PyPI - pdfalyzer - Versions diffs - 1.16.6__py3-none-any.whl → 1.16.7__py3-none-any.whl - Mend

pdfalyzer 1.16.6py3-none-any.whl → 1.16.7py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pdfalyzer might be problematic. Click here for more details.

Files changed (11) hide show

CHANGELOG.md +5 -0
pdfalyzer/detection/yaralyzer_helper.py +19 -15
pdfalyzer/yara_rules/PDF.yara +898 -177
pdfalyzer/yara_rules/PDF_binary_stream.yara +1 -3
pdfalyzer/yara_rules/didier_stevens.yara +248 -0
pdfalyzer/yara_rules/pdf_malware.yara +2996 -0
{pdfalyzer-1.16.6.dist-info → pdfalyzer-1.16.7.dist-info}/METADATA +5 -7
{pdfalyzer-1.16.6.dist-info → pdfalyzer-1.16.7.dist-info}/RECORD +11 -9
{pdfalyzer-1.16.6.dist-info → pdfalyzer-1.16.7.dist-info}/LICENSE +0 -0
{pdfalyzer-1.16.6.dist-info → pdfalyzer-1.16.7.dist-info}/WHEEL +0 -0
{pdfalyzer-1.16.6.dist-info → pdfalyzer-1.16.7.dist-info}/entry_points.txt +0 -0

pdfalyzer/yara_rules/PDF.yara CHANGED Viewed

@@ -1,4 +1,6 @@
+import "hash"
 import "math"
+import "pe"
 // rule pdf: PDF
@@ -19,8 +21,7 @@ import "math"
 // }
-rule Cobaltgang_PDF_Metadata_Rev_A
-{
+rule Cobaltgang_PDF_Metadata_Rev_A {
    meta:
         description = "Find documents saved from the same potential Cobalt Gang PDF template"
         author = "Palo Alto Networks Unit 42"
@@ -33,8 +34,7 @@ rule Cobaltgang_PDF_Metadata_Rev_A
 }
-rule PDF_Embedded_Exe : PDF
-{
+rule PDF_Embedded_Exe : PDF {
 	meta:
 		ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar"
 	strings:
@@ -53,7 +53,6 @@ rule SUSP_Bad_PDF {
         reference = "Internal Research"
         date = "2018-05-03"
         hash1 = "d8c502da8a2b8d1c67cb5d61428f273e989424f319cfe805541304bdb7b921a8"
    strings:
         $s1 = "         /F (http//" ascii
         $s2 = "        /F (\\\\\\\\" ascii
@@ -63,8 +62,7 @@ rule SUSP_Bad_PDF {
 }
-rule malicious_author : PDF
-{
+rule malicious_author : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -80,8 +78,7 @@ rule malicious_author : PDF
 }
-rule suspicious_version : PDF
-{
+rule suspicious_version : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -95,8 +92,7 @@ rule suspicious_version : PDF
 }
-rule suspicious_creation : PDF
-{
+rule suspicious_creation : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -112,8 +108,7 @@ rule suspicious_creation : PDF
 }
-rule suspicious_title : PDF
-{
+rule suspicious_title : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -131,8 +126,7 @@ rule suspicious_title : PDF
 }
-rule suspicious_author : PDF
-{
+rule suspicious_author : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -150,8 +144,7 @@ rule suspicious_author : PDF
 }
-rule suspicious_producer : PDF
-{
+rule suspicious_producer : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -168,17 +161,14 @@ rule suspicious_producer : PDF
 }
-rule suspicious_creator : PDF
-{
+rule suspicious_creator : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
 		weight = 3
 	strings:
 		$magic = { 25 50 44 46 }
 		$header = /%PDF-1\.(3|4|6)/
 		$creator0 = "yen vaw"
 		$creator1 = "Scribus"
 		$creator2 = "Viraciregavi"
@@ -187,40 +177,12 @@ rule suspicious_creator : PDF
 }
-rule possible_exploit : PDF
-{
-	meta:
-		author = "Glenn Edwards (@hiddenillusion)"
-		version = "0.1"
-		weight = 3
-	strings:
-		$magic = { 25 50 44 46 }
-		$attrib0 = /\/JavaScript /
-		$attrib3 = /\/ASCIIHexDecode/
-		$attrib4 = /\/ASCII85Decode/
-		$action0 = /\/Action/
-		$action1 = "Array"
-		$shell = "A"
-		$cond0 = "unescape"
-		$cond1 = "String.fromCharCode"
-		$nop = "%u9090%u9090"
-	condition:
-		$magic in (0..1024) and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
-}
-rule shellcode_blob_metadata : PDF
-{
+rule shellcode_blob_metadata : PDF {
     meta:
         author = "Glenn Edwards (@hiddenillusion)"
         version = "0.1"
         description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
         weight = 4
     strings:
         $magic = { 25 50 44 46 }
         $reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
@@ -233,13 +195,12 @@ rule shellcode_blob_metadata : PDF
         $magic in (0..1024) and 1 of ($reg*)
 }
-rule multiple_filtering : PDF
-{
+rule multiple_filtering : PDF {
     meta:
         author = "Glenn Edwards (@hiddenillusion)"
         version = "0.2"
         weight = 3
     strings:
         $magic = { 25 50 44 46 }
         $attrib = /\/Filter.*?(\/ASCIIHexDecode\W+?|\/LZWDecode\W+?|\/ASCII85Decode\W+?|\/FlateDecode\W+?|\/RunLengthDecode){2}?/
@@ -248,32 +209,12 @@ rule multiple_filtering : PDF
         $magic in (0..1024) and $attrib
 }
-rule suspicious_js : PDF
-{
-	meta:
-		author = "Glenn Edwards (@hiddenillusion)"
-		version = "0.1"
-		weight = 3
-	strings:
-		$magic = { 25 50 44 46 }
-		$attrib0 = /\/OpenAction /
-		$attrib1 = /\/JavaScript /
-		$js0 = "eval"
-		$js1 = "Array"
-		$js2 = "String.fromCharCode"
-	condition:
-		$magic in (0..1024) and all of ($attrib*) and 2 of ($js*)
-}
-rule suspicious_launch_action : PDF
-{
+rule suspicious_launch_action : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
 		weight = 2
 	strings:
 		$magic = { 25 50 44 46 }
 		$attrib0 = /\/Launch/
@@ -285,8 +226,7 @@ rule suspicious_launch_action : PDF
 }
-rule suspicious_embed : PDF
-{
+rule suspicious_embed : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -294,7 +234,6 @@ rule suspicious_embed : PDF
 		weight = 2
 	strings:
 		$magic = { 25 50 44 46 }
 		$meth0 = /\/Launch/
 		$meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
 		$attrib0 = /\/URL /
@@ -305,13 +244,11 @@ rule suspicious_embed : PDF
 }
-rule suspicious_obfuscation : PDF
-{
+rule suspicious_obfuscation : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
 		weight = 2
 	strings:
 		$magic = { 25 50 44 46 }
 		$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
@@ -320,8 +257,7 @@ rule suspicious_obfuscation : PDF
 }
-rule invalid_XObject_js : PDF
-{
+rule invalid_XObject_js : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		description = "XObject's require v1.4+"
@@ -331,7 +267,6 @@ rule invalid_XObject_js : PDF
 	strings:
 		$magic = { 25 50 44 46 }
 		$ver = /%PDF-1\.[4-9]/
 		$attrib0 = /\/XObject/
 		$attrib1 = /\/JavaScript/
 	condition:
@@ -339,13 +274,11 @@ rule invalid_XObject_js : PDF
 }
-rule invalid_trailer_structure : PDF
-{
+rule invalid_trailer_structure : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion), @malvidin"
 		version = "0.2"
 		weight = 1
     strings:
 		$magic = "%PDF"  // Required for a valid PDF
 		$reg0 = /trailer[ \r\n]*<<.{0,1000}\/Size\b/s
@@ -355,8 +288,7 @@ rule invalid_trailer_structure : PDF
 }
-rule multiple_versions : PDF
-{
+rule multiple_versions : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -372,15 +304,13 @@ rule multiple_versions : PDF
 }
-rule js_wrong_version : PDF
-{
