fact-depend / rules
Commit 4f540ed8, authored Jun 12, 2017 by halos (parent a1f02d7a)

Search PDF header in first 1024 bytes

Showing 1 changed file with 24 additions and 24 deletions:
Malicious_Documents/Maldoc_PDF.yar (+24, -24)
@@ -17,7 +17,7 @@ rule malicious_author : PDF raw
$reg1 = /Title.?\(who cis\)/
$reg2 = /Author.?\(ser pes\)/
condition:
$magic
at 0
and all of ($reg*)
$magic
in (0..1024)
and all of ($reg*)
}
rule suspicious_version : PDF raw
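Review bot: the rationale for loosening `$magic at 0` to `$magic in (0..1024)` exists only in the commit message; put it in each rule's `meta` or a top-of-file comment (Acrobat accepts a `%PDF` header anywhere within the first 1024 bytes, so a file with junk before the header still opens but used to slip past `at 0`). Also worth stating that `in (0..1024)` only requires the header to start in that window, so `$magic` is now satisfied by any file that merely carries the four bytes `%PDF` early on; for this rule that is harmless because `all of ($reg*)` must still match, but the negated rules further down do not have that safety net.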
@@ -31,7 +31,7 @@ rule suspicious_version : PDF raw
$magic = { 25 50 44 46 }
$ver = /%PDF-1.\d{1}/
condition:
$magic
at 0
and not $ver
$magic
in (0..1024)
and not $ver
}
rule suspicious_creation : PDF raw
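Review bot: `$ver = /%PDF-1.\d{1}/` has an unescaped `.`, so it accepts any byte between `1` and the digit (`%PDF-1x5` passes), and `\d{1}` is just `\d`; write `/%PDF-1\.\d/` as the later `*_wrong_version` rules already do. With `$magic in (0..1024)`, `not $ver` now also fires on any non-PDF file that contains `%PDF` in its first KiB (an e-mail or script that mentions the string), so this negated rule gets noisier than the positive ones; consider pairing `$magic` with a further PDF structure check such as the presence of `%%EOF` or `endobj`.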
@@ -48,7 +48,7 @@ rule suspicious_creation : PDF raw
$create0 = /CreationDate \(D:20101015142358\)/
$create1 = /CreationDate \(2008312053854\)/
condition:
$magic
at 0
and $header and 1 of ($create*)
$magic
in (0..1024)
and $header and 1 of ($create*)
}
rule multiple_filtering : PDF raw
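Review bot: `$create0` and `$create1` (and `$producer0` in a later hunk) are regexes whose only metacharacters are the escaped parentheses; plain strings such as `"CreationDate (D:20101015142358)"` match the same bytes and are cheaper for YARA to scan. Separately, `$create1` lacks the `D:` prefix that `$create0` carries; if that is deliberate (copied verbatim from a sample), a comment saying so will stop someone "correcting" it later.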
@@ -64,7 +64,7 @@ weight = 3
// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
condition:
$magic
at 0
and $attrib
$magic
in (0..1024)
and $attrib
}
rule suspicious_title : PDF raw
@@ -82,7 +82,7 @@ rule suspicious_title : PDF raw
$title1 = "P66N7FF"
$title2 = "Fohcirya"
condition:
$magic
at 0
and $header and 1 of ($title*)
$magic
in (0..1024)
and $header and 1 of ($title*)
}
rule suspicious_author : PDF raw
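Review bot: the condition still requires `$header` alongside `$magic`, and `$header` is not in this hunk; if `$header` is anchored with `at 0` or is itself the `%PDF-` prefix, loosening `$magic` changes nothing for this rule or for the other `$header`-gated rules (`suspicious_creation`, `suspicious_author`, `suspicious_producer`, `suspicious_creator`). Confirm that `$header` is offset-tolerant as well, otherwise the commit's intent is not met here.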
@@ -101,7 +101,7 @@ rule suspicious_author : PDF raw
$author2 = "Miekiemoes"
$author3 = "Nsarkolke"
condition:
$magic
at 0
and $header and 1 of ($author*)
$magic
in (0..1024)
and $header and 1 of ($author*)
}
rule suspicious_producer : PDF raw
@@ -118,7 +118,7 @@ rule suspicious_producer : PDF raw
$producer0 = /Producer \(Scribus PDF Library/
$producer1 = "Notepad"
condition:
$magic
at 0
and $header and 1 of ($producer*)
$magic
in (0..1024)
and $header and 1 of ($producer*)
}
rule suspicious_creator : PDF raw
@@ -136,7 +136,7 @@ rule suspicious_creator : PDF raw
$creator1 = "Scribus"
$creator2 = "Viraciregavi"
condition:
$magic
at 0
and $header and 1 of ($creator*)
$magic
in (0..1024)
and $header and 1 of ($creator*)
}
rule possible_exploit : PDF raw
@@ -161,7 +161,7 @@ rule possible_exploit : PDF raw
$nop = "%u9090%u9090"
condition:
$magic
at 0
and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
$magic
in (0..1024)
and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
}
rule shellcode_blob_metadata : PDF raw
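Review bot: operator precedence in the `possible_exploit` condition: in YARA `and` binds tighter than `or`, so `$magic in (0..1024) and (2 of ($attrib*)) or (...) or (...)` applies the header check only to the first alternative; the `$action0 and #shell > 10 and 1 of ($cond*)` and `$action1 and $cond0 and $nop` branches fire on any file, PDF or not. That was already true with `at 0`, but since this hunk touches the condition anyway, wrap the alternatives: `$magic in (0..1024) and ((2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop))`.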
@@ -182,7 +182,7 @@ rule shellcode_blob_metadata : PDF raw
$reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
condition:
$magic
at 0
and 1 of ($reg*)
$magic
in (0..1024)
and 1 of ($reg*)
}
rule suspicious_js : PDF raw
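Review bot: the capturing group in `$reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/` does nothing, since YARA regexes have no back-references, and the unbounded `{200,}` makes every match as long as the alphanumeric run. `/\/CreationDate.?\([a-zA-Z0-9]{200}/` expresses the same "at least 200 alphanumerics" test and stops after 200 bytes. The `.?` after `CreationDate` presumably allows a single space; `\s?` says so explicitly.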
...
$js2 = "String.fromCharCode"
condition:
$magic
at 0
and all of ($attrib*) and 2 of ($js*)
$magic
in (0..1024)
and all of ($attrib*) and 2 of ($js*)
}
rule suspicious_launch_action : PDF raw
@@ -222,7 +222,7 @@ rule suspicious_launch_action : PDF raw
$attrib3 = /\/F /
condition:
$magic
at 0
and 3 of ($attrib*)
$magic
in (0..1024)
and 3 of ($attrib*)
}
rule suspicious_embed : PDF raw
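Review bot: `$attrib3 = /\/F /` is a regex with no metacharacters and should be the plain string `"/F "`; more importantly, `/F ` is one of the most common keys in a PDF (annotation flags, the file key of every `/Filespec`), so it contributes almost nothing on its own and the rule is carried entirely by `3 of ($attrib*)`. If the other `$attrib*` strings are `/Launch`-specific, consider leaving `$attrib3` out of the count, and document in `meta` what three-of-four is meant to catch.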
@@ -243,7 +243,7 @@ rule suspicious_embed : PDF raw
$attrib2 = /\/Filespec/
condition:
$magic
at 0
and 1 of ($meth*) and 2 of ($attrib*)
$magic
in (0..1024)
and 1 of ($meth*) and 2 of ($attrib*)
}
rule suspicious_obfuscation : PDF raw
@@ -258,7 +258,7 @@ rule suspicious_obfuscation : PDF raw
$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
condition:
$magic
at 0
and #reg > 5
$magic
in (0..1024)
and #reg > 5
}
rule invalid_XObject_js : PDF raw
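Review bot: `$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/` only matches a name whose second and third characters are both `#xx` escapes directly after a single word character, so `/J#61vaScript` (one escape) and `/Ja#76a#53cript` (non-adjacent escapes) are not counted toward `#reg > 5`, while `[a-zA-Z0-9]{2}` is wider than the two hex digits the name syntax allows. Counting any escaped name with a hex class is both more complete and more precise, for example `$reg = /\/[^\s\/<>\[\]()]*#[0-9A-Fa-f]{2}/` with `#reg > 5`, which counts each name containing an escape once.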
@@ -278,7 +278,7 @@ rule invalid_XObject_js : PDF raw
$attrib1 = /\/JavaScript/
condition:
$magic
at 0
and not $ver and all of ($attrib*)
$magic
in (0..1024)
and not $ver and all of ($attrib*)
}
rule invalid_trailer_structure : PDF raw
@@ -295,7 +295,7 @@ rule invalid_trailer_structure : PDF raw
$reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
condition:
$magic
at 0
and not $reg0 and not $reg1
$magic
in (0..1024)
and not $reg0 and not $reg1
}
rule multiple_versions : PDF raw
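Review bot: `$reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/` tolerates at most one line break between `/Root` and `startxref` (`.` does not match a newline in YARA), so a trailer dictionary written across several lines, e.g. `/Root 1 0 R` followed by `/Info 2 0 R` and `>>` on their own lines, fails `$reg1`; because the condition is `not $reg0 and not $reg1`, such perfectly valid files are then reported as having an invalid trailer. Allow a few more `\r?\n?` line breaks (or match `startxref\r?\n?.*\r?\n?%%EOF` on its own) before relying on the negation.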
@@ -312,7 +312,7 @@ rule multiple_versions : PDF raw
$s1 = "%%EOF"
condition:
$magic
at 0
and #s0 > 1 and #s1 > 1
$magic
in (0..1024)
and #s0 > 1 and #s1 > 1
}
rule js_wrong_version : PDF raw
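Review bot: `#s1 > 1` counts `%%EOF` markers, but a second `%%EOF` is exactly what an incremental update produces (ISO 32000-1 section 7.5.6): every PDF that was re-saved, annotated or digitally signed in place has two or more, so this rule will flag a lot of ordinary documents. If the intent is "two different version headers", say so: `$s0` is not in this hunk, but if it is the `%PDF-` header then `#s0 > 1` alone carries the signal and `#s1 > 1` only adds noise; otherwise record the expected false-positive rate in `meta`.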
@@ -330,7 +330,7 @@ rule js_wrong_version : PDF raw
$ver = /%PDF-1\.[3-9]/
condition:
$magic
at 0
and $js and not $ver
$magic
in (0..1024)
and $js and not $ver
}
rule JBIG2_wrong_version : PDF raw
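Review bot: `$ver = /%PDF-1\.[3-9]/` combined with `not $ver` turns every header the pattern does not list into a hit, and `%PDF-2.0` (ISO 32000-2) is such a header, so this rule and the three `*_wrong_version` hunks that follow (`[4-9]`, `[2-9]`, `[3-9]`) will fire on every PDF 2.0 file that uses the feature in question. Widen each pattern along the lines of `/%PDF-(1\.[3-9]|2\.\d)/` so the negation keeps meaning "declared version too old for this feature".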
@@ -348,7 +348,7 @@ rule JBIG2_wrong_version : PDF raw
$ver = /%PDF-1\.[4-9]/
condition:
$magic
at 0
and $js and not $ver
$magic
in (0..1024)
and $js and not $ver
}
rule FlateDecode_wrong_version : PDF raw
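Review bot: the condition `$js and not $ver` in `JBIG2_wrong_version` reuses the identifier `$js` from `js_wrong_version`; if the string it names is the JBIG2Decode marker rather than JavaScript, rename it (for example `$jbig2`) so the condition reads as what it checks, and do the same in `FlateDecode_wrong_version` below, which also tests `$js`.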
@@ -366,7 +366,7 @@ rule FlateDecode_wrong_version : PDF raw
$ver = /%PDF-1\.[2-9]/
condition:
$magic
at 0
and $js and not $ver
$magic
in (0..1024)
and $js and not $ver
}
rule embed_wrong_version : PDF raw
@@ -384,7 +384,7 @@ rule embed_wrong_version : PDF raw
$ver = /%PDF-1\.[3-9]/
condition:
$magic
at 0
and $embed and not $ver
$magic
in (0..1024)
and $embed and not $ver
}
rule invalid_xref_numbers : PDF raw
@@ -401,7 +401,7 @@ rule invalid_xref_numbers : PDF raw
$reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
$reg1 = /endstream.*\r?\n?endobj.*\r?\n?startxref/
condition:
$magic
at 0
and not $reg0 and not $reg1
$magic
in (0..1024)
and not $reg0 and not $reg1
}
rule js_splitting : PDF raw
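Review bot: this condition is a pure negation (`not $reg0 and not $reg1`), so it cannot tell "PDF with a malformed cross-reference" from "not a PDF at all", and with `$magic in (0..1024)` any non-PDF file that carries `%PDF` in its first KiB now matches both negations and triggers the rule. Require some positive PDF structure as well (`endobj`, `startxref` or `%%EOF` as a string) before negating. Note also that `$reg1 = /endstream.*\r?\n?endobj.*\r?\n?startxref/` allows only one line break between `endobj` and `startxref`, so a cross-reference-stream file with a blank line or a comment there is treated as invalid.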
@@ -421,7 +421,7 @@ rule js_splitting : PDF raw
$s3 = "this.info"
condition:
$magic
at 0
and $js and 1 of ($s*)
$magic
in (0..1024)
and $js and 1 of ($s*)
}
rule header_evasion : PDF raw
@@ -452,7 +452,7 @@ rule BlackHole_v2 : PDF raw
$content = "Index[5 1 7 1 9 4 23 4 50"
condition:
$magic
at 0
and $content
$magic
in (0..1024)
and $content
}
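Review bot: the hunk header reads `rule BlackHole_v2`, while the previous hunk's trailing context ends at `rule header_evasion : PDF raw` and no hunk follows for it, so `header_evasion` is the one rule this commit leaves untouched. Since junk before `%PDF` is exactly what the move to `in (0..1024)` addresses, confirm that rule already tolerates the offset or note why it is exempt. Also `$content = "Index[5 1 7 1 9 4 23 4 50"` is a literal `/Index` array from one sample; a `meta` reference to that sample would help whoever maintains this later.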