
https://github.com/InQuest/yara-rules/blob/master/Excel_Hidden_Macro_Sheet.rule detects too many non-excel files #4


Description

@MsdnUsrSince1994

The rule in Excel_Hidden_Macro_Sheet.rule is overly broad and detects lots of other files that happen to be in the Microsoft COM Structured Storage container format and happen to contain the short patterns searched for. In particular, the VirusTotal.com copy of the rule often triggers on Microsoft Windows Installer (MSI) packages, which are all based on COM Structured Storage and are often large files, thereby increasing the risk of a false match on 4-byte patterns.

A better rule should start by looking for actual markers of Excel format files, then actual markers of the inner file containing macros, then search that inner file for relevant patterns. Many anti-malware software libraries already contain generic code for looking inside "COM structured storage" containers to detect Office 9x macros; hopefully the YARA framework includes functions to do the same.
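One way to gate the macro-sheet patterns on Excel-specific markers, as an added example rather than the InQuest rule or a proposed patch to it: it requires the Compound File magic at offset 0, the UTF-16LE "Workbook" directory-entry name and a BIFF8 BOF record before the BoundSheet8 patterns count. The record layouts (BoundSheet8 rt=0x0085 with hsState 1/2 and dt=1 for an Excel 4.0 macro sheet; BOF rt=0x0809 with vers=0x0600, dt=0x0005) come from the BIFF8 specification; the rule name is made up for this example.

```yara
rule Excel_Hidden_Macro_Sheet_Gated_Example
{
    meta:
        description = "Example only: hidden or very hidden Excel 4.0 macro sheet, gated on Excel markers"

    strings:
        // Directory entry name of the BIFF8 workbook stream, stored as UTF-16LE in the CFB directory
        $workbook_stream = "Workbook" wide

        // BIFF8 BOF record for workbook globals: rt=0x0809, cb=0x0010, vers=0x0600, dt=0x0005
        $bof_biff8 = { 09 08 10 00 00 06 05 00 }

        // BoundSheet8 record: rt=0x0085, cb (2 bytes, varies with sheet name length),
        // lbPlyPos (4 bytes), hsState (01 = hidden, 02 = very hidden), dt (01 = Excel 4.0 macro sheet)
        $hidden_macro      = { 85 00 ?? ?? ?? ?? ?? ?? 01 01 }
        $very_hidden_macro = { 85 00 ?? ?? ?? ?? ?? ?? 02 01 }

    condition:
        // Compound File (OLE2) header magic D0 CF 11 E0 A1 B1 1A E1, read little-endian
        uint32(0) == 0xE011CFD0 and uint32(4) == 0xE11AB1A1 and
        // Excel-specific markers: MSI packages and other non-Excel CFB files stop here
        $workbook_stream and $bof_biff8 and
        // Only then do the short BoundSheet8 patterns decide the match
        ($hidden_macro or $very_hidden_macro)
}
```

YARA scans raw file bytes and does not follow CFB sector chains, so a record that straddles a sector boundary will not match; the markers narrow false positives but do not replace a real CFB parser.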
