Merge pull request #15 from Yara-Rules/mmorenog-patch-5

Update malicious_document.yar

malicious_document.yar

@@ -155,3 +155,19 @@ rule maldoc_suspicious_strings
     condition:
         any of them
 }
+
+rule mwi_document : exploitdoc
+{
+    meta:
+        description = "MWI generated document"
+        author = "@Ydklijnsma"
+        source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
+
+      strings:
+        $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
+        $mwistat_url = ".php?id="
+        $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
+
+    condition:
+        all of them
+}