Update PDF.yar

36f83378 · mmorenog · 5d94f30c · 36f83378
Commit 36f83378 authored Jan 28, 2016 by mmorenog
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 1 deletions

PDF.yar Malicious_Documents/PDF.yar +2 -1

No files found.
--- a/Malicious_Documents/PDF.yar
+++ b/Malicious_Documents/PDF.yar
@@ -178,7 +178,7 @@ rule multiple_filtering : PDF
                
        strings:
                $magic = { 25 50 44 46 }
-                $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/           
+                $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/ 
 				// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt

        condition: 
@@ -404,6 +404,7 @@ rule invalid_xref_numbers : PDF
                $magic at 0 and not $reg0 and not $reg1
 }

+
 rule js_splitting : PDF
 {
        meta: