alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Suspicious VBS Encoding Observed in BottleEK"; flow:established,to_client; http.content_type; content:"application/octet-stream"; file.data; content:"Execute chr("; depth:12; fast_pattern; pcre:"/^-?\d+[/+]/R"; content:"CLng(&H"; within:7; pcre:"/^[A-F0-9]+/R"; content:"))&chr("; within:7; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; content:"CLng(&H"; distance:0; content:"))&chr("; distance:0; classtype:bad-unknown; sid:2029125; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_12_12, deployment Perimeter, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_24;)