Create Maldoc_malrtf_ole2link.yar

ff9ae90a · mmorenog · GitHub · 35dde116 · ff9ae90a
Commit ff9ae90a authored Apr 21, 2017 by mmorenog Committed by GitHub Apr 21, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 0 deletions

Maldoc_malrtf_ole2link.yar Malicious_Documents/Maldoc_malrtf_ole2link.yar +41 -0

No files found.
--- a/Malicious_Documents/Maldoc_malrtf_ole2link.yar
+++ b/Malicious_Documents/Maldoc_malrtf_ole2link.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+rule malrtf_ole2link : exploit
+{
+	meta:
+		author = "@h3x2b <tracker _AT h3x.eu>"
+		description = "Detect weaponized RTF documents with OLE2Link exploit"
+	strings:
+		//normal rtf beginning
+		$rtf_format_00 = "{\\rtf1"
+		//malformed rtf can have for example {\\rtA1
+		$rtf_format_01 = "{\\rt"
+		//having objdata structure
+		$rtf_olelink_01 = "\\objdata" nocase
+		//hex encoded OLE2Link
+		$rtf_olelink_02 = "4f4c45324c696e6b" nocase
+		//hex encoded docfile magic - doc file albilae
+		$rtf_olelink_03 = "d0cf11e0a1b11ae1" nocase
+		//hex encoded "http://"
+		$rtf_payload_01 = "68007400740070003a002f002f00" nocase
+		//hex encoded "https://"
+		$rtf_payload_02 = "680074007400700073003a002f002f00" nocase
+		//hex encoded "ftp://"
+		$rtf_payload_03 = "6600740070003a002f002f00" nocase
+	condition:
+		//new_file and
+		any of ($rtf_format_*)
+		and all of ($rtf_olelink_*)
+		and any of ($rtf_payload_*)
+}