Here you can see them on my company's website and visa. I wrote YARA rules to detect DDE in Office documents, so OOXML files, Office Open XML files, and also in OLE files. Now these rules are designed to be used with YARA itself. So yara, the rule, and then here the sample, and you can see this rule here triggers on the sample. So this is a rule to detect the DDEAUTO field inside OLE files. And if you use option -s, YARA's option -s, then you will also see the string. Here the rule, here the location and here the string. And then you can see the PowerShell command and the URL. So that works with YARA.

That doesn't work with oledump. So you have oledump, you can pass it YARA rules with option -y, and then the sample, like this. And then it will apply all the YARA rules on each individual stream. So it will not apply it on the complete document but on the streams inside. And you can see that nothing is matching; there are no matches, no triggers. And that is because of the way I designed those rules: they are actually designed to work with YARA. Because here you have the OLE files, I also test if the file where I do the test, if that file is an OLE file. So if the first four bytes are D0, CF, 11, E0, and by the way, this is kind of leetspeak for DOCFILE. So if you look at that sample, an ASCII dump of let's say the first 16 bytes, you can see here the first four bytes of the OLE file. And this is this test: read the unsigned 32-bit integer, big-endian, at position 0 and match this with this value. If this matches, then also check the test. And since the streams inside OLE files do not start with this, the rules will not match. What does start with this is the OLE file itself, but not the streams inside.
So we actually need to suppress this test for these rules to work with OLE streams. And that's something that I'm going to do. So here I will not just suppress these two tests; I will make a copy of the rules, change their name, SA, stand-alone, and remove this test here, SA, remove this test, save this, and now here we have six rules. And now oledump, option -y, DDE, like this, and now the rule Office OLE DDEAUTO SA, stand-alone, triggers for that stream. And you can use option --yarastrings, just like option -s with YARA itself, to view the strings that are matched. Here you see the DDEAUTO string with the PowerShell command and here the URL.
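The two rule variants walked through above, written out as an added illustrative example (simplified, not the rules published on the author's website; the rule names, the plain `DDEAUTO` string and its ascii/wide encodings are assumptions):

```yara
// Illustrative rules, not Didier Stevens' published DDE rules.
// Variant 1: meant for `yara -s rules.yara sample.doc`, i.e. the whole file.
// The header test only passes when the scanned object starts with the
// OLE compound-file signature D0 CF 11 E0 ("DOCFILE" in leetspeak).
rule Office_OLE_DDEAUTO_illustrative
{
    meta:
        description = "DDEAUTO field in an OLE (binary Word) document"
    strings:
        // Word may store the field text as 8-bit or UTF-16LE, hence ascii wide.
        $ddeauto = "DDEAUTO" nocase ascii wide
    condition:
        uint32be(0) == 0xD0CF11E0 and $ddeauto
}

// Variant 2 (the "SA" / stand-alone copy): same string, header test removed.
// oledump applies rules to each stream on its own (`oledump.py -y rules.yara
// --yarastrings sample.doc`); streams never start with the OLE signature, so
// only this variant can fire there.
rule Office_OLE_DDEAUTO_SA_illustrative
{
    meta:
        description = "DDEAUTO field in an individual OLE stream (stand-alone)"
    strings:
        $ddeauto = "DDEAUTO" nocase ascii wide
    condition:
        $ddeauto
}
```

Running both variants against the same sample makes the difference visible: with `yara -s` on the whole file the first rule matches, while under `oledump.py -y` only the SA rule reports the stream, and `--yarastrings` prints the matched `DDEAUTO` text just as YARA's `-s` does.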