+rule js_wrong_version : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		description = "JavaScript was introduced in v1.3"
 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
 		version = "0.1"
 		weight = 2
     strings:
         $magic = { 25 50 44 46 }
         $js = /\/JavaScript/
@@ -390,8 +320,7 @@ rule js_wrong_version : PDF
 }
-rule JBIG2_wrong_version : PDF
-{
+rule JBIG2_wrong_version : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		description = "JBIG2 was introduced in v1.4"
@@ -408,8 +337,7 @@ rule JBIG2_wrong_version : PDF
 }
-rule FlateDecode_wrong_version : PDF
-{
+rule FlateDecode_wrong_version : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		description = "Flate was introduced in v1.2"
@@ -426,15 +354,13 @@ rule FlateDecode_wrong_version : PDF
 }
-rule embed_wrong_version : PDF
-{
+rule embed_wrong_version : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		description = "EmbeddedFiles were introduced in v1.3"
 		ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
 		version = "0.1"
 		weight = 1
     strings:
         $magic = { 25 50 44 46 }
         $embed = /\/EmbeddedFiles/
@@ -444,8 +370,7 @@ rule embed_wrong_version : PDF
 }
-rule invalid_xref_numbers : PDF
-{
+rule invalid_xref_numbers : PDF {
     meta:
         author = "Glenn Edwards (@hiddenillusion)"
         version = "0.1"
@@ -462,14 +387,12 @@ rule invalid_xref_numbers : PDF
 }
-rule js_splitting : PDF
-{
+rule js_splitting : PDF {
     meta:
         author = "Glenn Edwards (@hiddenillusion)"
         version = "0.1"
         description = "These are commonly used to split up JS code"
         weight = 2
     strings:
         $magic = { 25 50 44 46 }
         $js = /\/JavaScript/
@@ -482,8 +405,7 @@ rule js_splitting : PDF
 }
-rule header_evasion : PDF
-{
+rule header_evasion : PDF {
     meta:
             author = "Glenn Edwards (@hiddenillusion)"
             description = "3.4.1, 'File Header' of Appendix H states that ' Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.'  Therefore, if you see this trigger then any other rule looking to match the magic at 0 won't be applicable"
@@ -498,8 +420,7 @@ rule header_evasion : PDF
 }
-rule BlackHole_v2 : PDF
-{
+rule BlackHole_v2 : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -547,8 +468,7 @@ rule blackhole2_pdf : EK PDF{
         18 of them
 }
-rule XDP_embedded_PDF : PDF
-{
+rule XDP_embedded_PDF : PDF {
 	meta:
 		author = "Glenn Edwards (@hiddenillusion)"
 		version = "0.1"
@@ -564,27 +484,12 @@ rule XDP_embedded_PDF : PDF
 		all of ($s*) and 1 of ($header*)
 }
-// rule pdfjs_hunter
-// {
-//     strings:
-//         $pdf_header = "%PDF"
-//     condition:
-//         new_file and
-//         (
-//             file_type contains "pdf" or
-//             $pdf_header in (0..1024)
-//         )
-//         and tags contains "js-embedded"
-// }
-rule PDF_Document_with_Embedded_IQY_File
-{
+rule PDF_Document_with_Embedded_IQY_File {
     meta:
         Author = "InQuest Labs"
         Description = "This signature detects IQY files embedded within PDF documents which use a JavaScript OpenAction object to run the IQY."
         Reference = "https://blog.inquest.net"
     strings:
         $pdf_magic = "%PDF"
         $efile = /<<\/JavaScript [^\x3e]+\/EmbeddedFile/
@@ -629,29 +534,13 @@ rule PDF_Document_with_Embedded_IQY_File
       $pdf_magic in (0..60)  and all of them
 }
-// rule malpdf_hunter
-// {
-//     strings:
-//         $pdf_header = "%PDF"
-//         $encrypted  = "/Encrypt"
-//     condition:
-//         new_file and
-//         (
-//             file_type contains "pdf" or
-//             $pdf_header in (0..1024)
-//         )
-//         and (positives > 0 or $encrypted)
-// }
-rule Base64_Encoded_Powershell_Directives
-{
+rule Base64_Encoded_Powershell_Directives {
     meta:
         Author      = "InQuest Labs"
         Reference   = "https://inquest.net/blog/2019/07/19/base64-encoded-powershell-pivots"
         Samples     = "https://github.com/InQuest/malware-samples/tree/master/2019-07-Base64-Encoded-Powershell-Directives"
         Description = "This signature detects base64 encoded Powershell directives."
     strings:
         // Copy-Item
         $enc01 = /(Q\x32\x39weS\x31JdGVt[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Db\x33B\x35LUl\x30ZW[\x30-\x33]|[\x2b\x2f-\x39A-Za-z][\x30EUk]NvcHktSXRlb[Q-Za-f])/
@@ -692,27 +581,6 @@ rule Base64_Encoded_Powershell_Directives
 }
-// any office or PDF documents with a phishing hit.
-// rule phish_hunter
-// {
-//     strings:
-//         $pdf_header = "%PDF"
-//     condition:
-//         new_file and
-//         (
-//             file_type contains "office" or
-//             file_type contains "pdf"    or
-//             tags      contains "office" or
-//             tags      contains "pdf"    or
-//             $pdf_header in (0..1024)
-//         )
-//             and
-//         (
-//             signatures matches /phish/i
-//         )
-// }
 rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
     meta:
         description = "Detects PDF documents as used by BoomBox as described in APT29 NOBELIUM report"
@@ -729,7 +597,7 @@ rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
         $fp2 = "endstream" ascii
         $fp3 = { 20 6F 62 6A 0A } /*  obj\x0a */
     condition:
-        $ah1 at 0 and $af1 at (filesize - 7) and filesize < 100KB
+            $ah1 at 0 and $af1 at (filesize - 7) and filesize < 100KB
         and math.entropy(16, filesize) > 7
         and not 1 of ($fp*)
 }
@@ -768,14 +636,12 @@ rule PDF_Containing_JavaScript {
         labs_reference = "N/A"
         labs_pivot     = "N/A"
         samples        = "c82e29dcaed3c71e05449cb9463f3efb7114ea22b6f45b16e09eae32db9f5bef"
 	strings:
 		$pdf_tag1 = /\x25\x50\x44\x46\x2d/
 		$js_tag1  = "/JavaScript" fullword
 		$js_tag2  = "/JS"		  fullword
 	condition:
 		$pdf_tag1 in (0..1024) and ($js_tag1 or $js_tag2)
 }
@@ -789,7 +655,6 @@ rule JS_PDF_Data_Submission {
         labs_reference = "N/A"
         labs_pivot     = "N/A"
         samples        = "a0adbe66e11bdeaf880b81b41cd63964084084a413069389364c98da0c4d2a13"
 	strings:
         $pdf_header = "%PDF-"
         $js = /(\/JS|\/JavaScript)/ nocase
@@ -797,8 +662,8 @@ rule JS_PDF_Data_Submission {
         $inq_tail = "INQUEST-PP=pdfparser"
 	condition:
         ($pdf_header in (0..1024) or $inq_tail in (filesize-30..filesize))
-            and $js
-            and $a1
+        and $js
+        and $a1
 }
@@ -845,7 +710,6 @@ rule PDF_Launch_Function {
         labs_reference = "N/A"
         labs_pivot     = "N/A"
         samples        = "c2f2d1de6bf973b849725f1069c649ce594a907c1481566c0411faba40943ee5"
 	strings:
 		$pdf_header = "%PDF-"
 		$launch = "/Launch" nocase
@@ -923,12 +787,12 @@ example three:
 Multiple protocols supported for the /F include, both http and UNC.
