Commit 8880b2d9 by mmorenog Committed by GitHub

Update malicious_document.yar

parent 5c293f80
...@@ -272,6 +272,7 @@ rule Embedded_EXE_Cloaking : maldoc { ...@@ -272,6 +272,7 @@ rule Embedded_EXE_Cloaking : maldoc {
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) ) for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
} }
// This rule have beed improved by Javier Rascon
rule RTF_Shellcode : maldoc rule RTF_Shellcode : maldoc
{ {
meta: meta:
...@@ -285,7 +286,8 @@ meta: ...@@ -285,7 +286,8 @@ meta:
strings: strings:
$rtfmagic={7B 5C 72 74 66} $rtfmagic={7B 5C 72 74 66}
$scregex=/[39 30]{2,20}/ /* $scregex=/[39 30]{2,20}/ */
$scregex=/(39 30){2,20}/
condition: condition:
($rtfmagic at 0) and ($scregex) ($rtfmagic at 0) and ($scregex)
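Review bot: The new `$scregex=/(39 30){2,20}/` matches the literal seven-character text `39 30` repeated, which looks like a double encoding of the intended pattern — in an RTF hex stream a 0x90 byte is written as the ASCII text `90`, so a regex over the document text would need `/(90){2,20}/` to catch a run of them; as written the rule will almost never fire, though the exact intent should be confirmed with the author. The old `$scregex=/[39 30]{2,20}/` was a character class matching any of `3`, `9`, space or `0`, so the replacement is a real tightening in spirit. Keeping the superseded definition alive inside `/* ... */` on the line above leaves a dead string declaration in the rule; a `//` note explaining why the pattern changed, or simply dropping it, reads cleaner. The comment added in the first hunk also has a typo, `// This rule has been improved by Javier Rascon`.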