From b1a176d2c5b95651787288e182fc13d47f367de1 Mon Sep 17 00:00:00 2001
From: mmorenog <mmorenog@users.noreply.github.com>
Date: Fri, 25 Dec 2015 19:42:09 +0100
Subject: [PATCH] Create EMAIL_Cryptowall.yar

---
 email/EMAIL_Cryptowall.yar | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 email/EMAIL_Cryptowall.yar

diff --git a/email/EMAIL_Cryptowall.yar b/email/EMAIL_Cryptowall.yar
new file mode 100644
index 0000000..65ffec0
--- /dev/null
+++ b/email/EMAIL_Cryptowall.yar
@@ -0,0 +1,52 @@
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+  Description: None
+  Priority: 5
+  Scope: Against Email
+  Tags: None
+  Created in PhishMe's Triage on September 14, 2015 2:33 PM
+*/
+
+rule CryptoWall_Resume_phish
+{
+  meta:
+		Author = "http://phishme.com/"
+		reference = "https://github.com/phishme/malware_analysis/blob/master/yara_rules/cryptowall.yar"
+  strings:
+    $hello2="my name is " nocase
+    $file1="resume attached" nocase
+    $file2="my resume is pdf file" nocase
+    $file3="attached is my resume" nocase
+    $sal1="I would appreciate your " nocase
+    $sal2="I am looking forward to hearing from you" nocase
+    $sal3="I look forward to your reply" nocase
+    $sal4="Please message me back" nocase
+    $sal5="our early reply will be appreciated" nocase
+    $file4="attach is my resume" nocase
+    $file5="PDF file is my resume" nocase
+    $sal6="Looking forward to see your response" nocase
+
+  condition:
+    1 of ($hello*) and 1 of ($file*) and 1 of ($sal*)
+}
+
+/*
+  Description: None
+  Priority: 5
+  Scope: Against Attachment
+  Tags: None
+  Created in PhishMe's Triage on September 14, 2015 2:35 PM
+*/
+
+rule docx_macro
+{
+  strings:
+    $header="PK" 
+    $vbaStrings="word/vbaProject.bin" nocase
+
+  condition:
+    $header at 0 and $vbaStrings
+}
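Review bot: `docx_macro` at the end of the hunk has no `meta:` block, unlike `CryptoWall_Resume_phish` above it, and its header comment leaves `Description: None`, so nothing on the page states what a hit means. The condition `$header at 0 and $vbaStrings` fires on any OOXML container whose ZIP directory names `word/vbaProject.bin`, which includes legitimate macro-enabled `.docm`/`.dotm` documents, so this is a triage signal rather than a CryptoWall verdict and the rule should say so. Suggest a `meta:` block carrying the same `Author` and `reference` entries as the first rule plus `description = "Word OOXML document containing a VBA project (word/vbaProject.bin); also matches benign macro-enabled documents"`. Separately, `$header="PK"` is only the two-byte ZIP signature; if the intent is the local file header, `$header="PK\x03\x04"` is the more specific form.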
--
libgit2 0.26.0