 */
 rule NTLM_Credential_Theft_via_PDF {
     meta:
         Author      = "InQuest Labs"
         URL         = "https://github.com/InQuest/yara-rules"
         Description = "This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes."
     strings:
         // we have three regexes here so that we catch all possible orderings but still meet the requirement of all three parts.
         $badness1 = /\s*\/AA\s*<<\s*\/[OC]\s*<<((\s*\/\D\s*\[[^\]]+\])(\s*\/S\s*\/GoTo[ER])|(\s*\/S\s*\/GoTo[ER])(\s*\/\D\s*\[[^\]]+\]))\s*\/F\s*\((\\\\\\\\[a-z0-9]+\.[^\\]+\\\\[a-z0-9]+|https?:\/\/[^\)]+)\)/ nocase
@@ -939,8 +803,7 @@ rule NTLM_Credential_Theft_via_PDF {
 }
-rule PDF_with_Launch_Action_Function
-{
+rule PDF_with_Launch_Action_Function {
     meta:
         author         = "InQuest Labs"
         description    = "This signature detects the launch function within a PDF file. This function allows the document author to attach an executable file."
@@ -950,7 +813,6 @@ rule PDF_with_Launch_Action_Function
         labs_reference = "N/A"
         labs_pivot     = "N/A"
         samples        = "a9fbb50dedfd84e1f4a3507d45b1b16baa43123f5ae98dae6aa9a5bebeb956a8"
 	strings:
 		$pdf_header = "%PDF-"
 		$a = "<</S/Launch/Type/Action/Win<</F"
@@ -959,8 +821,7 @@ rule PDF_with_Launch_Action_Function
 }
-rule PDF_JS_guillemet_close_in_Adobe_Type1_font
-{
+rule PDF_JS_guillemet_close_in_Adobe_Type1_font {
     meta:
         author             = "Michel de Cryptadamus"
         description        = "Found in a PDF that caused a security breach. Exact mechanism unknown but /F means URL, JS is JS, backticks are backticks, and bb is the closing guillemet quote (the one used in PDF docs to close objects). Taken together the sequence is basically shorthand PDF speak for \"close the PDF object prematurely\"."
@@ -970,7 +831,6 @@ rule PDF_JS_guillemet_close_in_Adobe_Type1_font
         breach_description = "https://cryptadamus.substack.com/p/the-hack-at-the-end-of-the-universe"
         samples            = "61d47fbfe855446d77c7da74b0b3d23dbcee4e4e48065a397bbf09a7988f596e"
         in_the_wild        = true
 	strings:
         // "/FJS`\xbb`"
 		$url_js_backtick_close_obj = {2F 46 4A 53 60 BB 60}
@@ -1083,3 +943,864 @@ rule GIFTEDCROOK {
         uint32(0) == 0x25504446 and
         any of them
 }
+rule PK_AdobePDF_hse : Adobe {
+    meta:
+        description = "Phishing Kit impersonating Adobe PDF online"
+        licence = "GPL-3.0"
+        author = "Thomas 'tAd' Damonneville"
+        date = "2021-07-25"
+        comment = "Phishing Kit - Adobe PDF Online - 'Hades Silent Exploits'"
+    strings:
+        // the zipfile working on
+        $zip_file = { 50 4b 03 04 }
+        // specific directory found in PhishingKit
+        $spec_dir = "adobe"
+        // specific file found in PhishingKit
+        $spec_file = "index.php"
+        $spec_file2 = "login.php"
+        $spec_file3 = "logg.html"
+    condition:
+        // look for the ZIP header
+        uint32(0) == 0x04034b50 and
+        // make sure we have a local file header
+        $zip_file and
+        $spec_dir and
+        // check for file
+        all of ($spec_file*)
+}
+rule PK_AdobePDF_antenna : Adobe {
+    meta:
+        description = "Phishing Kit impersonating Adobe PDF Online"
+        licence = "AGPL-3.0"
+        author = "Thomas 'tAd' Damonneville"
+        reference = ""
+        date = "2024-04-15"
+        comment = "Phishing Kit - Adobe PDF Online - contain antenna.css file"
+    strings:
+        // the zipfile working on
+        $zip_file = { 50 4b 03 04 }
+        // specific directory found in PhishingKit
+        $spec_dir = "core"
+        // specific file found in PhishingKit
+        $spec_file = "antenna.css"
+        $spec_file2 = "screenshot_23.png"
+        $spec_file3 = "fx.js"
+        $spec_file4 = "post.php"
+        $spec_file5 = "22222222222.png"
+        $spec_file6 = "gh-adobe-impersonation-scam-loginwindow.png"
+    condition:
+        // look for the ZIP header
+        uint32(0) == 0x04034b50 and
+        // make sure we have a local file header
+        $zip_file and
+        all of ($spec_dir*) and
+        // check for file
+        all of ($spec_file*)
+}
+rule PK_AdobePDF_dotloop : Adobe {
+    meta:
+        description = "Phishing Kit impersonating Adobe PDF Online"
+        licence = "AGPL-3.0"
+        author = "Thomas 'tAd' Damonneville"
+        date = "2024-08-28"
+        comment = "Phishing Kit - Adobe PDF Online - 'From: Dotloop'"
+    strings:
+        // the zipfile working on
+        $zip_file = { 50 4b 03 04 }
+        // specific directory found in PhishingKit
+        $spec_dir = "asset"
+        // specific file found in PhishingKit
+        $spec_file = "signin.php"
+        $spec_file2 = "contract.jpg"
+        $spec_file3 = "Microsoft_Edge_logo_(2019).svg.png"
+        $spec_file4 = "KYC-ENG (confidential).pdf"
+    condition:
+        // look for the ZIP header
+        uint32(0) == 0x04034b50 and
+        // make sure we have a local file header
+        $zip_file and
+        all of ($spec_dir*) and
+        // check for file
+        all of ($spec_file*)
+}
+rule APT_NGO_wuaclt_PDF{
+    meta:
+        author = "AlienVault Labs"
+        license = "GPL-2.0"
+        reference = "https://github.com/alankrit29/signature-base/blob/4f8c5d7e39ee5c369c42b89e765d552e5dbafb23/APT_NGO.yar#L30"
+    strings:
+        $pdf = "%PDF" nocase
+        $comment = {3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A}
+    condition:
+        $pdf at 0 and $comment in (0..200)
+}
+rule LokiBot_Dropper_ScanCopyPDF_Feb18 {
+   meta:
