pdfalyzer 1.16.7__py3-none-any.whl → 1.16.8__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- CHANGELOG.md +5 -0
- pdfalyzer/yara_rules/PDF.yara +475 -422
- pdfalyzer/yara_rules/PDF_binary_stream.yara +5 -5
- pdfalyzer/yara_rules/pdf_malware.yara +1884 -1808
- {pdfalyzer-1.16.7.dist-info → pdfalyzer-1.16.8.dist-info}/METADATA +4 -6
- {pdfalyzer-1.16.7.dist-info → pdfalyzer-1.16.8.dist-info}/RECORD +9 -9
- {pdfalyzer-1.16.7.dist-info → pdfalyzer-1.16.8.dist-info}/LICENSE +0 -0
- {pdfalyzer-1.16.7.dist-info → pdfalyzer-1.16.8.dist-info}/WHEEL +0 -0
- {pdfalyzer-1.16.7.dist-info → pdfalyzer-1.16.8.dist-info}/entry_points.txt +0 -0
|
@@ -508,2240 +508,2254 @@ rule Malicious_PDF_Registry_Access {
|
|
|
508
508
|
|
|
509
509
|
/* https://github.com/tylabs/quicksand PDF Exploit detection signatures */
|
|
510
510
|
rule shellcode_hash__CloseHandle {
|
|
511
|
-
|
|
512
|
-
|
|
513
|
-
|
|
514
|
-
|
|
515
|
-
|
|
516
|
-
|
|
517
|
-
|
|
518
|
-
|
|
519
|
-
|
|
520
|
-
|
|
521
|
-
|
|
522
|
-
|
|
523
|
-
|
|
524
|
-
|
|
525
|
-
|
|
526
|
-
|
|
527
|
-
|
|
511
|
+
meta:
|
|
512
|
+
is_exploit = false
|
|
513
|
+
is_feature = false
|
|
514
|
+
is_warning = true
|
|
515
|
+
rank = 2
|
|
516
|
+
revision = "1"
|
|
517
|
+
date = "June 07 2020"
|
|
518
|
+
author = "@tylabs"
|
|
519
|
+
sigtype = "pdfexaminer_shellcode"
|
|
520
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
521
|
+
desc = "shellcode.hash CloseHandle"
|
|
522
|
+
mitre = "T1106"
|
|
523
|
+
strings:
|
|
524
|
+
$h_raw = "fb97fd0f" nocase
|
|
525
|
+
$h_hex = { fb97fd0f }
|
|
526
|
+
condition:
|
|
527
|
+
filesize < 1MB and any of them
|
|
528
528
|
}
|
|
529
529
|
|
|
530
530
|
|
|
531
531
|
rule shellcode_hash__CreateFileA {
|
|
532
|
-
|
|
533
|
-
|
|
534
|
-
|
|
535
|
-
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
|
|
539
|
-
|
|
540
|
-
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
|
|
545
|
-
|
|
546
|
-
|
|
547
|
-
|
|
548
|
-
|
|
532
|
+
meta:
|
|
533
|
+
is_exploit = false
|
|
534
|
+
is_feature = false
|
|
535
|
+
is_warning = true
|
|
536
|
+
rank = 2
|
|
537
|
+
revision = "1"
|
|
538
|
+
date = "June 07 2020"
|
|
539
|
+
author = "@tylabs"
|
|
540
|
+
sigtype = "pdfexaminer_shellcode"
|
|
541
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
542
|
+
desc = "shellcode.hash CreateFileA"
|
|
543
|
+
mitre = "T1106"
|
|
544
|
+
strings:
|
|
545
|
+
$h_raw = "a517007c" nocase
|
|
546
|
+
$h_hex = { a517007c }
|
|
547
|
+
condition:
|
|
548
|
+
filesize < 1MB and any of them
|
|
549
549
|
}
|
|
550
550
|
|
|
551
551
|
|
|
552
552
|
rule shellcode_hash__CreateProcessA {
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
|
|
558
|
-
|
|
559
|
-
|
|
560
|
-
|
|
561
|
-
|
|
562
|
-
|
|
563
|
-
|
|
564
|
-
|
|
565
|
-
|
|
566
|
-
|
|
567
|
-
|
|
568
|
-
|
|
569
|
-
|
|
553
|
+
meta:
|
|
554
|
+
is_exploit = false
|
|
555
|
+
is_feature = false
|
|
556
|
+
is_warning = true
|
|
557
|
+
rank = 2
|
|
558
|
+
revision = "1"
|
|
559
|
+
date = "June 07 2020"
|
|
560
|
+
author = "@tylabs"
|
|
561
|
+
sigtype = "pdfexaminer_shellcode"
|
|
562
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
563
|
+
desc = "shellcode.hash CreateProcessA"
|
|
564
|
+
mitre = "T1106"
|
|
565
|
+
strings:
|
|
566
|
+
$h_raw = "72feb316" nocase
|
|
567
|
+
$h_hex = { 72feb316 }
|
|
568
|
+
condition:
|
|
569
|
+
filesize < 1MB and any of them
|
|
570
570
|
}
|
|
571
571
|
|
|
572
572
|
|
|
573
573
|
rule shellcode_hash__DeleteFileA {
|
|
574
|
-
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
578
|
-
|
|
579
|
-
|
|
580
|
-
|
|
581
|
-
|
|
582
|
-
|
|
583
|
-
|
|
584
|
-
|
|
585
|
-
|
|
586
|
-
|
|
587
|
-
|
|
588
|
-
|
|
589
|
-
|
|
590
|
-
|
|
574
|
+
meta:
|
|
575
|
+
is_exploit = false
|
|
576
|
+
is_feature = false
|
|
577
|
+
is_warning = true
|
|
578
|
+
rank = 2
|
|
579
|
+
revision = "1"
|
|
580
|
+
date = "June 07 2020"
|
|
581
|
+
author = "@tylabs"
|
|
582
|
+
sigtype = "pdfexaminer_shellcode"
|
|
583
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
584
|
+
desc = "shellcode.hash DeleteFileA"
|
|
585
|
+
mitre = "T1106"
|
|
586
|
+
strings:
|
|
587
|
+
$h_raw = "25b0ffc2" nocase
|
|
588
|
+
$h_hex = { 25b0ffc2 }
|
|
589
|
+
condition:
|
|
590
|
+
filesize < 1MB and any of them
|
|
591
591
|
}
|
|
592
592
|
|
|
593
593
|
|
|
594
594
|
rule shellcode_hash__ExitProcess {
|
|
595
|
-
|
|
596
|
-
|
|
597
|
-
|
|
598
|
-
|
|
599
|
-
|
|
600
|
-
|
|
601
|
-
|
|
602
|
-
|
|
603
|
-
|
|
604
|
-
|
|
605
|
-
|
|
606
|
-
|
|
607
|
-
|
|
608
|
-
|
|
609
|
-
|
|
610
|
-
|
|
611
|
-
|
|
595
|
+
meta:
|
|
596
|
+
is_exploit = false
|
|
597
|
+
is_feature = false
|
|
598
|
+
is_warning = true
|
|
599
|
+
rank = 2
|
|
600
|
+
revision = "1"
|
|
601
|
+
date = "June 07 2020"
|
|
602
|
+
author = "@tylabs"
|
|
603
|
+
sigtype = "pdfexaminer_shellcode"
|
|
604
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
605
|
+
desc = "shellcode.hash ExitProcess"
|
|
606
|
+
mitre = "T1106"
|
|
607
|
+
strings:
|
|
608
|
+
$h_raw = "7ed8e273" nocase
|
|
609
|
+
$h_hex = { 7ed8e273 }
|
|
610
|
+
condition:
|
|
611
|
+
filesize < 1MB and any of them
|
|
612
612
|
}
|
|
613
613
|
|
|
614
614
|
|
|
615
615
|
rule shellcode_hash__ExitThread {
|
|
616
|
-
|
|
617
|
-
|
|
618
|
-
|
|
619
|
-
|
|
620
|
-
|
|
621
|
-
|
|
622
|
-
|
|
623
|
-
|
|
624
|
-
|
|
625
|
-
|
|
626
|
-
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
616
|
+
meta:
|
|
617
|
+
is_exploit = false
|
|
618
|
+
is_feature = false
|
|
619
|
+
is_warning = true
|
|
620
|
+
rank = 2
|
|
621
|
+
revision = "1"
|
|
622
|
+
date = "June 07 2020"
|
|
623
|
+
author = "@tylabs"
|
|
624
|
+
sigtype = "pdfexaminer_shellcode"
|
|
625
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
626
|
+
desc = "shellcode.hash ExitThread"
|
|
627
|
+
mitre = "T1106"
|
|
628
|
+
strings:
|
|
629
|
+
$h_raw = "efcee060" nocase
|
|
630
|
+
$h_hex = { efcee060 }
|
|
631
|
+
condition:
|
|
632
|
+
filesize < 1MB and any of them
|
|
633
633
|
}
|
|
634
634
|
|
|
635
635
|
|
|
636
636
|
rule shellcode_hash__GetProcAddress {
|
|
637
|
-
|
|
638
|
-
|
|
639
|
-
|
|
640
|
-
|
|
641
|
-
|
|
642
|
-
|
|
643
|
-
|
|
644
|
-
|
|
645
|
-
|
|
646
|
-
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
|
|
650
|
-
|
|
651
|
-
|
|
652
|
-
|
|
653
|
-
|
|
637
|
+
meta:
|
|
638
|
+
is_exploit = false
|
|
639
|
+
is_feature = false
|
|
640
|
+
is_warning = true
|
|
641
|
+
rank = 2
|
|
642
|
+
revision = "1"
|
|
643
|
+
date = "June 07 2020"
|
|
644
|
+
author = "@tylabs"
|
|
645
|
+
sigtype = "pdfexaminer_shellcode"
|
|
646
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
647
|
+
desc = "shellcode.hash GetProcAddress"
|
|
648
|
+
mitre = "T1129"
|
|
649
|
+
strings:
|
|
650
|
+
$h_raw = "aafc0d7c" nocase
|
|
651
|
+
$h_hex = { aafc0d7c }
|
|
652
|
+
condition:
|
|
653
|
+
filesize < 1MB and any of them
|
|
654
654
|
}
|
|
655
655
|
|
|
656
656
|
|
|
657
657
|
rule shellcode_hash__GetSystemDirectoryA {
|
|
658
|
-
|
|
659
|
-
|
|
660
|
-
|
|
661
|
-
|
|
662
|
-
|
|
663
|
-
|
|
664
|
-
|
|
665
|
-
|
|
666
|
-
|
|
667
|
-
|
|
668
|
-
|
|
669
|
-
|
|
670
|
-
|
|
671
|
-
|
|
672
|
-
|
|
673
|
-
|
|
674
|
-
|
|
658
|
+
meta:
|
|
659
|
+
is_exploit = false
|
|
660
|
+
is_feature = false
|
|
661
|
+
is_warning = true
|
|
662
|
+
rank = 2
|
|
663
|
+
revision = "1"
|
|
664
|
+
date = "June 07 2020"
|
|
665
|
+
author = "@tylabs"
|
|
666
|
+
sigtype = "pdfexaminer_shellcode"
|
|
667
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
668
|
+
desc = "shellcode.hash GetSystemDirectoryA"
|
|
669
|
+
mitre = "T1106"
|
|
670
|
+
strings:
|
|
671
|
+
$h_raw = "c179e5b8" nocase
|
|
672
|
+
$h_hex = { c179e5b8 }
|
|
673
|
+
condition:
|
|
674
|
+
filesize < 1MB and any of them
|
|
675
675
|
}
|
|
676
676
|
|
|
677
677
|
|
|
678
678
|
rule shellcode_hash___hwrite {
|
|
679
|
-
|
|
680
|
-
|
|
681
|
-
|
|
682
|
-
|
|
683
|
-
|
|
684
|
-
|
|
685
|
-
|
|
686
|
-
|
|
687
|
-
|
|
688
|
-
|
|
689
|
-
|
|
690
|
-
|
|
691
|
-
|
|
692
|
-
|
|
693
|
-
|
|
694
|
-
|
|
695
|
-
|
|
679
|
+
meta:
|
|
680
|
+
is_exploit = false
|
|
681
|
+
is_feature = false
|
|
682
|
+
is_warning = true
|
|
683
|
+
rank = 2
|
|
684
|
+
revision = "1"
|
|
685
|
+
date = "June 07 2020"
|
|
686
|
+
author = "@tylabs"
|
|
687
|
+
sigtype = "pdfexaminer_shellcode"
|
|
688
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
689
|
+
desc = "shellcode.hash _hwrite"
|
|
690
|
+
mitre = "T1106"
|
|
691
|
+
strings:
|
|
692
|
+
$h_raw = "d98a23e9" nocase
|
|
693
|
+
$h_hex = { d98a23e9 }
|
|
694
|
+
condition:
|
|
695
|
+
filesize < 1MB and any of them
|
|
696
696
|
}
|
|
697
697
|
|
|
698
698
|
|
|
699
699
|
rule shellcode_hash___lclose {
|
|
700
|
-
|
|
701
|
-
|
|
702
|
-
|
|
703
|
-
|
|
704
|
-
|
|
705
|
-
|
|
706
|
-
|
|
707
|
-
|
|
708
|
-
|
|
709
|
-
|
|
710
|
-
|
|
711
|
-
|
|
712
|
-
|
|
713
|
-
|
|
714
|
-
|
|
715
|
-
|
|
716
|
-
|
|
700
|
+
meta:
|
|
701
|
+
is_exploit = false
|
|
702
|
+
is_feature = false
|
|
703
|
+
is_warning = true
|
|
704
|
+
rank = 2
|
|
705
|
+
revision = "1"
|
|
706
|
+
date = "June 07 2020"
|
|
707
|
+
author = "@tylabs"
|
|
708
|
+
sigtype = "pdfexaminer_shellcode"
|
|
709
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
710
|
+
desc = "shellcode.hash _lclose"
|
|
711
|
+
mitre = "T1106"
|
|
712
|
+
strings:
|
|
713
|
+
$h_raw = "5b4c1add" nocase
|
|
714
|
+
$h_hex = { 5b4c1add }
|
|
715
|
+
condition:
|
|
716
|
+
filesize < 1MB and any of them
|
|
717
717
|
}
|
|
718
718
|
|
|
719
719
|
|
|
720
720
|
rule shellcode_hash___lcreat {
|
|
721
|
-
|
|
722
|
-
|
|
723
|
-
|
|
724
|
-
|
|
725
|
-
|
|
726
|
-
|
|
727
|
-
|
|
728
|
-
|
|
729
|
-
|
|
730
|
-
|
|
731
|
-
|
|
732
|
-
|
|
733
|
-
|
|
734
|
-
|
|
735
|
-
|
|
736
|
-
|
|
737
|
-
|
|
721
|
+
meta:
|
|
722
|
+
is_exploit = false
|
|
723
|
+
is_feature = false
|
|
724
|
+
is_warning = true
|
|
725
|
+
rank = 2
|
|
726
|
+
revision = "1"
|
|
727
|
+
date = "June 07 2020"
|
|
728
|
+
author = "@tylabs"
|
|
729
|
+
sigtype = "pdfexaminer_shellcode"
|
|
730
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
731
|
+
desc = "shellcode.hash _lcreat"
|
|
732
|
+
mitre = "T1106"
|
|
733
|
+
strings:
|
|
734
|
+
$h_raw = "ea498ae8" nocase
|
|
735
|
+
$h_hex = { ea498ae8 }
|
|
736
|
+
condition:
|
|
737
|
+
filesize < 1MB and any of them
|
|
738
738
|
}
|
|
739
739
|
|
|
740
740
|
|
|
741
741
|
rule shellcode_hash__LoadLibraryA {
|
|
742
|
-
|
|
743
|
-
|
|
744
|
-
|
|
745
|
-
|
|
746
|
-
|
|
747
|
-
|
|
748
|
-
|
|
749
|
-
|
|
750
|
-
|
|
751
|
-
|
|
752
|
-
|
|
753
|
-
|
|
754
|
-
|
|
755
|
-
|
|
756
|
-
|
|
757
|
-
|
|
758
|
-
|
|
742
|
+
meta:
|
|
743
|
+
is_exploit = false
|
|
744
|
+
is_feature = false
|
|
745
|
+
is_warning = true
|
|
746
|
+
rank = 2
|
|
747
|
+
revision = "1"
|
|
748
|
+
date = "June 07 2020"
|
|
749
|
+
author = "@tylabs"
|
|
750
|
+
sigtype = "pdfexaminer_shellcode"
|
|
751
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
752
|
+
desc = "shellcode.hash LoadLibraryA"
|
|
753
|
+
mitre = "T1129"
|
|
754
|
+
strings:
|
|
755
|
+
$h_raw = "8e4e0eec" nocase
|
|
756
|
+
$h_hex = { 8e4e0eec }
|
|
757
|
+
condition:
|
|
758
|
+
filesize < 1MB and any of them
|
|
759
759
|
}
|
|
760
760
|
|
|
761
761
|
|
|
762
762
|
rule shellcode_hash___lwrite {
|
|
763
|
-
|
|
764
|
-
|
|
765
|
-
|
|
766
|
-
|
|
767
|
-
|
|
768
|
-
|
|
769
|
-
|
|
770
|
-
|
|
771
|
-
|
|
772
|
-
|
|
773
|
-
|
|
774
|
-
|
|
775
|
-
|
|
776
|
-
|
|
777
|
-
|
|
778
|
-
|
|
779
|
-
|
|
763
|
+
meta:
|
|
764
|
+
is_exploit = false
|
|
765
|
+
is_feature = false
|
|
766
|
+
is_warning = true
|
|
767
|
+
rank = 2
|
|
768
|
+
revision = "1"
|
|
769
|
+
date = "June 07 2020"
|
|
770
|
+
author = "@tylabs"
|
|
771
|
+
sigtype = "pdfexaminer_shellcode"
|
|
772
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
773
|
+
desc = "shellcode.hash _lwrite"
|
|
774
|
+
mitre = "T1106"
|
|
775
|
+
strings:
|
|
776
|
+
$h_raw = "db8a23e9" nocase
|
|
777
|
+
$h_hex = { db8a23e9 }
|
|
778
|
+
condition:
|
|
779
|
+
filesize < 1MB and any of them
|
|
780
780
|
}
|
|
781
781
|
|
|
782
782
|
|
|
783
783
|
rule shellcode_hash__SetUnhandledExceptionFilter {
|
|
784
|
-
|
|
785
|
-
|
|
786
|
-
|
|
787
|
-
|
|
788
|
-
|
|
789
|
-
|
|
790
|
-
|
|
791
|
-
|
|
792
|
-
|
|
793
|
-
|
|
794
|
-
|
|
795
|
-
|
|
796
|
-
|
|
797
|
-
|
|
798
|
-
|
|
799
|
-
|
|
800
|
-
|
|
784
|
+
meta:
|
|
785
|
+
is_exploit = false
|
|
786
|
+
is_feature = false
|
|
787
|
+
is_warning = true
|
|
788
|
+
rank = 2
|
|
789
|
+
revision = "1"
|
|
790
|
+
date = "June 07 2020"
|
|
791
|
+
author = "@tylabs"
|
|
792
|
+
sigtype = "pdfexaminer_shellcode"
|
|
793
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
794
|
+
desc = "shellcode.hash SetUnhandledExceptionFilter"
|
|
795
|
+
mitre = "T1106"
|
|
796
|
+
strings:
|
|
797
|
+
$h_raw = "f08a045f" nocase
|
|
798
|
+
$h_hex = { f08a045f }
|
|
799
|
+
condition:
|
|
800
|
+
filesize < 1MB and any of them
|
|
801
801
|
}
|
|
802
802
|
|
|
803
803
|
|
|
804
804
|
rule shellcode_hash__WaitForSingleObject {
|
|
805
|
-
|
|
806
|
-
|
|
807
|
-
|
|
808
|
-
|
|
809
|
-
|
|
810
|
-
|
|
811
|
-
|
|
812
|
-
|
|
813
|
-
|
|
814
|
-
|
|
815
|
-
|
|
816
|
-
|
|
817
|
-
|
|
818
|
-
|
|
819
|
-
|
|
820
|
-
|
|
821
|
-
|
|
805
|
+
meta:
|
|
806
|
+
is_exploit = false
|
|
807
|
+
is_feature = false
|
|
808
|
+
is_warning = true
|
|
809
|
+
rank = 2
|
|
810
|
+
revision = "1"
|
|
811
|
+
date = "June 07 2020"
|
|
812
|
+
author = "@tylabs"
|
|
813
|
+
sigtype = "pdfexaminer_shellcode"
|
|
814
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
815
|
+
desc = "shellcode.hash WaitForSingleObject"
|
|
816
|
+
mitre = "T1106"
|
|
817
|
+
strings:
|
|
818
|
+
$h_raw = "add905ce" nocase
|
|
819
|
+
$h_hex = { add905ce }
|
|
820
|
+
condition:
|
|
821
|
+
filesize < 1MB and any of them
|
|
822
822
|
}
|
|
823
823
|
|
|
824
824
|
|
|
825
825
|
rule shellcode_hash__WinExec {
|
|
826
|
-
|
|
827
|
-
|
|
828
|
-
|
|
829
|
-
|
|
830
|
-
|
|
831
|
-
|
|
832
|
-
|
|
833
|
-
|
|
834
|
-
|
|
835
|
-
|
|
836
|
-
|
|
837
|
-
|
|
838
|
-
|
|
839
|
-
|
|
840
|
-
|
|
841
|
-
|
|
842
|
-
|
|
826
|
+
meta:
|
|
827
|
+
is_exploit = false
|
|
828
|
+
is_feature = false
|
|
829
|
+
is_warning = true
|
|
830
|
+
rank = 2
|
|
831
|
+
revision = "1"
|
|
832
|
+
date = "June 07 2020"
|
|
833
|
+
author = "@tylabs"
|
|
834
|
+
sigtype = "pdfexaminer_shellcode"
|
|
835
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
836
|
+
desc = "shellcode.hash WinExec"
|
