Merge pull request #129 from halos/master

Fixed 'RTF_Shellcode' rule regular expression

Merge pull request #129 from halos/master
Fixed 'RTF_Shellcode' rule regular expression
642e4150 · mmorenog · GitHub · 8880b2d9 · fb786a03 · 642e4150
Commit 642e4150 authored Jul 11, 2016 by mmorenog Committed by GitHub Jul 11, 2016
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 6 deletions

malicious_document.yar Malicious_Documents/malicious_document.yar +5 -6

No files found.
--- a/Malicious_Documents/malicious_document.yar
+++ b/Malicious_Documents/malicious_document.yar
@@ -275,20 +275,19 @@ rule Embedded_EXE_Cloaking : maldoc {
 // This rule have beed improved by Javier Rascon
 rule RTF_Shellcode : maldoc
 {
-meta:
+    meta:

        author = "RSA-IR – Jared Greenhill"
        date = "01/21/13"
        description = "identifies RTF's with potential shellcode"
            filetype = "RTF"

-
-
-strings:
+    strings:
        $rtfmagic={7B 5C 72 74 66}
        /* $scregex=/[39 30]{2,20}/ */
-                $scregex=/(39 30){2,20}/
-condition:
+        $scregex=/(90){2,20}/
+
+    condition:

        ($rtfmagic at 0) and ($scregex)
 }