1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule malrtf_ole2link : exploit
{
meta:
author = "@h3x2b <tracker _AT h3x.eu>"
description = "Detect weaponized RTF documents with OLE2Link exploit"
strings:
//normal rtf beginning
$rtf_format_00 = "{\\rtf1"
//malformed rtf can have for example {\\rtA1
$rtf_format_01 = "{\\rt"
//having objdata structure
$rtf_olelink_01 = "\\objdata" nocase
//hex encoded OLE2Link
$rtf_olelink_02 = "4f4c45324c696e6b" nocase
//hex encoded docfile magic - doc file albilae
$rtf_olelink_03 = "d0cf11e0a1b11ae1" nocase
//hex encoded "http://"
$rtf_payload_01 = "68007400740070003a002f002f00" nocase
//hex encoded "https://"
$rtf_payload_02 = "680074007400700073003a002f002f00" nocase
//hex encoded "ftp://"
$rtf_payload_03 = "6600740070003a002f002f00" nocase
condition:
//new_file and
any of ($rtf_format_*)
and all of ($rtf_olelink_*)
and any of ($rtf_payload_*)
}