Skip to content

R
rules
Commit 7d5a3317 by mmorenog Committed by GitHub
Options

Update Maldoc_PDF.yar

parent 0f8df34c
Showing with 12 additions and 0 deletions
Malicious_Documents/Maldoc_PDF.yar
...@@ -474,3 +474,15 @@ rule XDP_embedded_PDF : PDF raw ...@@ -474,3 +474,15 @@ rule XDP_embedded_PDF : PDF raw
condition: condition:
all of ($s*) and 1 of ($header*) all of ($s*) and 1 of ($header*)
} }
rule PDF_Embedded_Exe : PDF
{
meta:
ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar"
strings:
$header = {25 50 44 46}
$Launch_Action = {3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46}
$exe = {3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73}
condition:
$header at 0 and $Launch_Action and $exe
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment