Skip to content

R
rules
Commit 70d8fe31 by mmorenog
Options

Update PDF.yar

parent c9987d79
Showing with 16 additions and 0 deletions
Malicious_Documents/PDF.yar
...@@ -51,6 +51,22 @@ rule suspicious_creation : PDF ...@@ -51,6 +51,22 @@ rule suspicious_creation : PDF
$magic at 0 and $header and 1 of ($create*) $magic at 0 and $header and 1 of ($create*)
} }
rule multiple_filtering : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.2"
weight = 3
strings:
$magic = { 25 50 44 46 }
$attrib = /\/Filter.*(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
condition:
$magic at 0 and $attrib
}
rule suspicious_title : PDF rule suspicious_title : PDF
{ {
meta: meta:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment