/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule content : mail { meta: author = "A.Sanchez <asanchez@koodous.com>" description = "Detects scam emails with phishing attachment." test1 = "email/eml/transferencia1.eml" test2 = "email/eml/transferencia2.eml" strings: $subject = "Asunto: Justificante de transferencia" nocase $body = "Adjunto justificante de transferencia" condition: all of them } rule attachment : mail { meta: author = "A.Sanchez <asanchez@koodous.com>" description = "Detects scam emails with phishing attachment." test1 = "email/eml/transferencia1.eml" test2 = "email/eml/transferencia2.eml" strings: $filename = "filename=\"scan001.pdf.html\"" $pleaseEnter = "NTAlNkMlNjUlNjElNzMlNjUlMjAlNjUlNkUlNzQlNjUlNzIlMjAlN" // Please enter $emailReq = "NkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUlNzglMzIlMkUlNDUlNkQlNjElNjklNkMlM0I" // ment.index2.Email; $pAssign = "NzAlMjAlM0QlMjAlNjQlNkYlNjMlNzUlNkQlNjUlNkUlNzQlMkUlNjklNkUlNjQlNjUl" // p = document.inde condition: all of them }