Update malicious_document.yar

0cdda429 · mmorenog · 838cf125 · 0cdda429
Commit 0cdda429 authored Feb 27, 2016 by mmorenog
Show whitespace changes
Inline Side-by-side

Showing with 19 additions and 19 deletions

malicious_document.yar Malicious_Documents/malicious_document.yar +19 -19

No files found.
--- a/Malicious_Documents/malicious_document.yar
+++ b/Malicious_Documents/malicious_document.yar
@@ -3,7 +3,7 @@

 */

-rule maldoc_API_hashing
+rule maldoc_API_hashing : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -16,7 +16,7 @@ rule maldoc_API_hashing

 // 20150909 - Issue #39 - Commented because of High FP rate
 /*
-rule maldoc_function_prolog_signature
+rule maldoc_function_prolog_signature : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -33,7 +33,7 @@ rule maldoc_function_prolog_signature

 // 20150909 - Issue #39 - Commented because of High FP rate
 /*
-rule maldoc_structured_exception_handling
+rule maldoc_structured_exception_handling : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -45,7 +45,7 @@ rule maldoc_structured_exception_handling
 }
 */

-rule maldoc_indirect_function_call_1
+rule maldoc_indirect_function_call_1 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -55,7 +55,7 @@ rule maldoc_indirect_function_call_1
        for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
 }

-rule maldoc_indirect_function_call_2
+rule maldoc_indirect_function_call_2 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -65,7 +65,7 @@ rule maldoc_indirect_function_call_2
        for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
 }

-rule maldoc_indirect_function_call_3
+rule maldoc_indirect_function_call_3 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -75,7 +75,7 @@ rule maldoc_indirect_function_call_3
        $a
 }

-rule maldoc_find_kernel32_base_method_1
+rule maldoc_find_kernel32_base_method_1 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -86,7 +86,7 @@ rule maldoc_find_kernel32_base_method_1
        any of them
 }

-rule maldoc_find_kernel32_base_method_2
+rule maldoc_find_kernel32_base_method_2 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -96,7 +96,7 @@ rule maldoc_find_kernel32_base_method_2
        for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
 }

-rule maldoc_find_kernel32_base_method_3
+rule maldoc_find_kernel32_base_method_3 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -106,7 +106,7 @@ rule maldoc_find_kernel32_base_method_3
        for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
 }

-rule maldoc_getEIP_method_1
+rule maldoc_getEIP_method_1 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -116,7 +116,7 @@ rule maldoc_getEIP_method_1
        $a
 }

-rule maldoc_getEIP_method_4
+rule maldoc_getEIP_method_4 : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -127,7 +127,7 @@ rule maldoc_getEIP_method_4
        any of them
 }

-rule maldoc_OLE_file_magic_number
+rule maldoc_OLE_file_magic_number : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -139,7 +139,7 @@ rule maldoc_OLE_file_magic_number

 // 20150909 - Issue #39 - Commented because of High FP rate
 /*
-rule maldoc_suspicious_strings
+rule maldoc_suspicious_strings : maldoc
 {
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
@@ -165,7 +165,7 @@ rule maldoc_suspicious_strings
 }
 */

-rule mwi_document : exploitdoc
+rule mwi_document : exploitdoc : maldoc
 {
    meta:
        description = "MWI generated document"
@@ -181,7 +181,7 @@ rule mwi_document : exploitdoc
        all of them
 }

-rule macrocheck
+rule macrocheck : maldoc
 {
    meta:
        Author      = "Fireeye Labs"
@@ -202,7 +202,7 @@ rule macrocheck
    condition:
        all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
 }
-rule office_document_vba
+rule office_document_vba : maldoc
 {
 	meta:
 		description = "Office document with embedded VBA"
@@ -225,7 +225,7 @@ rule office_document_vba
 		($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
 }

-rule Office_AutoOpen_Macro {
+rule Office_AutoOpen_Macro : maldoc {
 	meta:
 		description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
 		author = "Florian Roth"
@@ -245,7 +245,7 @@ rule Office_AutoOpen_Macro {
 		uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
 }

-rule Embedded_EXE_Cloaking {
+rule Embedded_EXE_Cloaking : maldoc {
    meta:
        description = "Detects an embedded executable in a non-executable file"
        author = "Florian Roth"
@@ -272,7 +272,7 @@ rule Embedded_EXE_Cloaking {
        for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
 }

-rule RTF_Shellcode
+rule RTF_Shellcode : maldoc
 {
 meta: