1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule maldoc_API_hashing
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
$a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
condition:
any of them
}
rule maldoc_function_prolog_signature
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {55 8B EC 81 EC}
$a2 = {55 8B EC 83 C4}
$a3 = {55 8B EC E8}
$a4 = {55 8B EC E9}
$a5 = {55 8B EC EB}
condition:
any of them
}
rule maldoc_structured_exception_handling
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
$a2 = {64 A1 00 00 00 00}
condition:
any of them
}
rule maldoc_indirect_function_call_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF 75 ?? FF 55 ??}
condition:
for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
rule maldoc_indirect_function_call_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
rule maldoc_indirect_function_call_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B7 ?? ?? ?? ?? FF 57 ??}
condition:
$a
}
rule maldoc_find_kernel32_base_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
$a2 = {64 A1 30 00 00 00}
condition:
any of them
}
rule maldoc_find_kernel32_base_method_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {31 ?? ?? 30 64 8B ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
rule maldoc_find_kernel32_base_method_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
condition:
for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
rule maldoc_getEIP_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
$a
}
rule maldoc_getEIP_method_4
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
$a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
any of them
}
rule maldoc_OLE_file_magic_number
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {D0 CF 11 E0}
condition:
$a
}
rule maldoc_suspicious_strings
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a01 = "CloseHandle"
$a02 = "CreateFile"
$a03 = "GetProcAddr"
$a04 = "GetSystemDirectory"
$a05 = "GetTempPath"
$a06 = "GetWindowsDirectory"
$a07 = "IsBadReadPtr"
$a08 = "IsBadWritePtr"
$a09 = "LoadLibrary"
$a10 = "ReadFile"
$a11 = "SetFilePointer"
$a12 = "ShellExecute"
$a13 = "UrlDownloadToFile"
$a14 = "VirtualAlloc"
$a15 = "WinExec"
$a16 = "WriteFile"
condition:
any of them
}