|
837
|
+
mitre = "T1059.003"
|
|
838
|
+
strings:
|
|
839
|
+
$h_raw = "98fe8a0e" nocase
|
|
840
|
+
$h_hex = { 98fe8a0e }
|
|
841
|
+
condition:
|
|
842
|
+
filesize < 1MB and any of them
|
|
843
843
|
}
|
|
844
844
|
|
|
845
845
|
|
|
846
846
|
rule shellcode_hash__WriteFile {
|
|
847
|
-
|
|
848
|
-
|
|
849
|
-
|
|
850
|
-
|
|
851
|
-
|
|
852
|
-
|
|
853
|
-
|
|
854
|
-
|
|
855
|
-
|
|
856
|
-
|
|
857
|
-
|
|
858
|
-
|
|
859
|
-
|
|
860
|
-
|
|
861
|
-
|
|
862
|
-
|
|
863
|
-
|
|
847
|
+
meta:
|
|
848
|
+
is_exploit = false
|
|
849
|
+
is_feature = false
|
|
850
|
+
is_warning = true
|
|
851
|
+
rank = 2
|
|
852
|
+
revision = "1"
|
|
853
|
+
date = "June 07 2020"
|
|
854
|
+
author = "@tylabs"
|
|
855
|
+
sigtype = "pdfexaminer_shellcode"
|
|
856
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
857
|
+
desc = "shellcode.hash WriteFile"
|
|
858
|
+
mitre = "T1059"
|
|
859
|
+
strings:
|
|
860
|
+
$h_raw = "1f790ae8" nocase
|
|
861
|
+
$h_hex = { 1f790ae8 }
|
|
862
|
+
condition:
|
|
863
|
+
filesize < 1MB and any of them
|
|
864
864
|
}
|
|
865
865
|
|
|
866
866
|
|
|
867
867
|
rule shellcode_hash__accept {
|
|
868
|
-
|
|
869
|
-
|
|
870
|
-
|
|
871
|
-
|
|
872
|
-
|
|
873
|
-
|
|
874
|
-
|
|
875
|
-
|
|
876
|
-
|
|
877
|
-
|
|
878
|
-
|
|
879
|
-
|
|
880
|
-
|
|
881
|
-
|
|
882
|
-
|
|
883
|
-
|
|
884
|
-
|
|
868
|
+
meta:
|
|
869
|
+
is_exploit = false
|
|
870
|
+
is_feature = false
|
|
871
|
+
is_warning = true
|
|
872
|
+
rank = 2
|
|
873
|
+
revision = "1"
|
|
874
|
+
date = "June 07 2020"
|
|
875
|
+
author = "@tylabs"
|
|
876
|
+
sigtype = "pdfexaminer_shellcode"
|
|
877
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
878
|
+
desc = "shellcode.hash accept"
|
|
879
|
+
mitre = "T1106"
|
|
880
|
+
strings:
|
|
881
|
+
$h_raw = "e5498649" nocase
|
|
882
|
+
$h_hex = { e5498649 }
|
|
883
|
+
condition:
|
|
884
|
+
filesize < 1MB and any of them
|
|
885
885
|
}
|
|
886
886
|
|
|
887
887
|
|
|
888
888
|
rule shellcode_hash__bind {
|
|
889
|
-
|
|
890
|
-
|
|
891
|
-
|
|
892
|
-
|
|
893
|
-
|
|
894
|
-
|
|
895
|
-
|
|
896
|
-
|
|
897
|
-
|
|
898
|
-
|
|
899
|
-
|
|
900
|
-
|
|
901
|
-
|
|
902
|
-
|
|
903
|
-
|
|
904
|
-
|
|
905
|
-
|
|
889
|
+
meta:
|
|
890
|
+
is_exploit = false
|
|
891
|
+
is_feature = false
|
|
892
|
+
is_warning = true
|
|
893
|
+
rank = 2
|
|
894
|
+
revision = "1"
|
|
895
|
+
date = "June 07 2020"
|
|
896
|
+
author = "@tylabs"
|
|
897
|
+
sigtype = "pdfexaminer_shellcode"
|
|
898
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
899
|
+
desc = "shellcode.hash bind"
|
|
900
|
+
mitre = "T1106"
|
|
901
|
+
strings:
|
|
902
|
+
$h_raw = "a41a70c7" nocase
|
|
903
|
+
$h_hex = { a41a70c7 }
|
|
904
|
+
condition:
|
|
905
|
+
filesize < 1MB and any of them
|
|
906
906
|
}
|
|
907
907
|
|
|
908
908
|
|
|
909
909
|
rule shellcode_hash__closesocket {
|
|
910
|
-
|
|
911
|
-
|
|
912
|
-
|
|
913
|
-
|
|
914
|
-
|
|
915
|
-
|
|
916
|
-
|
|
917
|
-
|
|
918
|
-
|
|
919
|
-
|
|
920
|
-
|
|
921
|
-
|
|
922
|
-
|
|
923
|
-
|
|
924
|
-
|
|
925
|
-
|
|
926
|
-
|
|
910
|
+
meta:
|
|
911
|
+
is_exploit = false
|
|
912
|
+
is_feature = false
|
|
913
|
+
is_warning = true
|
|
914
|
+
rank = 2
|
|
915
|
+
revision = "1"
|
|
916
|
+
date = "June 07 2020"
|
|
917
|
+
author = "@tylabs"
|
|
918
|
+
sigtype = "pdfexaminer_shellcode"
|
|
919
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
920
|
+
desc = "shellcode.hash closesocket"
|
|
921
|
+
mitre = "T1106"
|
|
922
|
+
strings:
|
|
923
|
+
$h_raw = "e779c679" nocase
|
|
924
|
+
$h_hex = { e779c679 }
|
|
925
|
+
condition:
|
|
926
|
+
filesize < 1MB and any of them
|
|
927
927
|
}
|
|
928
928
|
|
|
929
929
|
|
|
930
930
|
rule shellcode_hash__connect {
|
|
931
|
-
|
|
932
|
-
|
|
933
|
-
|
|
934
|
-
|
|
935
|
-
|
|
936
|
-
|
|
937
|
-
|
|
938
|
-
|
|
939
|
-
|
|
940
|
-
|
|
941
|
-
|
|
942
|
-
|
|
943
|
-
|
|
944
|
-
|
|
945
|
-
|
|
946
|
-
|
|
947
|
-
|
|
931
|
+
meta:
|
|
932
|
+
is_exploit = false
|
|
933
|
+
is_feature = false
|
|
934
|
+
is_warning = true
|
|
935
|
+
rank = 2
|
|
936
|
+
revision = "1"
|
|
937
|
+
date = "June 07 2020"
|
|
938
|
+
author = "@tylabs"
|
|
939
|
+
sigtype = "pdfexaminer_shellcode"
|
|
940
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
941
|
+
desc = "shellcode.hash connect"
|
|
942
|
+
mitre = "T1106"
|
|
943
|
+
strings:
|
|
944
|
+
$h_raw = "ecf9aa60" nocase
|
|
945
|
+
$h_hex = { ecf9aa60 }
|
|
946
|
+
condition:
|
|
947
|
+
filesize < 1MB and any of them
|
|
948
948
|
}
|
|
949
949
|
|
|
950
950
|
|
|
951
951
|
rule shellcode_hash__listen {
|
|
952
|
-
|
|
953
|
-
|
|
954
|
-
|
|
955
|
-
|
|
956
|
-
|
|
957
|
-
|
|
958
|
-
|
|
959
|
-
|
|
960
|
-
|
|
961
|
-
|
|
962
|
-
|
|
963
|
-
|
|
964
|
-
|
|
965
|
-
|
|
966
|
-
|
|
967
|
-
|
|
968
|
-
|
|
952
|
+
meta:
|
|
953
|
+
is_exploit = false
|
|
954
|
+
is_feature = false
|
|
955
|
+
is_warning = true
|
|
956
|
+
rank = 2
|
|
957
|
+
revision = "1"
|
|
958
|
+
date = "June 07 2020"
|
|
959
|
+
author = "@tylabs"
|
|
960
|
+
sigtype = "pdfexaminer_shellcode"
|
|
961
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
962
|
+
desc = "shellcode.hash listen"
|
|
963
|
+
mitre = "T1106"
|
|
964
|
+
strings:
|
|
965
|
+
$h_raw = "a4ad2ee9" nocase
|
|
966
|
+
$h_hex = { a4ad2ee9 }
|
|
967
|
+
condition:
|
|
968
|
+
filesize < 1MB and any of them
|
|
969
969
|
}
|
|
970
970
|
|
|
971
971
|
|
|
972
972
|
rule shellcode_hash__recv {
|
|
973
|
-
|
|
974
|
-
|
|
975
|
-
|
|
976
|
-
|
|
977
|
-
|
|
978
|
-
|
|
979
|
-
|
|
980
|
-
|
|
981
|
-
|
|
982
|
-
|
|
983
|
-
|
|
984
|
-
|
|
985
|
-
|
|
986
|
-
|
|
987
|
-
|
|
988
|
-
|
|
989
|
-
|
|
973
|
+
meta:
|
|
974
|
+
is_exploit = false
|
|
975
|
+
is_feature = false
|
|
976
|
+
is_warning = true
|
|
977
|
+
rank = 2
|
|
978
|
+
revision = "1"
|
|
979
|
+
date = "June 07 2020"
|
|
980
|
+
author = "@tylabs"
|
|
981
|
+
sigtype = "pdfexaminer_shellcode"
|
|
982
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
983
|
+
desc = "shellcode.hash recv"
|
|
984
|
+
mitre = "T1106"
|
|
985
|
+
strings:
|
|
986
|
+
$h_raw = "b61918e7" nocase
|
|
987
|
+
$h_hex = { b61918e7 }
|
|
988
|
+
condition:
|
|
989
|
+
filesize < 1MB and any of them
|
|
990
990
|
}
|
|
991
991
|
|
|
992
992
|
|
|
993
993
|
rule shellcode_hash__send {
|
|
994
|
-
|
|
995
|
-
|
|
996
|
-
|
|
997
|
-
|
|
998
|
-
|
|
999
|
-
|
|
1000
|
-
|
|
1001
|
-
|
|
1002
|
-
|
|
1003
|
-
|
|
1004
|
-
|
|
1005
|
-
|
|
1006
|
-
|
|
1007
|
-
|
|
1008
|
-
|
|
1009
|
-
|
|
1010
|
-
|
|
994
|
+
meta:
|
|
995
|
+
is_exploit = false
|
|
996
|
+
is_feature = false
|
|
997
|
+
is_warning = true
|
|
998
|
+
rank = 2
|
|
999
|
+
revision = "1"
|
|
1000
|
+
date = "June 07 2020"
|
|
1001
|
+
author = "@tylabs"
|
|
1002
|
+
sigtype = "pdfexaminer_shellcode"
|
|
1003
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1004
|
+
desc = "shellcode.hash send"
|
|
1005
|
+
mitre = "T1106"
|
|
1006
|
+
strings:
|
|
1007
|
+
$h_raw = "a41970e9" nocase
|
|
1008
|
+
$h_hex = { a41970e9 }
|
|
1009
|
+
condition:
|
|
1010
|
+
filesize < 1MB and any of them
|
|
1011
1011
|
}
|
|
1012
1012
|
|
|
1013
1013
|
|
|
1014
1014
|
rule shellcode_hash__socket {
|
|
1015
|
-
|
|
1016
|
-
|
|
1017
|
-
|
|
1018
|
-
|
|
1019
|
-
|
|
1020
|
-
|
|
1021
|
-
