RTF_Shellcode detection rule - CVE-2012-0158

Info: https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158

RTF_Shellcode detection rule - CVE-2012-0158
Info: https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158
afdfac77 · j0sm1 · c7bee0f8 · afdfac77
Commit afdfac77 authored Jan 19, 2016 by j0sm1
Show whitespace changes
Inline Side-by-side

Showing with 19 additions and 0 deletions

malicious_document.yar Malicious_Documents/malicious_document.yar +19 -0

No files found.
--- a/Malicious_Documents/malicious_document.yar
+++ b/Malicious_Documents/malicious_document.yar
@@ -271,3 +271,22 @@ rule Embedded_EXE_Cloaking {
        and
        for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
 }
+
+rule RTF_Shellcode
+{
+meta:
+
+                author = "RSA-IR – Jared Greenhill"
+                date = "01/21/13"
+                description = "identifies RTF's with potential shellcode"
+                filetype = "RTF"
+
+
+
+strings:
+                $rtfmagic={7B 5C 72 74 66}
+                $scregex=/[39 30]{2,20}/
+condition:
+
+                ($rtfmagic at 0) and ($scregex)
+}