Default clam sigs obviously are not catching these, but wondering if anyone has them included in a third party that rather FP friendly.

I also just tested a yara from here, and it seems to work, but not certain about FPs from it either.

https://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/

Anyone have a suggestion?

Sincerely,

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300