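/*
 * Detects Office macro source text carrying the five obfuscated fragments
 * listed below (Defender name TrojanDownloader:O97M/Obfuse.RVU!MTB).
 *
 * Every pattern is the ASCII byte sequence of a literal piece of macro
 * source, so the rule is sensitive to exact spacing and to how the author
 * split each string; a re-split or re-spaced variant will not match.
 * NOTE(review): SIGNATURE_TYPE_MACROHSTR_EXT suggests the patterns are meant
 * for extracted macro source. VBA stored inside an OLE container is
 * compressed, so scanning the raw document may miss them - confirm against
 * the scanning pipeline.
 */
rule TrojanDownloader_O97M_Obfuse_RVU_MTB
{
    meta:
        // Upstream signature name, signature type and raw header bytes, kept verbatim.
        // NOTE(review): the "05 00 05 00 05 00 00" bytes presumably encode the
        // threshold and sub-signature counts - confirm against the converter.
        description = "TrojanDownloader:O97M/Obfuse.RVU!MTB,SIGNATURE_TYPE_MACROHSTR_EXT,05 00 05 00 05 00 00 "

    strings:
        // weight 1 - download location assembled from short fragments:
        //   titu = "h" + "tt" + "ps" + "://bit" + ".do/" + "fPQKY"
        $a_01_0 = {74 69 74 75 20 3d 20 22 68 22 20 2b 20 22 74 74 22 20 2b 20 22 70 73 22 20 2b 20 22 3a 2f 2f 62 69 74 22 20 2b 20 22 2e 64 6f 2f 22 20 2b 20 22 66 50 51 4b 59 22 }

        // weight 1 - Chr(108) is "l" and Chr(109) is "m", so this spells "urlmon":
        //   u = "ur" & Chr(108) & Chr(109) & "on"
        $a_01_1 = {75 20 3d 20 22 75 72 22 20 26 20 43 68 72 28 31 30 38 29 20 26 20 43 68 72 28 31 30 39 29 20 26 20 22 6f 6e 22 }

        // weight 1 - Excel 4.0 macro formula that branches to B127 or C127 on
        // whether "32" occurs in GET.WORKSPACE(1):
        //   = "=I" + "F(ISNUMBER(SEARCH(""32"",GET.WORKSPACE(1))), GOTO(B127), GOTO(C127))"
        // NOTE(review): presumably a 32-bit versus 64-bit environment check - confirm.
        $a_01_2 = {3d 20 22 3d 49 22 20 2b 20 22 46 28 49 53 4e 55 4d 42 45 52 28 53 45 41 52 43 48 28 22 22 33 32 22 22 2c 47 45 54 2e 57 4f 52 4b 53 50 41 43 45 28 31 29 29 29 2c 20 47 4f 54 4f 28 42 31 32 37 29 2c 20 47 4f 54 4f 28 43 31 32 37 29 29 22 }

        // weight 1 - writes a split "=ERROR(FALSE)" formula into cell A127:
        //   ExcelSheet.Range("A127") = "=ERR" + "OR" + "(FALSE)"
        $a_01_3 = {45 78 63 65 6c 53 68 65 65 74 2e 52 61 6e 67 65 28 22 41 31 32 37 22 29 20 3d 20 22 3d 45 52 52 22 20 2b 20 22 4f 52 22 20 2b 20 22 28 46 41 4c 53 45 29 22 }

        // weight 1 - Chr(109) is "m" and Chr(116) is "t", so the index spells "Comments":
        //   ("Co" & Chr(109) & "men" & Chr(116) & "s").Value
        // NOTE(review): looks like a read of the document's Comments property - confirm.
        $a_01_4 = {28 22 43 6f 22 20 26 20 43 68 72 28 31 30 39 29 20 26 20 22 6d 65 6e 22 20 26 20 43 68 72 28 31 31 36 29 20 26 20 22 73 22 29 2e 56 61 6c 75 65 }

    condition:
        // All five fragments must be present (five weights of 1, threshold 5).
        // The previous form summed (#a_01_N & 1)*1 and compared with >= 5.
        // "#a_01_N & 1" is the parity of the occurrence count, so a fragment
        // found an even number of times scored 0 and the sample went
        // undetected. Testing presence removes that false negative.
        all of ($a_01_*)
}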