Create EMAIL_Cryptowall.yar

email/EMAIL_Cryptowall.yar

+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+
+/*
+  Description: None
+  Priority: 5
+  Scope: Against Email
+  Tags: None
+  Created in PhishMe's Triage on September 14, 2015 2:33 PM
+*/
+
+rule CryptoWall_Resume_phish
+{
+  meta:
+		Author = "http://phishme.com/"
+		reference = "https://github.com/phishme/malware_analysis/blob/master/yara_rules/cryptowall.yar"
+  strings:
+    $hello2="my name is " nocase
+    $file1="resume attached" nocase
+    $file2="my resume is pdf file" nocase
+    $file3="attached is my resume" nocase
+    $sal1="I would appreciate your " nocase
+    $sal2="I am looking forward to hearing from you" nocase
+    $sal3="I look forward to your reply" nocase
+    $sal4="Please message me back" nocase
+    $sal5="our early reply will be appreciated" nocase
+    $file4="attach is my resume" nocase
+    $file5="PDF file is my resume" nocase
+    $sal6="Looking forward to see your response" nocase
+
+  condition:
+    1 of ($hello*) and 1 of ($file*) and 1 of ($sal*)
+}
+
+/*
+  Description: None
+  Priority: 5
+  Scope: Against Attachment
+  Tags: None
+  Created in PhishMe's Triage on September 14, 2015 2:35 PM
+*/
+
+rule docx_macro
+{
+  strings:
+    $header="PK" 
+    $vbaStrings="word/vbaProject.bin" nocase
+
+  condition:
+    $header at 0 and $vbaStrings
+}