+      description = "Auto-generated rule - file Scan Copy.pdf.com (https://github.com/alankrit29/signature-base/blob/4f8c5d7e39ee5c369c42b89e765d552e5dbafb23/crime_loki_bot.yar)"
+      license = "https://creativecommons.org/licenses/by-nc/4.0/"
+      author = "Florian Roth"
+      reference = "https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5"
+      date = "2018-02-14"
+      hash1 = "6f8ff26a5daf47effdea5795cdadfff9265c93a0ebca0ce5a4144712f8cab5be"
+   strings:
+      $x1 = "Win32           Scan Copy.pdf   " fullword wide
+      $a1 = "C:\\Program Files (x86)\\Microsoft Visual Studio\\VB98\\VB6.OLB" fullword ascii
+      $s1 = "Compiling2.exe" fullword wide
+      $s2 = "Unstalled2" fullword ascii
+      $s3 = "Compiling.exe" fullword wide
+   condition:
+      uint16(0) == 0x5a4d and filesize < 1000KB and $x1 or
+      ( $a1 and 1 of ($s*) )
+}
+rule Docm_in_PDF {
+   meta:
+      description = "Detects an embedded DOCM in PDF combined with OpenAction"
+      license = "https://creativecommons.org/licenses/by-nc/4.0/"
+      author = "Florian Roth"
+      reference = "Internal Research https://github.com/alankrit29/signature-base/blob/4f8c5d7e39ee5c369c42b89e765d552e5dbafb23/general_officemacros.yar"
+      date = "2017-05-15"
+   strings:
+      $a1 = /<<\/Names\[\([\w]{1,12}.docm\)/ ascii
+      $a2 = "OpenAction" ascii fullword
+      $a3 = "JavaScript" ascii fullword
+   condition:
+      uint32(0) == 0x46445025 and all of them
+}
+rule HKTL_EmbeddedPDF {
+   meta:
+      description = "Detects Embedded PDFs which can start malicious content (https://github.com/alankrit29/signature-base/blob/4f8c5d7e39ee5c369c42b89e765d552e5dbafb23/thor-hacktools.yar#L4437)"
+      author = "Tobias Michalski"
+      reference = "https://twitter.com/infosecn1nja/status/1021399595899731968?s=12"
+      date = "2018-07-25"
+   strings:
+      $x1 = "/Type /Action\n /S /JavaScript\n /JS (this.exportDataObject({" fullword ascii
+      $s1 = "(This PDF document embeds file" fullword ascii
+      $s2 = "/Names << /EmbeddedFiles << /Names" fullword ascii
+      $s3 = "/Type /EmbeddedFile" fullword ascii
+   condition:
+      uint16(0) == 0x5025 and
+      2 of ($s*) and $x1
+}
+rule suspicious_js {
+	meta:
+        severity = 6
+        type = "pdf"
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 3
+		description = "possible exploit"
+        reference = "https://github.com/a232319779/mmpi/blob/master/mmpi/data/yara/pdf/pdf.yara"
+	strings:
+		$magic = { 25 50 44 46 }
+		$attrib0 = /\/OpenAction /
+		$attrib1 = /\/JavaScript /
+		$js0 = "eval"
+		$js1 = "Array"
+		$js2 = "String.fromCharCode"
+	condition:
+		$magic at 0 and all of ($attrib*) and 2 of ($js*)
+}
+rule possible_exploit {
+	meta:
+        severity = 9
+        type = "pdf"
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 3
+		url = "https://github.com/hiddenillusion/AnalyzePDF/blob/master/pdf_rules.yara"
+        description = "possible exploit"
+        reference = "https://github.com/a232319779/mmpi/blob/master/mmpi/data/yara/pdf/pdf.yara"
+	strings:
+		$magic = { 25 50 44 46 }
+		$attrib0 = /\/JavaScript /
+		$attrib3 = /\/ASCIIHexDecode/
+		$attrib4 = /\/ASCII85Decode/
+		$action0 = /\/Action/
+		$action1 = "Array"
+		$shell = "A"
+		$cond0 = "unescape"
+		$cond1 = "String.fromCharCode"
+		$nop = "%u9090%u9090"
+	condition:
+		$magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
+}
+rule Detect_JavaScript {
+    meta:
+        description = "Detects embedded JavaScript in PDF files"
+        type = "JavaScript"
+    strings:
+        $js1 = /\/JavaScript/i
+        $js2 = /\/JS/i
+        $js3 = /\/AA\s*<<\s*\/O\s*<<\s*\/S\s*\/JavaScript\s*\/JS\s*\(/i
+        $js4 = /app\.alert/i
+        $js5 = /this\.execute/i
+        $js6 = /this\.print/i
+        $js7 = /this\.saveAs/i
+        $js8 = /util\.printd/i
+        $js9 = /app\.setTimeOut/i
+        $js10 = /event\.target/i
+    condition:
+        $js1 or $js2 or $js3 or $js4 or $js5 or $js6 or $js7 or $js8 or $js9 or $js10
+}
+rule Detect_Launch_Action {
+    meta:
+        description = "Detects Launch actions in PDF files"
+        type = "Launch"
+    strings:
+        $launch1 = /\/Launch/i
+        $launch2 = /\/Action\s*>>\s*\/Type\s*\/Action/i
+        $launch3 = /\/S\s*\/Launch/i
+        $launch4 = /\/Launch\s*<<\s*\/S\s*\/Launch/i
+        $launch5 = /\/Launch\s*<<\s*\/F\s*<<\s*\/S\s*\/Launch/i
+        $launch6 = /\/Launch\s*\/F\s*\(/i
+        $launch7 = /\/Launch\s*<<\s*\/F\s*\(/i
+        $launch8 = /\/Launch\s*<<\s*\/Win\s*\(/i
+        $launch9 = /\/Launch\s*<<\s*\/Mac\s*\(/i
+        $launch10 = /\/Launch\s*\/Win\s*\(/i
+    condition:
+        $launch1 or $launch2 or $launch3 or $launch4 or $launch5 or $launch6 or $launch7 or $launch8 or $launch9 or $launch10
+}
+rule Detect_OpenAction {
+    meta:
+        description = "Detects OpenAction in PDF files"
+        type = "OpenAction"
+    strings:
+        $openAction1 = /\/OpenAction/i
+        $openAction2 = /\/AA/i
+        $openAction3 = /\/OpenAfterSave/i
+        $openAction4 = /\/OpenDocument/i
+        $openAction5 = /\/Open/i
+        $openAction6 = /\/O\s*<<\s*\/S\s*\/JavaScript\s*\/JS\s*\(/i
+        $openAction7 = /\/O\s*<<\s*\/S\s*\/JavaScript\s*\/JS/i
+        $openAction8 = /\/O\s*<<\s*\/JS\s*\(/i
+        $openAction9 = /\/O\s*<<\s*\/JS/i
+        $openAction10 = /\/Open\s*<<\s*\/JavaScript\s*\/JS\s*\(/i
+    condition:
+        $openAction1 or $openAction2 or $openAction3 or $openAction4 or $openAction5 or $openAction6 or $openAction7 or $openAction8 or $openAction9 or $openAction10
+}
+rule Detect_Embedded_Files {
+    meta:
+        description = "Detects embedded files in PDF files"
+        type = "EmbeddedFile"
+    strings:
