
Add a new module for OOXML #2192

Closed
RustyNoob-619 wants to merge 3 commits into VirusTotal:master from RustyNoob-619:feature/ooxml-module

Conversation

@RustyNoob-619

Hi team,

This is my first PR to any open-source project, so I do apologise if I get something wrong :)

I would like to request a new module for OOXML files, which are part of the PKZIP specification. The module focuses on parsing the metadata properties of OOXML files and does not attempt to extract each file entity within the ZIP archive. I have used this PKZIP specification to construct the module: https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html

I have built this module with limited knowledge of C and have tested it using the YARA tests function against a malicious document. The inspiration behind this is that various threat actors use such modern documents, which follow the OOXML format, during the initial phase of intrusions.

The following have been added:

  • An ooxml.md file to document and provide a brief explanation of the module and its use.
  • An ooxml.h, which is the header file for ooxml.c
  • An ooxml.c under the modules/ooxml path, which is the core module file

I have the supporting files that I can share as well, such as modifications to existing files (makefile.am, module_list, configure.ac) as well as new files (sample YARA ruleset, test-suite.log after running make check, and others).

Please let me know what is required from my end. I am super thrilled for this to be added as an official YARA module, which will be huge for the 100DaysofYARA challenge and beyond, cheers

Added a new module called ooxml to parse metadata from OOXML files based on the wider PKZIP specification
created a Header file for the ooxml module
Added documentation for the ooxml module in markdown
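The PR does not include its source, so the following is an added example, not code from this PR, from YARA or from YARA-X, of the walk a metadata-only OOXML module has to do over the PKZIP structures named above: locate the End of Central Directory record by scanning backwards over the optional archive comment, then walk the central directory entries and note which OOXML parts are present without inflating anything. Because a YARA module runs over attacker-controlled input, every length field read from the file is checked against the buffer before it is used. The in-memory ZIP writer and the sample document are constructed test data (stored entries, zero CRCs and timestamps), not a real file; the part names checked are the standard OPC ones.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Record signatures from the PKZIP appnote, as little-endian integers. */
#define SIG_LOCAL   0x04034b50u
#define SIG_CENTRAL 0x02014b50u
#define SIG_EOCD    0x06054b50u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* What a metadata-only walk can report without inflating any part. */
typedef struct {
    uint16_t entries;
    int has_content_types;   /* [Content_Types].xml: required by OPC, marks the file as OOXML */
    int has_core_props;      /* docProps/core.xml: title, creator, created/modified dates */
    int has_app_props;       /* docProps/app.xml: application, template, company */
    int has_vba;             /* any .../vbaProject.bin part (macro-enabled document) */
} ooxml_info;

/* Find the End of Central Directory record. It sits at the end of the file, but an
   archive comment of up to 65535 bytes may follow it, so scan backwards. */
static long find_eocd(const uint8_t *buf, size_t len) {
    if (len < 22) return -1;
    size_t low = len - 22 > 65535 ? len - 22 - 65535 : 0;
    for (size_t i = len - 22;; i--) {
        if (rd32(buf + i) == SIG_EOCD && i + 22 + rd16(buf + i + 20) <= len) return (long)i;
        if (i == low) break;
    }
    return -1;
}

static int name_is(const uint8_t *name, size_t n, const char *lit) {
    return strlen(lit) == n && memcmp(name, lit, n) == 0;
}
static int name_ends(const uint8_t *name, size_t n, const char *lit) {
    size_t l = strlen(lit);
    return n >= l && memcmp(name + n - l, lit, l) == 0;
}

/* Walk the central directory only. Every length field comes from the file, so each is
   checked against the buffer before use. Returns 0 on success, -1 if not a well-formed ZIP. */
int ooxml_parse(const uint8_t *buf, size_t len, ooxml_info *out) {
    memset(out, 0, sizeof *out);
    long e = find_eocd(buf, len);
    if (e < 0) return -1;
    uint16_t n = rd16(buf + e + 10);                              /* total entry count */
    uint32_t cd_size = rd32(buf + e + 12), cd_off = rd32(buf + e + 16);
    if ((uint64_t)cd_off + cd_size > (uint64_t)e) return -1;      /* CD must precede the EOCD */
    const uint8_t *p = buf + cd_off, *end = p + cd_size;
    for (uint16_t i = 0; i < n; i++) {
        if ((size_t)(end - p) < 46 || rd32(p) != SIG_CENTRAL) return -1;
        size_t name_len = rd16(p + 28);
        size_t rec = 46 + name_len + rd16(p + 30) + rd16(p + 32); /* + extra + comment */
        if ((size_t)(end - p) < rec) return -1;
        const uint8_t *name = p + 46;
        if (name_is(name, name_len, "[Content_Types].xml")) out->has_content_types = 1;
        if (name_is(name, name_len, "docProps/core.xml"))   out->has_core_props = 1;
        if (name_is(name, name_len, "docProps/app.xml"))    out->has_app_props = 1;
        if (name_ends(name, name_len, "vbaProject.bin"))    out->has_vba = 1;
        p += rec;
    }
    out->entries = n;
    return 0;
}

/* Minimal in-memory ZIP writer for the constructed test input: stored entries only,
   CRC and timestamps left zero because the walk above never reads them. */
typedef struct { uint8_t data[2048]; size_t len; uint8_t cd[1024]; size_t cd_len; uint16_t count; } zip_builder;

static void zb_add(zip_builder *z, const char *name, const char *body) {
    uint16_t nl = (uint16_t)strlen(name), bl = (uint16_t)strlen(body);
    uint8_t *l = z->data + z->len, *c = z->cd + z->cd_len;
    memset(l, 0, 30); wr32(l, SIG_LOCAL); wr16(l + 4, 20);
    wr32(l + 18, bl); wr32(l + 22, bl); wr16(l + 26, nl);
    memcpy(l + 30, name, nl); memcpy(l + 30 + nl, body, bl);
    memset(c, 0, 46); wr32(c, SIG_CENTRAL); wr16(c + 4, 20); wr16(c + 6, 20);
    wr32(c + 20, bl); wr32(c + 24, bl); wr16(c + 28, nl); wr32(c + 42, (uint32_t)z->len);
    memcpy(c + 46, name, nl);
    z->len += 30u + nl + bl; z->cd_len += 46u + nl; z->count++;
}

static size_t zb_finish(zip_builder *z) {
    uint32_t cd_off = (uint32_t)z->len;
    memcpy(z->data + z->len, z->cd, z->cd_len); z->len += z->cd_len;
    uint8_t *e = z->data + z->len;
    memset(e, 0, 22); wr32(e, SIG_EOCD); wr16(e + 8, z->count); wr16(e + 10, z->count);
    wr32(e + 12, (uint32_t)z->cd_len); wr32(e + 16, cd_off);
    return z->len += 22;
}

/* Constructed sample: the parts a macro-enabled Word document carries. Returns its length. */
size_t build_sample_docm(zip_builder *z) {
    memset(z, 0, sizeof *z);
    zb_add(z, "[Content_Types].xml", "<Types/>");
    zb_add(z, "docProps/core.xml", "<cp:coreProperties/>");
    zb_add(z, "docProps/app.xml", "<Properties/>");
    zb_add(z, "word/document.xml", "<w:document/>");
    zb_add(z, "word/vbaProject.bin", "\xd0\xcf\x11\xe0");
    return zb_finish(z);
}

int main(void) {
    zip_builder z; ooxml_info info;
    size_t len = build_sample_docm(&z);
    if (ooxml_parse(z.data, len, &info) != 0) { puts("not a ZIP"); return 1; }
    printf("entries=%u ooxml=%d core=%d app=%d vba=%d\n", info.entries,
           info.has_content_types, info.has_core_props, info.has_app_props, info.has_vba);
    /* Cutting the tail removes the EOCD; the parser must refuse rather than read past the end. */
    printf("truncated -> %d\n", ooxml_parse(z.data, len - 10, &info));
    return 0;
}
```

A rule would then key on `has_content_types` to confirm the file is OOXML at all, and on `has_vba` to flag macro-enabled documents; reading the actual title or author strings would need a second step that inflates `docProps/core.xml`, which this walk deliberately avoids.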
@plusvic
Member

plusvic commented Feb 10, 2026

Hi @RustyNoob-619, thank you for contributing to this project, but unfortunately we are not accepting new PRs for YARA because it is in maintenance mode. See: https://virustotal.github.io/yara-x/blog/yara-x-is-stable/

Any new contribution should be done in its successor: https://github.com/VirusTotal/yara-x

The bad news: it's a completely different code base, in Rust, not in C, so it can be hard for people not accustomed to Rust.
The good news: this module is very similar to others that basically consist of reading some manifest file from a ZIP file. See: VirusTotal/yara-x#540

@plusvic plusvic closed this Feb 10, 2026
@RustyNoob-619
Author

RustyNoob-619 commented Feb 10, 2026

No worries @plusvic, it is totally understandable. Just as you have a section in the docs around writing your own module in YARA, it would be nice to have something similar for YARA-X. I might just take up learning Rust and give some justification to my X handle, haha. I am still keen to reimplement this module in Rust for YARA-X :)

@plusvic
Member

plusvic commented Feb 10, 2026

Sure, you have this: https://github.com/VirusTotal/yara-x/blob/main/docs/ModuleDeveloperGuide.md
