Commit c7bee0f8 by j0sm1

New malicious document category

New malicious document category
parent 621e4ae0
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule maldoc_API_hashing
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
$a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
condition:
any of them
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule maldoc_function_prolog_signature
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {55 8B EC 81 EC}
$a2 = {55 8B EC 83 C4}
$a3 = {55 8B EC E8}
$a4 = {55 8B EC E9}
$a5 = {55 8B EC EB}
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule maldoc_structured_exception_handling
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
$a2 = {64 A1 00 00 00 00}
condition:
any of them
}
*/
rule maldoc_indirect_function_call_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF 75 ?? FF 55 ??}
condition:
for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
rule maldoc_indirect_function_call_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
rule maldoc_indirect_function_call_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B7 ?? ?? ?? ?? FF 57 ??}
condition:
$a
}
rule maldoc_find_kernel32_base_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
$a2 = {64 A1 30 00 00 00}
condition:
any of them
}
rule maldoc_find_kernel32_base_method_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {31 ?? ?? 30 64 8B ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
rule maldoc_find_kernel32_base_method_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
condition:
for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
rule maldoc_getEIP_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
$a
}
rule maldoc_getEIP_method_4
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
$a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
any of them
}
rule maldoc_OLE_file_magic_number
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {D0 CF 11 E0}
condition:
$a
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule maldoc_suspicious_strings
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a01 = "CloseHandle"
$a02 = "CreateFile"
$a03 = "GetProcAddr"
$a04 = "GetSystemDirectory"
$a05 = "GetTempPath"
$a06 = "GetWindowsDirectory"
$a07 = "IsBadReadPtr"
$a08 = "IsBadWritePtr"
$a09 = "LoadLibrary"
$a10 = "ReadFile"
$a11 = "SetFilePointer"
$a12 = "ShellExecute"
$a13 = "UrlDownloadToFile"
$a14 = "VirtualAlloc"
$a15 = "WinExec"
$a16 = "WriteFile"
condition:
any of them
}
*/
rule mwi_document : exploitdoc
{
meta:
description = "MWI generated document"
author = "@Ydklijnsma"
source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
strings:
$field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
$mwistat_url = ".php?id="
$field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
condition:
all of them
}
rule macrocheck
{
meta:
Author = "Fireeye Labs"
Date = "2014/11/30"
Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
strings:
$PARAMpword = "pword=" ascii wide
$PARAMmsg = "msg=" ascii wide
$PARAMuname = "uname=" ascii
$userform = "UserForm" ascii wide
$userloginform = "UserLoginForm" ascii wide
$invalid = "Invalid username or password" ascii wide
$up1 = "uploadPOST" ascii wide
$up2 = "postUpload" ascii wide
condition:
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
rule office_document_vba
{
meta:
description = "Office document with embedded VBA"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-12-17"
reference = "https://github.com/jipegit/"
strings:
$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
$zipmagic = "PK"
$97str1 = "_VBA_PROJECT_CUR" wide
$97str2 = "VBAProject"
$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
$xmlstr1 = "vbaProject.bin"
$xmlstr2 = "vbaData.xml"
condition:
($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}
rule Office_AutoOpen_Macro {
meta:
description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
author = "Florian Roth"
date = "2015-05-28"
score = 60
hash1 = "4d00695d5011427efc33c9722c61ced2"
hash2 = "63f6b20cb39630b13c14823874bd3743"
hash3 = "66e67c2d84af85a569a04042141164e6"
hash4 = "a3035716fe9173703941876c2bde9d98"
hash5 = "7c06cab49b9332962625b16f15708345"
hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
hash7 = "25285b8fe2c41bd54079c92c1b761381"
strings:
$s1 = "AutoOpen" ascii fullword
$s2 = "Macros" wide fullword
condition:
uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
}
rule Embedded_EXE_Cloaking {
meta:
description = "Detects an embedded executable in a non-executable file"
author = "Florian Roth"
date = "2015/02/27"
score = 80
strings:
$noex_png = { 89 50 4E 47 }
$noex_pdf = { 25 50 44 46 }
$noex_rtf = { 7B 5C 72 74 66 31 }
$noex_jpg = { FF D8 FF E0 }
$noex_gif = { 47 49 46 38 }
$mz = { 4D 5A }
$a1 = "This program cannot be run in DOS mode"
$a2 = "This program must be run under Win32"
condition:
(
( $noex_png at 0 ) or
( $noex_pdf at 0 ) or
( $noex_rtf at 0 ) or
( $noex_jpg at 0 ) or
( $noex_gif at 0 )
)
and
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule maldoc_API_hashing
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
$a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
condition:
any of them
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule maldoc_function_prolog_signature
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {55 8B EC 81 EC}
$a2 = {55 8B EC 83 C4}
$a3 = {55 8B EC E8}
$a4 = {55 8B EC E9}
$a5 = {55 8B EC EB}
condition:
any of them
}
*/
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule maldoc_structured_exception_handling
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
$a2 = {64 A1 00 00 00 00}
condition:
any of them
}
*/
rule maldoc_indirect_function_call_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF 75 ?? FF 55 ??}
condition:
for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
rule maldoc_indirect_function_call_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
rule maldoc_indirect_function_call_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B7 ?? ?? ?? ?? FF 57 ??}
condition:
$a
}
rule maldoc_find_kernel32_base_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
$a2 = {64 A1 30 00 00 00}
condition:
any of them
}
rule maldoc_find_kernel32_base_method_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {31 ?? ?? 30 64 8B ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
rule maldoc_find_kernel32_base_method_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
condition:
for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
rule maldoc_getEIP_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
$a
}
rule maldoc_getEIP_method_4
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
$a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
any of them
}
rule maldoc_OLE_file_magic_number
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {D0 CF 11 E0}
condition:
$a
}
// 20150909 - Issue #39 - Commented because of High FP rate
/*
rule maldoc_suspicious_strings
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a01 = "CloseHandle"
$a02 = "CreateFile"
$a03 = "GetProcAddr"
$a04 = "GetSystemDirectory"
$a05 = "GetTempPath"
$a06 = "GetWindowsDirectory"
$a07 = "IsBadReadPtr"
$a08 = "IsBadWritePtr"
$a09 = "LoadLibrary"
$a10 = "ReadFile"
$a11 = "SetFilePointer"
$a12 = "ShellExecute"
$a13 = "UrlDownloadToFile"
$a14 = "VirtualAlloc"
$a15 = "WinExec"
$a16 = "WriteFile"
condition:
any of them
}
*/
rule mwi_document : exploitdoc
{
meta:
description = "MWI generated document"
author = "@Ydklijnsma"
source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
strings:
$field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
$mwistat_url = ".php?id="
$field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
condition:
all of them
}
rule macrocheck
{
meta:
Author = "Fireeye Labs"
Date = "2014/11/30"
Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
strings:
$PARAMpword = "pword=" ascii wide
$PARAMmsg = "msg=" ascii wide
$PARAMuname = "uname=" ascii
$userform = "UserForm" ascii wide
$userloginform = "UserLoginForm" ascii wide
$invalid = "Invalid username or password" ascii wide
$up1 = "uploadPOST" ascii wide
$up2 = "postUpload" ascii wide
condition:
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
rule office_document_vba
{
meta:
description = "Office document with embedded VBA"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-12-17"
reference = "https://github.com/jipegit/"
strings:
$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
$zipmagic = "PK"
$97str1 = "_VBA_PROJECT_CUR" wide
$97str2 = "VBAProject"
$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
$xmlstr1 = "vbaProject.bin"
$xmlstr2 = "vbaData.xml"
condition:
($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}
rule Office_AutoOpen_Macro {
meta:
description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
author = "Florian Roth"
date = "2015-05-28"
score = 60
hash1 = "4d00695d5011427efc33c9722c61ced2"
hash2 = "63f6b20cb39630b13c14823874bd3743"
hash3 = "66e67c2d84af85a569a04042141164e6"
hash4 = "a3035716fe9173703941876c2bde9d98"
hash5 = "7c06cab49b9332962625b16f15708345"
hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
hash7 = "25285b8fe2c41bd54079c92c1b761381"
strings:
$s1 = "AutoOpen" ascii fullword
$s2 = "Macros" wide fullword
condition:
uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
}
rule Embedded_EXE_Cloaking {
meta:
description = "Detects an embedded executable in a non-executable file"
author = "Florian Roth"
date = "2015/02/27"
score = 80
strings:
$noex_png = { 89 50 4E 47 }
$noex_pdf = { 25 50 44 46 }
$noex_rtf = { 7B 5C 72 74 66 31 }
$noex_jpg = { FF D8 FF E0 }
$noex_gif = { 47 49 46 38 }
$mz = { 4D 5A }
$a1 = "This program cannot be run in DOS mode"
$a2 = "This program must be run under Win32"
condition:
(
( $noex_png at 0 ) or
( $noex_pdf at 0 ) or
( $noex_rtf at 0 ) or
( $noex_jpg at 0 ) or
( $noex_gif at 0 )
)
and
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
}
rule malicious_author : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 5
strings:
$magic = { 25 50 44 46 }
$reg0 = /Creator.?\(yen vaw\)/
$reg1 = /Title.?\(who cis\)/
$reg2 = /Author.?\(ser pes\)/
condition:
$magic at 0 and all of ($reg*)
}
rule suspicious_version : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 3
strings:
$magic = { 25 50 44 46 }
$ver = /%PDF-1.\d{1}/
condition:
$magic at 0 and not $ver
}
rule suspicious_creation : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 2
strings:
$magic = { 25 50 44 46 }
$header = /%PDF-1\.(3|4|6)/
$create0 = /CreationDate \(D:20101015142358\)/
$create1 = /CreationDate \(2008312053854\)/
condition:
$magic at 0 and $header and 1 of ($create*)
}
rule suspicious_title : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 4
strings:
$magic = { 25 50 44 46 }
$header = /%PDF-1\.(3|4|6)/
$title0 = "who cis"
$title1 = "P66N7FF"
$title2 = "Fohcirya"
condition:
$magic at 0 and $header and 1 of ($title*)
}
rule suspicious_author : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 4
strings:
$magic = { 25 50 44 46 }
$header = /%PDF-1\.(3|4|6)/
$author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
$author1 = "ser pes"
$author2 = "Miekiemoes"
$author3 = "Nsarkolke"
condition:
$magic at 0 and $header and 1 of ($author*)
}
rule suspicious_producer : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 2
strings:
$magic = { 25 50 44 46 }
$header = /%PDF-1\.(3|4|6)/
$producer0 = /Producer \(Scribus PDF Library/
$producer1 = "Notepad"
condition:
$magic at 0 and $header and 1 of ($producer*)
}
rule suspicious_creator : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 3
strings:
$magic = { 25 50 44 46 }
$header = /%PDF-1\.(3|4|6)/
$creator0 = "yen vaw"
$creator1 = "Scribus"
$creator2 = "Viraciregavi"
condition:
$magic at 0 and $header and 1 of ($creator*)
}
rule possible_exploit : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 3
strings:
$magic = { 25 50 44 46 }
$attrib0 = /\/JavaScript /
$attrib3 = /\/ASCIIHexDecode/
$attrib4 = /\/ASCII85Decode/
$action0 = /\/Action/
$action1 = "Array"
$shell = "A"
$cond0 = "unescape"
$cond1 = "String.fromCharCode"
$nop = "%u9090%u9090"
condition:
$magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
}
rule shellcode_blob_metadata : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
weight = 4
strings:
$magic = { 25 50 44 46 }
$reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
$reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
$reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
$reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
$reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
$reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
condition:
$magic at 0 and 1 of ($reg*)
}
rule multiple_filtering : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.2"
weight = 3
strings:
$magic = { 25 50 44 46 }
$attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
condition:
$magic at 0 and $attrib
}
rule suspicious_js : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 3
strings:
$magic = { 25 50 44 46 }
$attrib0 = /\/OpenAction /
$attrib1 = /\/JavaScript /
$js0 = "eval"
$js1 = "Array"
$js2 = "String.fromCharCode"
condition:
$magic at 0 and all of ($attrib*) and 2 of ($js*)
}
rule suspicious_launch_action : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 2
strings:
$magic = { 25 50 44 46 }
$attrib0 = /\/Launch/
$attrib1 = /\/URL /
$attrib2 = /\/Action/
$attrib3 = /\/F /
condition:
$magic at 0 and 3 of ($attrib*)
}
rule suspicious_embed : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
weight = 2
strings:
$magic = { 25 50 44 46 }
$meth0 = /\/Launch/
$meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
$attrib0 = /\/URL /
$attrib1 = /\/Action/
$attrib2 = /\/Filespec/
condition:
$magic at 0 and 1 of ($meth*) and 2 of ($attrib*)
}
rule suspicious_obfuscation : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 2
strings:
$magic = { 25 50 44 46 }
$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
condition:
$magic at 0 and #reg > 5
}
rule invalid_XObject_js : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "XObject's require v1.4+"
ref = "https://blogs.adobe.com/ReferenceXObjects/"
version = "0.1"
weight = 2
strings:
$magic = { 25 50 44 46 }
$ver = /%PDF-1\.[4-9]/
$attrib0 = /\/XObject/
$attrib1 = /\/JavaScript/
condition:
$magic at 0 and not $ver and all of ($attrib*)
}
rule invalid_trailer_structure : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
weight = 1
strings:
$magic = { 25 50 44 46 }
// Required for a valid PDF
$reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
$reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
condition:
$magic at 0 and not $reg0 and not $reg1
}
rule multiple_versions : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"
weight = 0
strings:
$magic = { 25 50 44 46 }
$s0 = "trailer"
$s1 = "%%EOF"
condition:
$magic at 0 and #s0 > 1 and #s1 > 1
}
rule js_wrong_version : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "JavaScript was introduced in v1.3"
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
version = "0.1"
weight = 2
strings:
$magic = { 25 50 44 46 }
$js = /\/JavaScript/
$ver = /%PDF-1\.[3-9]/
condition:
$magic at 0 and $js and not $ver
}
rule JBIG2_wrong_version : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "JBIG2 was introduced in v1.4"
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
version = "0.1"
weight = 1
strings:
$magic = { 25 50 44 46 }
$js = /\/JBIG2Decode/
$ver = /%PDF-1\.[4-9]/
condition:
$magic at 0 and $js and not $ver
}
rule FlateDecode_wrong_version : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "Flate was introduced in v1.2"
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
version = "0.1"
weight = 1
strings:
$magic = { 25 50 44 46 }
$js = /\/FlateDecode/
$ver = /%PDF-1\.[2-9]/
condition:
$magic at 0 and $js and not $ver
}
rule embed_wrong_version : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "EmbeddedFiles were introduced in v1.3"
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
version = "0.1"
weight = 1
strings:
$magic = { 25 50 44 46 }
$embed = /\/EmbeddedFiles/
$ver = /%PDF-1\.[3-9]/
condition:
$magic at 0 and $embed and not $ver
}
rule invalid_xref_numbers : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
description = "The first entry in a cross-reference table is always free and has a generation number of 65,535"
notes = "This can be also be in a stream..."
weight = 1
strings:
$magic = { 25 50 44 46 }
$reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
$reg1 = /endstream.*?\r?\n?endobj.*?\r?\n?startxref/
condition:
$magic at 0 and not $reg0 and not $reg1
}
rule js_splitting : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
description = "These are commonly used to split up JS code"
weight = 2
strings:
$magic = { 25 50 44 46 }
$js = /\/JavaScript/
$s0 = "getAnnots"
$s1 = "getPageNumWords"
$s2 = "getPageNthWord"
$s3 = "this.info"
condition:
$magic at 0 and $js and 1 of ($s*)
}
rule header_evasion : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
description = "3.4.1, 'File Header' of Appendix H states that ' Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.' Therefore, if you see this trigger then any other rule looking to match the magic at 0 won't be applicable"
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
version = "0.1"
weight = 3
strings:
$magic = { 25 50 44 46 }
condition:
$magic in (5..1024) and #magic == 1
}
rule BlackHole_v2 : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
weight = 3
strings:
$magic = { 25 50 44 46 }
$content = "Index[5 1 7 1 9 4 23 4 50"
condition:
$magic at 0 and $content
}
rule XDP_embedded_PDF : PDF
{
meta:
author = "Glenn Edwards (@hiddenillusion)"
version = "0.1"
ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
weight = 1
strings:
$s1 = "<pdf xmlns="
$s2 = "<chunk>"
$s3 = "</pdf>"
$header0 = "%PDF"
$header1 = "JVBERi0"
condition:
all of ($s*) and 1 of ($header*)
}
\ No newline at end of file
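Review bot: The condition of `possible_exploit` (`$magic at 0 and (2 of ($attrib*)) or (...) or (...)`) has a precedence defect: in YARA `and` binds tighter than `or`, so the `$magic at 0` gate only covers the first alternative, and the second and third alternatives evaluate on any file regardless of the PDF magic. Since `$shell = "A"` with `#shell > 10` is satisfied by almost any non-trivial file, the second alternative reduces to "contains `/Action` and `unescape` or `String.fromCharCode`", which is a clear false-positive source on non-PDF content. Wrap the alternatives so the magic check gates all of them: `$magic at 0 and ((2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop))`. Smaller points in the same section: `$ver = /%PDF-1.\d{1}/` in `suspicious_version` leaves the `.` unescaped while every other `$header`/`$ver` pattern uses `\.`, and the trailing `\.*` in `$reg0` of `invalid_trailer_structure` matches a run of literal dots rather than any characters and looks like a typo for `.*`. If the `maldoc_*` and other rules at the top of this file are also defined in another ruleset of the repository, compiling both together will fail on duplicate rule identifiers; that cannot be confirmed from this page.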