pdfalyzer 1.16.6__py3-none-any.whl → 1.16.7__py3-none-any.whl

pdfalyzer/yara_rules/PDF_binary_stream.yara

@@ -1,6 +1,5 @@
 
-rule PDF_with_XORed_JS_keywords
-{
+rule PDF_with_XORed_JS_keywords {
     meta:
         author             = "Michel de Cryptadamus"
         description        = "Look for Javascript keywords with XOR"
@@ -16,7 +15,6 @@ rule PDF_with_XORed_JS_keywords
 }
 
 
-
 // rule Frontslash_regex
 // {
 //     meta:

pdfalyzer/yara_rules/didier_stevens.yara

@@ -0,0 +1,248 @@
+rule Contains_VBE_File {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+        description = "Detect a VBE file inside a byte sequence"
+        method = "Find string starting with #@~^ and ending with ^#~@"
+    strings:
+        $vbe = /#@~\^.+\^#~@/
+    condition:
+        $vbe
+}
+
+
+rule JPEG_EXIF_Contains_eval {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+        description = "Detect eval function inside JPG EXIF header (http://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html)"
+        method = "Detect JPEG file and EXIF header ($a) and eval function ($b) inside EXIF data"
+    strings:
+        $a = {FF E1 ?? ?? 45 78 69 66 00}
+        $b = /\beval\s*\(/
+    condition:
+        uint16be(0x00) == 0xFFD8 and $a and $b in (@a + 0x12 .. @a + 0x02 + uint16be(@a + 0x02) - 0x06)
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    API Hashing:10:AC84C07407C1CF0D01C7EBF481FF
+    API Hashing bis:10:AC84C07407C1CF0701C7EBF481FF
+*/
+rule maldoc_API_hashing {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
+        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
+    condition:
+        any of them
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    Function prolog signature:10:558BEC83C4
+    Function prolog signature:10:558BEC81EC
+    Function prolog signature:10:558BECEB
+    Function prolog signature:10:558BECE8
+    Function prolog signature:10:558BECE9
+*/
+rule maldoc_function_prolog_signature {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {55 8B EC 81 EC}
+        $a2 = {55 8B EC 83 C4}
+        $a3 = {55 8B EC E8}
+        $a4 = {55 8B EC E9}
+        $a5 = {55 8B EC EB}
+    condition:
+        any of them
+}
+
+/*
+XORSearch wildcard rule(s):
+    Structured exception handling :10:648B(B;00???101)00000000
+    Structured exception handling bis:10:64A100000000
+*/
+rule maldoc_structured_exception_handling {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
+        $a2 = {64 A1 00 00 00 00}
+    condition:
+        any of them
+}
+
+/*
+XORSearch wildcard rule(s):
+    Indirect function call:10:FF75(B;A???????)FF55(B;A???????)
+*/
+rule maldoc_indirect_function_call_1 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {FF 75 ?? FF 55 ??}
+    condition:
+        for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
+}
+
+/*
+XORSearch wildcard rule(s):
+    Indirect function call bis:10:FFB5(B;A???????)(B;B???????)(B;C???????)(B;D???????)FF95(B;A???????)(B;B???????)(B;C???????)(B;D???????)
+*/
+rule maldoc_indirect_function_call_2 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
+    condition:
+        for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    Find kernel32 base method 2:10:31(B;11A??A??)(B;10100A??)30648B(B;00B??A??)
+*/
+rule maldoc_find_kernel32_base_method_2 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {31 ?? ?? 30 64 8B ??}
+    condition:
+        for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    Find kernel32 base method 3:10:6830000000(B;01011A??)648B(B;00B??A??)
+*/
+rule maldoc_find_kernel32_base_method_3 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
+    condition:
+        for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    GetEIP method 4 FLDZ/FSTENV [esp-12]:10:D9EED97424F4(B;01011???)
+    GetEIP method 4:10:D9EE9BD97424F4(B;01011???)
+*/
+rule maldoc_getEIP_method_4 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
+        $a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
+    condition:
+        any of them
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    Indirect function call tris:10:FFB7(B;????????)(B;????????)(B;????????)(B;????????)FF57(B;????????)
+*/
+rule maldoc_indirect_function_call_3 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
+    condition:
+        $a
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    Find kernel32 base method 1:10:648B(B;00???101)30000000
+    Find kernel32 base method 1bis:10:64A130000000
+*/
+rule maldoc_find_kernel32_base_method_1 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
+        $a2 = {64 A1 30 00 00 00}
+    condition:
+        any of them
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    GetEIP method 1:10:E800000000(B;01011???)
+*/
+rule maldoc_getEIP_method_1 {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
+    condition:
+        $a
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    OLE file magic number:10:D0CF11E0
+*/
+rule maldoc_OLE_file_magic_number {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {D0 CF 11 E0}
+    condition:
+        $a
+}
+
+
+/*
+XORSearch wildcard rule(s):
+    Suspicious strings:2:str=UrlDownloadToFile
+    Suspicious strings:2:str=GetTempPath
+    Suspicious strings:2:str=GetWindowsDirectory
+    Suspicious strings:2:str=GetSystemDirectory
+    Suspicious strings:2:str=WinExec
+    Suspicious strings:2:str=ShellExecute
+    Suspicious strings:2:str=IsBadReadPtr
+    Suspicious strings:2:str=IsBadWritePtr
+    Suspicious strings:2:str=CreateFile
+    Suspicious strings:2:str=CloseHandle
+    Suspicious strings:2:str=ReadFile
+    Suspicious strings:2:str=WriteFile
+    Suspicious strings:2:str=SetFilePointer
+    Suspicious strings:2:str=VirtualAlloc
+    Suspicious strings:2:str=GetProcAddr
+    Suspicious strings:2:str=LoadLibrary
+*/
+rule maldoc_suspicious_strings {
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a01 = "CloseHandle"
+        $a02 = "CreateFile"
+        $a03 = "GetProcAddr"
+        $a04 = "GetSystemDirectory"
+        $a05 = "GetTempPath"
+        $a06 = "GetWindowsDirectory"
+        $a07 = "IsBadReadPtr"
+        $a08 = "IsBadWritePtr"
+        $a09 = "LoadLibrary"
+        $a10 = "ReadFile"
+        $a11 = "SetFilePointer"
+        $a12 = "ShellExecute"
+        $a13 = "UrlDownloadToFile"
+        $a14 = "VirtualAlloc"
+        $a15 = "WinExec"
+        $a16 = "WriteFile"
+    condition:
+        any of them
+}