+        $embed1 = /\/EmbeddedFile/i
+        $embed2 = /\/FileAttachment/i
+        $embed3 = /\/Type\s*\/EmbeddedFile/i
+        $embed4 = /\/EF\s*<<\s*\/F\s*<<\s*\/Type\s*\/EmbeddedFile/i
+        $embed5 = /\/EmbeddedFile\s*<<\s*\/Type\s*\/EmbeddedFile/i
+        $embed6 = /\/Filespec\s*<<\s*\/EF\s*<<\s*\/F\s*<<\s*\/Type\s*\/EmbeddedFile/i
+        $embed7 = /\/EmbeddedFile\s*\/Filespec/i
+        $embed8 = /\/EmbeddedFile\s*\/Names/i
+        $embed9 = /\/EmbeddedFile\s*\/Names\s*<<\s*\/Type\s*\/EmbeddedFile/i
+        $embed10 = /\/EmbeddedFile\s*\/Names\s*<<\s*\/Type\s*\/EmbeddedFile\s*\/Filespec/i
+    condition:
+        $embed1 or $embed2 or $embed3 or $embed4 or $embed5 or $embed6 or $embed7 or $embed8 or $embed9 or $embed10
+}
+rule Detect_Shellcode {
+    meta:
+        description = "Detects suspicious shellcode patterns in PDF files"
+        type = "Shellcode"
+    strings:
+        $shellcode1 = { 6a 60 68 63 61 6c 63 54 59 66 83 e9 ff 33 d2 64 8b 52 30 8b 52 0c 8b 52 14 8b 72 28 }
+        $shellcode2 = { 31 c0 50 68 2e 65 78 65 68 63 61 6c 63 8b dc 88 04 24 50 53 51 52 83 ec 04 }
+        $shellcode3 = { 50 51 52 56 57 53 89 e5 83 e4 f0 31 c0 64 8b 40 30 8b 40 0c 8b 70 1c ad 8b 40 08 }
+        $shellcode4 = { 89 e5 81 ec a0 00 00 00 31 c0 50 50 50 50 40 89 e1 50 89 e2 57 51 52 50 83 ec 04 }
+        $shellcode5 = { 31 c0 50 68 2e 64 61 74 61 68 5c 64 61 74 61 68 63 61 6c 63 89 e3 8b 53 3c }
+        $shellcode6 = { 31 d2 52 68 78 2e 74 78 68 2e 64 61 74 68 5c 5c 5c 68 2e 5c 5c 5c 68 5c 5c 5c }
+        $shellcode7 = { 68 5c 61 5c 61 5c 61 68 74 2e 74 78 68 2e 64 61 74 68 5c 5c 5c 68 2e 5c 5c 5c }
+        $shellcode8 = { 68 5c 61 5c 61 5c 61 68 78 2e 74 78 68 2e 64 61 74 68 5c 5c 5c 68 2e 5c 5c 5c }
+        $shellcode9 = { 68 61 5c 61 5c 68 61 5c 68 74 2e 78 68 2e 61 74 68 5c 5c 68 2e 5c 68 5c 5c }
+        $shellcode10 = { 68 61 5c 61 5c 61 68 74 2e 74 68 2e 64 68 5c 5c 5c 68 2e 5c 5c 68 5c 5c 68 }
+    condition:
+        $shellcode1 or $shellcode2 or $shellcode3 or $shellcode4 or $shellcode5 or $shellcode6 or $shellcode7 or $shellcode8 or $shellcode9 or $shellcode10
+}
+rule Detect_URLs {
+    meta:
+        description = "Detects suspicious URLs in PDF files"
+        type = "URL"
+    strings:
+        $url1 = /ftp:\/\/[^\s]+/ nocase
+        $url2 = /file:\/\/[^\s]+/ nocase
+        $url3 = /:\/\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ nocase
+    condition:
+        $url1 or $url2 or $url3
+}
+rule Detect_PDF_Embedded_Files {
+    meta:
+		atk_type = "Macro"
+        description = "Detects embedded files in PDF files"
+        author = "groommang"
+        date = "2024-06-25"
+    strings:
+        $pdf_header = {25 50 44 46}
+        $embedded_file = /EmbeddedFile/
+    condition:
+        $pdf_header at 0 and $embedded_file
+}
+rule Detect_PDF_Suspicious_AcroForms {
+    meta:
+      	atk_type = "Macro"
+        description = "Detects suspicious AcroForms in PDF files"
+        author = "groommang"
+        date = "2024-06-25"
+    strings:
+        $pdf_header = {25 50 44 46}
+        $acroform = /AcroForm/
+    condition:
+        $pdf_header at 0 and $acroform
+}
+rule oAuth_Phishing_PDF {
+    meta:
+        id = "789YmThaTvLDaE1V2Oqx7q"
+        fingerprint = "c367bca866de0b066e291b4e45216cbb68cc23297b002a29ca3c8d640a7db78e"
+        version = "1.0"
+        creation_date = "2022-01-01"
+        first_imported = "2022-02-03"
+        last_modified = "2022-02-03"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies potential phishing PDFs that target oAuth."
+        category = "MALWARE"
+        reference = "https://twitter.com/ffforward/status/1484127442679836676"
+    strings:
+        $pdf = {25504446} //%PDF
+        $s1 = "/URI (https://login.microsoftonline.com/common/oauth2/" ascii wide nocase
+        $s2 = "/URI (https://login.microsoftonline.com/consumers/oauth2" ascii wide nocase
+        $s3 = "/URI (https://accounts.google.com/o/oauth2" ascii wide nocase
+    condition:
+        $pdf at 0 and any of ($s*)
+}
+rule Adobe_XMP_Identifier {
+    meta:
+        author         = "InQuest Labs"
+		description    = "This signature identifies Adobe Extensible Metadata Platform (XMP) identifiers embedded within files. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. These identifiers can be used to track both malicious and benign graphics within common Microsoft and Adobe document lures."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "http://wwwimages.adobe.com/content/dam/acom/en/products/xmp/Pdfs/XMPAssetRelationships.pdf"
+        labs_reference = "https://labs.inquest.net/dfi/sha256/1030710f6f18950f01b1a55d50a5169717e48567aa13a0a769f5451423280b4d"
+        labs_pivot     = "https://labs.inquest.net/dfi/search/ioc/xmpid/xmp.did%3AEDC9411A6A5F11E2838BB9184F90E845##eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ=="
+        samples        = "1030710f6f18950f01b1a55d50a5169717e48567aa13a0a769f5451423280b4d"
+	strings:
+        $xmp_md5  = /xmp\.[dio]id[-: _][a-f0-9]{32}/  nocase ascii wide
+        $xmp_guid = /xmp\.[dio]id[-: _][a-f0-9]{36}/ nocase ascii wide
+	condition:
+		any of them
+}
+rule Generic_Phishing_PDF {
+    meta:
+        atk_type = "Generic_Phishing_PDF"
+        id = "6iE0XEqqhVGNED6Z8xIMr1"
+        fingerprint = "f3f31ec9651ee41552d41dbd6650899d7a33beea46ed1c3329c3bbd023fe128e"
+        version = "1.0"
+        creation_date = "2019-03-01"
+        first_imported = "2021-12-30"
+        last_modified = "2021-12-30"
+        status = "RELEASED"
+        sharing = "TLP:WHITE"
+        source = "BARTBLAZE"
+        author = "@bartblaze"
+        description = "Identifies generic phishing PDFs."
+        category = "MALWARE"
+        reference = "https://bartblaze.blogspot.com/2019/03/analysing-massive-office-365-phishing.html"
+    strings:
+        $pdf = {25504446}
+        $s1 = "<xmp:CreatorTool>RAD PDF</xmp:CreatorTool>"
+        $s2 = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"DynaPDF"
+    condition:
+        $pdf at 0 and all of ($s*)
+}
+rule Embedded_EXE_Cloaking : maldoc {
+    meta:
+        description = "Detects an embedded executable in a non-executable file"
+        author = "Florian Roth"
+        date = "2015/02/27"
+        score = 80
+    strings:
+        $noex_png = { 89 50 4E 47 }
+        $noex_pdf = { 25 50 44 46 }
+        $noex_rtf = { 7B 5C 72 74 66 31 }
+        $noex_jpg = { FF D8 FF E0 }
+        $noex_gif = { 47 49 46 38 }
+        $mz  = { 4D 5A }
+        $a1 = "This program cannot be run in DOS mode"
+        $a2 = "This program must be run under Win32"
+    condition:
+        (
+            ( $noex_png at 0 ) or
+            ( $noex_pdf at 0 ) or
+            ( $noex_rtf at 0 ) or
+            ( $noex_jpg at 0 ) or
+            ( $noex_gif at 0 )
+        )
+        and
+        for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
+}
+rule PDF_EMBEDDED_DOCM {
+    meta:
+        description = "Find pdf files that have an embedded docm with openaction"
+        author = "Brian Carter"
+        last_modified = "May 11, 2017"
+    strings:
+        $magic = { 25 50 44 46 2d }
+        $txt1 = "EmbeddedFile"
+        $txt2 = "docm)"
+        $txt3 = "JavaScript" nocase
+    condition:
+        $magic at 0 and all of ($txt*)
+}
+rule pdf_fake_password {
+    meta:
+        date = "2022-11-23"
+        description = "Detects PDF obfuscated via /Encrypt and /AuthEvent/DocOpen but opens without password"
+        author = "Paul Melson @pmelson"
+        hash = "0e182afae5301ac3097ae3955aa8c894ec3a635acbec427d399ccc4aac3be3d6"
+    strings:
+        $docopen = "<</CF<</StdCF<</AuthEvent/DocOpen/" ascii
+        $ownerpass = /\/Filter\/Standard\/Length (40|128|256)\/O\(/
+        $userpass = "/StmF/StdCF/StrF/StdCF/U(" ascii
+        $perms = { 2f 50 65 72 6d 73 28 5b 07 ec 96 e8 68 ef 35 2e 75 02 16 0f 5c 5c 22 d1 29 }
+    condition:
+        uint32(0) == 0x46445025 and
+        all of them
+}
+rule pdf_mal_script {
+	strings:
+		$magic = { 25 50 44 46 }
+		$action0 = "<</S/Launch/Type/Action/Win<<" nocase ascii
+		$action1 = "/Type/Action>>" nocase ascii
+		$action2 = "/OpenAction" nocase ascii
+		$action3 = "<< /Type /Action" nocase ascii
+		$action4 = "/Type /Action" nocase ascii
+		$uri = "/S /URI /Type /Action /URI"
+		$launch = "/S /Launch /Win" nocase ascii
+		$cmd = "(cmd.exe)" nocase ascii
+		$ps = "powershell" nocase ascii
+		$pscom0 = "DownloadFile" nocase ascii
+		$pscom1 = "payload" nocase ascii
+		$homepath = "%HOMEPATH%" nocase ascii
+		$start0 = "start" nocase ascii
+		$start1 = "startxref" nocase ascii
+		$js0 = "<</S/JavaScript/JS" nocase ascii
+		$js1 = /\/JS \([^)]+?\\/
+		$js2 = "/JavaScript" nocase ascii
+		$emb0 = "/EmbeddedFiles" nocase ascii
+		$emb1 = "/EmbeddedFile" nocase ascii
+		$url0 = "https://shapeupfitnessdkk-my.sharepoint.com/:b:/g/personal/michelle_shapeupfitness_dk/Ebd2GDh2N8JErL23JmMNmw8BQA7JVpGiS_C6TGkERpma4A?e=xBbtrV"
+		$url1 = "https://ipfs.io/ipfs/QmSyYCjyTMyo1dM2dWBY6ExTmodmU1oSBWTdmEDTLrEenC#http://www.booking.com/"
+		$url2 = "https://romacul.com.br/workshop/wp-content/mail.outlookoffice365.com.html"
+		$url3 = "https://www.hitplus.fr/2018/click.php?url=https://cutt.ly/seU8MT6t#F8i_bfW"
+		$url4 = "https://etehadshipping.com/"
+		$url5 = "https://afarm.net/"
+		$url6 = "https://portals.checkfedexexp.com"
+		$url7 = "https://otcworldmedia.com"
+		$url8 = "http://tiny.cc/"
+		$url9 = "http://128.199.7.40/"
+		$invoc = "%%Invocation:" nocase ascii
+		$op0 = "-sOutputFile=" nocase ascii
+		$op1 = "-dNumRenderingThreads=" nocase ascii
+		$op2 = "-sDEVICE=" nocase ascii
+		$op3 = "-dAutoRotatePages=" nocase ascii
+		$script0 = "<script" nocase ascii
+		$script1 = "</script>" nocase ascii
+		$tag0 = "<event" nocase ascii
+		$tag1 = "</event>" nocase ascii
+		$event0 = "event.target.exportXFAData" nocase ascii
+		$event1 = "activity=" nocase ascii
+ 	condition:
+		($magic at 0 and (8 of them)) or
+		($magic at 0 and ($action0 or $action1 or $action2) and ($cmd or $ps) or ($pscom0 or $pscom1) and ($start0 or $start1) and $launch and $homepath and $js0) or
+		($magic at 0 and ($action2 or $action3) and (1 of ($emb*))) or
+		($magic at 0 and ( 1 of($url*))) or
+		($magic at 0 and $action4 and ($js1 or $js2)) or
+		($magic at 0 and $invoc and (2 of ($op*))) or
+		($magic at 0 and $uri) or
+		($magic at 0 and (2 of ($script*)) and ((2 of($event*)) and (2 of ($tag*))))
+}
+rule IconMismatch_PE_PDF {
+    meta:
+        description = "Icon mismatch: PE executable with PDF icons"
+        author = "albertzsigovits"
+    condition:
+        uint16(0) == 0x5A4D
+        and uint32(uint32(0x3C)) == 0x00004550
+        and (
+               hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "0da488a59ce7c34b5362e2c3e900ebaa48c2fa182c183166d290c0c6f10f97c1" // PDF red icon #1
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "42cb714195c0255523313f41629c9d6a123d93f9789f8a8764e52cad405ea199" // PDF red icon #2
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "56cc2dea455f34271b031b51ff2b439a8a8083f4848b5308d4b42c827ba22c1f" // PDF red icon #3
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "683370eb202be9c57e6fe038e4a234c7a4e1f353dfbfe64d8f33397a5a0f0e81" // PDF red icon #4
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "68f1550f74d5cf2a52f1cf3780037facf60a6254e133fcc503a12e1ea5106184" // PDF red icon #5
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "9f12f3b8937665385f43f28caab2ded4469cefbec166d83e57d70e5a7b380067" // PDF red icon #6
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "a27b7e5c64c784418daa27bebb7ffcedbc919649d1a5b6446cd8c02516ba6da6" // PDF red icon #7
+            or hash.sha256(pe.resources[0].offset, pe.resources[0].length) == "f7e6bb934282eae0225f37b2d05e81c7bfa95acbf11d1eb9c9662ed3accf5708" // PDF red icon #8
+        )
+}
+rule PDF_Exploit_Enhanced {
+    meta:
+        description = "Detects common PDF exploits and embedded malware test files"
+    strings:
+        $aa = "/OpenAction"
+        $acroform = "/AcroForm"
+        $embedded_file = "/EmbeddedFile"
+        $js = "/JS"
+        $javascript = "/JavaScript"
+        $launch = "/Launch"
+        $eicar_pdf = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" nocase
+    condition:
+        (any of ($js, $javascript, $aa, $acroform, $embedded_file, $launch) or $eicar_pdf)
+}
+rule SPICA__Strings {
+    meta:
+        author = "Google TAG"
+        date = "2024-01-15"
+        description = "Rust backdoor using websockets for c2 and embedded decoy PDF"
+        hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
+    strings:
+        $s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
+        $s2 = "winWrite1"
+        $s3 = "winWrite2"
+        $s4 = "DNS resolution panicked"
+        $s5 = "struct Dox"
+        $s6 = "struct Telegram"
+        $s8 = "struct Download"
+        $s9 = "spica"
+        $s10 = "Failed to open the subkey after setting the value."
+        $s11 = "Card Holder: Bull Gayts"
+        $s12 = "Card Number: 7/ 3310 0195 4865"
+        $s13 = "CVV: 592"
+        $s14 = "Card Expired: 03/28"
+        $a0 = "agent\\src\\archive.rs"
+        $a1 = "agent\\src\\main.rs"
+        $a2 = "agent\\src\\utils.rs"
+        $a3 = "agent\\src\\command\\dox.rs"
+        $a4 = "agent\\src\\command\\shell.rs"
+        $a5 = "agent\\src\\command\\telegram.rs"
+        $a6 = "agent\\src\\command\\mod.rs"
+        $a7 = "agent\\src\\command\\mod.rs"
+        $a8 = "agent\\src\\command\\cookie\\mod.rs"
+        $a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
+        $a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
+    condition:
+        7 of ($s*) or 5 of ($a*)
+}
+rule G_Backdoor_TOUGHPROGRESS_LNK_1 {
+	meta:
+		author = "GTIG"
+		date_created = "2025-04-29"
+		date_modified = "2025-04-29"
+		md5 = "65da1a9026cf171a5a7779bc5ee45fb1"
+		rev = 1
+	strings:
+		$marker = { 4C 00 00 00 }
+		$str1 = "rundll32.exe" ascii wide
+		$str2 = ".\\image\\7.jpg,plus" wide
+		$str3 = "%PDF-1"
+		$str4 = "PYL="
+	condition:
+		$marker at 0 and all of them
+}
+rule LNK_Dropper_Russian_APT_Feb2024 {
+    meta:
+        Description = "Detects LNK dropper samples used by a Russian APT during a past campaign"
+        Author = "RustyNoob619"
+        Reference = "https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition"
+        Hash = "114935488cc5f5d1664dbc4c305d97a7d356b0f6d823e282978792045f1c7ddb"
+        SampleTesting = "Matches all five LNK Dropper Samples from the Blog"
+    strings:
+        $lnk = { 4C 00 00 00 01 14 02 00 }
+        $pwrsh1 = "powershell.exe"
+        $pwrsh2 = "WindowsPowerShell"
+        $pwrsh3 = "powershell"
+        $cmd = "cmd.exe"
+        $ext1 = ".pdf.lnk"
+        $ext2 = ".pdfx.lnk"
+        $ext3 = "pdf.lnk" base64
+        $scrpt1 = "Select-String -pattern \"JEVycm9yQWN0aW9uUH\" "
+        $scrpt2 = "findstr /R 'JVBERi0xLjcNJeLjz9'" base64
+        $blob1 = "$ErrorActionPreference = \"Continue\"" base64
+        $blob2 = "$ProgressPreference = \"SilentlyContinue\"" base64
+        $blob3 = "New-Alias -name pwn -Value iex -Force" base64
+        $blob4 = "if ($pwd.path.toLower() -ne \"c:\\windows\\system32\")" base64
+        $blob5 = "Copy-Item $env:tmp\\Temp.jpg $env:userprofile\\Temp.jpg" base64
+        $blob6 = "attrib +h $env:userprofile\\Temp.jpg" base64
+        $blob7 = "Start-Process $env:tmp\\Important.pdf" base64
+        $net1 = "$userAgent = \"Mozilla/6.4 (Windows NT 11.1) Gecko/2010102 Firefox/99.0\"" base64
+        $net2 = "$redirectors = \"6" base64
+        $net3 = "$sleeps = 5" base64
+        $http1 = "$request.Headers[\"X-Request-ID\"] = $request_token" base64
+        $http2 = "$request.ContentType = \"application/x-www-form-urlencoded\"" base64
+        $http3 = "$response1 = $(Send-HttpRequest \"$server/api/v1/Client/Info\" \"POST\" \"Info: $getenv64\")" base64
+        $http4 = "$response = $($token = Send-HttpRequest \"$server/api/v1/Client/Token\" \"GET\")" base64
+        $server1 = "$server = \"api-gate.xyz\"" base64
+        $server2 = "$server = \"pdf-online.top\"" base64
+        $unknown = "$server = " base64
+    condition:
+        $lnk at 0                       //LNK File Header
+        and (any of ($pwrsh*) or $cmd) //searches for CMD or PowerShell execution
+        and any of ($ext*)            //Fake Double Extension mimicing a PDF
+        and any of ($scrpt*)         //Searches for a unique string to locate execution code
+        and 5 of ($blob*)           //Base64 encoded execution blob
+        and 2 of ($net*)
+        and 3 of ($http*)
+        and (any of ($server*) or $unknown) // C2 dommain config (Optional, can be removed)
+}
+private rule PDF_Structure
+{
+    meta:
+        description = "Detects valid, readable PDF files"
+        reference_files = "minimal.pdf (4a6f4ff8596321eea6fa482e7adbed01)"
+        author = "ThreatFlux"
+        date = "2024-12-31"
+        version = "1.1"
+        file_type = "PDF"
+    strings:
+        $header = "%PDF-"
+        $eof_marker = "%%EOF"
+        $startxref = "startxref"
+        $xref = "xref"
+        $trailer = "trailer"
+    condition:
+        // Header validation
+        $header at 0 and
+        uint8(5) >= 0x31 and          // Major version >= 1
+        uint8(5) <= 0x37 and          // Major version <= 7
+        uint8(7) == 0x2E and          // Decimal point
+        uint8(8) >= 0x30 and          // Minor version >= 0
+        uint8(8) <= 0x37 and          // Minor version <= 7
+        // Basic structure requirements
+        filesize > 32 and             // Minimum size for valid PDF
+        $eof_marker in (filesize-10..filesize) and  // EOF marker near end
+        // Required PDF elements
+        $xref and                     // Must have cross-reference table
+        $trailer and                  // Must have trailer
+        $startxref and                // Must have startxref pointer
+        // Basic binary check
+        uint8(1) == 0x50 and         // 'P'
+        uint8(2) == 0x44 and         // 'D'
+        uint8(3) == 0x46             // 'F'
+}
+rule DETECT_CommandShell_PDF_Execution
+{
+    meta:
+        description = "Detects Windows Command Shell execution artifacts in PDF files"
+        author = "ThreatFlux"
+        date = "2024-01-03"
+        version = "2.1"
+        // Classification
+        threat_level = "Medium"
+        category = "SUSPICIOUS_BEHAVIOR"
+        malware_type = "PDF.CommandExecution"
+        tlp = "WHITE"
+        // MITRE ATT&CK Mapping
+        mitre_attack = "T1059.003" // Windows Command Shell
+        mitre_techniques = "T1204.002" // User Execution: Malicious File
+        mitre_tactics = "Execution"
+        // Detection Details
+        detection_name = "PDF.Suspicious.CommandExecution"
+        detection_rate = "Medium-High"
+        false_positive_rate = "Medium"
+        bypass_attempts = "String obfuscation, encoding variations"
+        // File Characteristics
+        file_type = "PDF"
+        min_size = "1KB"
+        max_size = "10MB"
+        // References
+        ref1 = "https://attack.mitre.org/techniques/T1059/003/"
+        ref2 = "https://attack.mitre.org/techniques/T1204/002/"
+        // Sample Metadata
+        sample_hash1 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+    strings:
+        // Command Shell Artifacts
+        $cmd1 = "cmd.exe" nocase ascii
+        $cmd2 = "cmd /c" nocase ascii
+        $cmd3 = "cmd /k" nocase ascii
+        $cmd4 = "%comspec%" nocase ascii
+        // Suspicious PDF Elements
+        $suspc1 = "/JavaScript" ascii
+        $suspc2 = "/OpenAction" ascii
+        $suspc3 = "/Launch" ascii
+    condition:
+        PDF_Structure and
+        (
+            // Command Shell Reference
+            any of ($cmd*) and
+            // Supporting Suspicious Elements
+            any of ($suspc*)
+        )
+}
+rule apt_MuddyWater_malicious_pdf {
+    meta:
+        id = "77983aea-47cb-4436-b773-faf7be430339"
+        version = "1.0"
+        intrusion_set = "MuddyWater"
+        description = "Detects malicious PDF used by MuddyWater"
+        source = "Sekoia.io"
+        creation_date = "2024-06-10"
+        classification = "TLP:WHITE"
+    strings:
+        $ = "egnyte.com/fl/"
+        $ = "/Type/Pages/Count 1"
+    condition:
+        uint32be(0) == 0x25504446 and
+        filesize < 300KB and
+        all of them
+}
+rule Bad_PDF {
+    meta:
+        description = "Detection patterns for the tool 'Bad-PDF' taken from the ThreatHunting-Keywords github project"
+        author = "@mthcht"
+        reference = "https://github.com/mthcht/ThreatHunting-Keywords"
+        tool = "Bad-PDF"
+        rule_category = "offensive_tool_keyword"
+    strings:
+        // Description: Bad-PDF create malicious PDF file to steal NTLM(NTLMv1/NTLMv2) Hashes from windows machines. it utilize vulnerability disclosed by checkpoint team to create the malicious PDF file. Bad-Pdf reads the NTLM hashes using Responder listener.
+        // Reference: https://github.com/deepzec/Bad-Pdf
+        $string1 = "Bad-Pdf" nocase ascii wide
+    condition:
+        any of them
+}
+rule DetectMaliciousScriptInPDF {
+    meta:
+        description = "Detects a PDF containing the text 'malicious_script'"
+        author = "Kasthuri"
+        date = "2024-09-28"
+    strings:
+        $eval = "eval("
+        $js_function = "function("
+        $malicious_js = "document.write(unescape("
+    condition:
+        $js_function or $eval or $malicious_js
+}
+rule DetectMaliciousURLs {
+    meta:
+        description = "Detects potentially malicious URLs in a PDF"
+        author = "Kasthuri"
+        date = "2024-09-28"
+    strings:
+        $phishing_url = /example\.com.*example\.com|example\.com.*secure|paypal\.com.*login/
+        $url_shortener = /bit\.ly|tinyurl\.com|goo\.gl/
+        $suspicious_extension = /\.exe|\.php\.exe|\.js\.exe/
+        $redirect_chain = /redirect\?url=/
+        $suspicious_path = /admin|config|login|wp-admin/
+        // $obfuscated_url = /%[0-9A-Fa-f]{2}/
+        // $base64_encoded_url = /[a-zA-Z0-9+\/=]{20,}/
+    condition:
+           $phishing_url
+        or $url_shortener
+        or $suspicious_extension
+        or $redirect_chain
+        or $suspicious_path
+        // or $obfuscated_url
+        // or $base64_encoded_url
+}
+rule MAL_DarkCloud_Phishing_PDF_IOC {
+    meta:
+        description = "Detects a specific malicious PDF file used in DarkCloud Stealer phishing campaigns based on its SHA256 hash."
+        date = "2025-07-24"
+        version = 1
+        reference = "https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/"
+        hash = "bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc"
+        tags = "CRIME, INFOSTEALER, DARKCLOUD, FILE"
+        mitre_attack = "T1566.001"
+        malware_family = "DarkCloud"
+        malware_type = "Infostealer"
+    condition:
+        // Match the specific SHA256 hash of the malicious PDF file.
+        hash.sha256(0, filesize) == "bf3b43f5e4398ac810f005200519e096349b2237587d920d3c9b83525bb6bafc"
+}
+rule PDF_Javascript_Exploit {
+    meta:
+        description = "Detect potentially malicious PDF with JavaScript"
+        author = "Cyberion Security"
+        date = "2025-01-01"
+        severity = "medium"
+        category = "pdf"
+    strings:
+        $pdf = "%PDF"
+        $js1 = "/JavaScript" nocase
+        $js2 = "/JS" nocase
+        $js3 = "eval(" nocase
+        $js4 = "unescape(" nocase
+    condition:
+        $pdf at 0 and (1 of ($js*))
+}

pdfalyzer 1.16.6__py3-none-any.whl → 1.16.7__py3-none-any.whl

Potentially problematic release.

pdfalyzer 1.16.6py3-none-any.whl → 1.16.7py3-none-any.whl