|
|
1022
|
-
|
|
1023
|
-
|
|
1024
|
-
|
|
1025
|
-
|
|
1026
|
-
|
|
1027
|
-
|
|
1028
|
-
|
|
1029
|
-
|
|
1030
|
-
|
|
1031
|
-
|
|
1015
|
+
meta:
|
|
1016
|
+
is_exploit = false
|
|
1017
|
+
is_feature = false
|
|
1018
|
+
is_warning = true
|
|
1019
|
+
rank = 2
|
|
1020
|
+
revision = "1"
|
|
1021
|
+
date = "June 07 2020"
|
|
1022
|
+
author = "@tylabs"
|
|
1023
|
+
sigtype = "pdfexaminer_shellcode"
|
|
1024
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1025
|
+
desc = "shellcode.hash socket"
|
|
1026
|
+
mitre = "T1106"
|
|
1027
|
+
strings:
|
|
1028
|
+
$h_raw = "6e0b2f49" nocase
|
|
1029
|
+
$h_hex = { 6e0b2f49 }
|
|
1030
|
+
condition:
|
|
1031
|
+
filesize < 1MB and any of them
|
|
1032
1032
|
}
|
|
1033
1033
|
|
|
1034
1034
|
|
|
1035
1035
|
rule shellcode_hash__WSASocketA {
|
|
1036
|
-
|
|
1037
|
-
|
|
1038
|
-
|
|
1039
|
-
|
|
1040
|
-
|
|
1041
|
-
|
|
1042
|
-
|
|
1043
|
-
|
|
1044
|
-
|
|
1045
|
-
|
|
1046
|
-
|
|
1047
|
-
|
|
1048
|
-
|
|
1049
|
-
|
|
1050
|
-
|
|
1051
|
-
|
|
1052
|
-
|
|
1036
|
+
meta:
|
|
1037
|
+
is_exploit = false
|
|
1038
|
+
is_feature = false
|
|
1039
|
+
is_warning = true
|
|
1040
|
+
rank = 2
|
|
1041
|
+
revision = "1"
|
|
1042
|
+
date = "June 07 2020"
|
|
1043
|
+
author = "@tylabs"
|
|
1044
|
+
sigtype = "pdfexaminer_shellcode"
|
|
1045
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1046
|
+
desc = "shellcode.hash WSASocketA"
|
|
1047
|
+
mitre = "T1106"
|
|
1048
|
+
strings:
|
|
1049
|
+
$h_raw = "d909f5ad" nocase
|
|
1050
|
+
$h_hex = { d909f5ad }
|
|
1051
|
+
condition:
|
|
1052
|
+
filesize < 1MB and any of them
|
|
1053
1053
|
}
|
|
1054
1054
|
|
|
1055
1055
|
|
|
1056
1056
|
rule shellcode_hash__WSAStartup {
|
|
1057
|
-
|
|
1058
|
-
|
|
1059
|
-
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1065
|
-
|
|
1066
|
-
|
|
1067
|
-
|
|
1068
|
-
|
|
1069
|
-
|
|
1070
|
-
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
1057
|
+
meta:
|
|
1058
|
+
is_exploit = false
|
|
1059
|
+
is_feature = false
|
|
1060
|
+
is_warning = true
|
|
1061
|
+
rank = 2
|
|
1062
|
+
revision = "1"
|
|
1063
|
+
date = "June 07 2020"
|
|
1064
|
+
author = "@tylabs"
|
|
1065
|
+
sigtype = "pdfexaminer_shellcode"
|
|
1066
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1067
|
+
desc = "shellcode.hash WSAStartup"
|
|
1068
|
+
mitre = "T1106"
|
|
1069
|
+
strings:
|
|
1070
|
+
$h_raw = "cbedfc3b" nocase
|
|
1071
|
+
$h_hex = { cbedfc3b }
|
|
1072
|
+
condition:
|
|
1073
|
+
filesize < 1MB and any of them
|
|
1074
1074
|
}
|
|
1075
1075
|
|
|
1076
1076
|
|
|
1077
1077
|
rule shellcode_hash__URLDownloadToFileA {
|
|
1078
|
-
|
|
1079
|
-
|
|
1080
|
-
|
|
1081
|
-
|
|
1082
|
-
|
|
1083
|
-
|
|
1084
|
-
|
|
1085
|
-
|
|
1086
|
-
|
|
1087
|
-
|
|
1088
|
-
|
|
1089
|
-
|
|
1090
|
-
|
|
1091
|
-
|
|
1092
|
-
|
|
1093
|
-
|
|
1094
|
-
|
|
1078
|
+
meta:
|
|
1079
|
+
is_exploit = false
|
|
1080
|
+
is_feature = false
|
|
1081
|
+
is_warning = true
|
|
1082
|
+
rank = 2
|
|
1083
|
+
revision = "1"
|
|
1084
|
+
date = "June 07 2020"
|
|
1085
|
+
author = "@tylabs"
|
|
1086
|
+
sigtype = "pdfexaminer_shellcode"
|
|
1087
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1088
|
+
desc = "shellcode.hash URLDownloadToFileA"
|
|
1089
|
+
mitre = "T1106"
|
|
1090
|
+
strings:
|
|
1091
|
+
$h_raw = "361a2f70" nocase
|
|
1092
|
+
$h_hex = { 361a2f70 }
|
|
1093
|
+
condition:
|
|
1094
|
+
filesize < 1MB and any of them
|
|
1095
1095
|
}
|
|
1096
1096
|
|
|
1097
1097
|
|
|
1098
1098
|
rule suspicious_shellcode_NOP_Sled {
|
|
1099
|
-
|
|
1100
|
-
|
|
1101
|
-
|
|
1102
|
-
|
|
1103
|
-
|
|
1104
|
-
|
|
1105
|
-
|
|
1106
|
-
|
|
1107
|
-
|
|
1108
|
-
|
|
1109
|
-
|
|
1110
|
-
|
|
1111
|
-
|
|
1112
|
-
|
|
1113
|
-
|
|
1114
|
-
|
|
1115
|
-
|
|
1099
|
+
meta:
|
|
1100
|
+
is_exploit = false
|
|
1101
|
+
is_feature = false
|
|
1102
|
+
is_warning = true
|
|
1103
|
+
rank = 2
|
|
1104
|
+
revision = "1"
|
|
1105
|
+
date = "June 07 2020"
|
|
1106
|
+
author = "@tylabs"
|
|
1107
|
+
sigtype = "pdfexaminer_shellcode"
|
|
1108
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1109
|
+
desc = "suspicious.shellcode NOP Sled"
|
|
1110
|
+
mitre = "T1106"
|
|
1111
|
+
strings:
|
|
1112
|
+
$h_raw = "9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090" nocase
|
|
1113
|
+
$h_hex = { 9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090 }
|
|
1114
|
+
condition:
|
|
1115
|
+
filesize < 1MB and any of them
|
|
1116
1116
|
}
|
|
1117
1117
|
|
|
1118
1118
|
|
|
1119
1119
|
rule suspicious_obfuscation_using_unescape {
|
|
1120
|
-
|
|
1121
|
-
|
|
1122
|
-
|
|
1123
|
-
|
|
1124
|
-
|
|
1125
|
-
|
|
1126
|
-
|
|
1127
|
-
|
|
1128
|
-
|
|
1129
|
-
|
|
1130
|
-
|
|
1131
|
-
|
|
1132
|
-
|
|
1133
|
-
|
|
1134
|
-
|
|
1135
|
-
|
|
1136
|
-
|
|
1137
|
-
|
|
1138
|
-
|
|
1139
|
-
|
|
1140
|
-
|
|
1141
|
-
|
|
1120
|
+
meta:
|
|
1121
|
+
is_exploit = false
|
|
1122
|
+
is_feature = false
|
|
1123
|
+
is_warning = true
|
|
1124
|
+
rank = 1
|
|
1125
|
+
revision = "1"
|
|
1126
|
+
date = "June 07 2020"
|
|
1127
|
+
author = "@tylabs"
|
|
1128
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1129
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1130
|
+
desc = "suspicious.obfuscation using unescape"
|
|
1131
|
+
mitre = "T1027"
|
|
1132
|
+
strings:
|
|
1133
|
+
$h_reg1 = /une(.{0,6}?)sca(.{0,6}?)pe([^\)]{0,6}?)\(/
|
|
1134
|
+
$h_reg2 = /un(.{0,6}?)esc(.{0,6}?)ape([^\)]{0,6}?)\(/
|
|
1135
|
+
$h_reg3 = /unesc([\W]{0,6}?)ape/
|
|
1136
|
+
//$h_reg4 = /u([\W]{0,6}?)n([\W]{0,6}?)e([\W]{0,6}?)s([\W]{0,6}?)c([\W]{0,6}?)a([\W]{0,6}?)p([\W]{0,6}?)e/
|
|
1137
|
+
$h_reg5 = /unescape([^\)]{0,6}?)\(/
|
|
1138
|
+
$h_raw6 = "\"u\",\"s\",\"p\",\"c\",\"n\",\"e\",\"a\"," nocase
|
|
1139
|
+
$h_raw7 = "\"s\",\"n\",\"a\",\"e\",\"c\",\"u\",\"e\",\"p\"" nocase
|
|
1140
|
+
condition:
|
|
1141
|
+
any of them
|
|
1142
1142
|
}
|
|
1143
1143
|
|
|
1144
1144
|
/*
|
|
1145
1145
|
rule suspicious_obfuscation_using_charCodeAt {
|
|
1146
|
-
|
|
1147
|
-
|
|
1148
|
-
|
|
1149
|
-
|
|
1150
|
-
|
|
1151
|
-
|
|
1152
|
-
|
|
1153
|
-
|
|
1154
|
-
|
|
1155
|
-
|
|
1156
|
-
|
|
1157
|
-
|
|
1158
|
-
|
|
1159
|
-
|
|
1160
|
-
|
|
1161
|
-
|
|
1146
|
+
meta:
|
|
1147
|
+
is_exploit = false
|
|
1148
|
+
is_feature = false
|
|
1149
|
+
is_warning = true
|
|
1150
|
+
rank = 1
|
|
1151
|
+
revision = "1"
|
|
1152
|
+
date = "June 07 2020"
|
|
1153
|
+
author = "@tylabs"
|
|
1154
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1155
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1156
|
+
desc = "suspicious.obfuscation using charCodeAt"
|
|
1157
|
+
mitre = "T1027"
|
|
1158
|
+
strings:
|
|
1159
|
+
$h_reg1 = /c([\W]{0,4}?)h([\W]{0,4}?)a([\W]{0,4}?)r([\W]{0,4}?)C([\W]{0,3}?)o([\W]{0,3}?)d([\W]{0,3}?)e([\W]{0,3}?)A(.{0,3}?)t/
|
|
1160
|
+
condition:
|
|
1161
|
+
any of them
|
|
1162
1162
|
}*/
|
|
1163
1163
|
|
|
1164
1164
|
|
|
1165
1165
|
rule suspicious_string_nopblock {
|
|
1166
|
-
|
|
1167
|
-
|
|
1168
|
-
|
|
1169
|
-
|
|
1170
|
-
|
|
1171
|
-
|
|
1172
|
-
|
|
1173
|
-
|
|
1174
|
-
|
|
1175
|
-
|
|
1176
|
-
|
|
1177
|
-
|
|
1178
|
-
|
|
1179
|
-
|
|
1180
|
-
|
|
1166
|
+
meta:
|
|
1167
|
+
is_exploit = false
|
|
1168
|
+
is_feature = false
|
|
1169
|
+
is_warning = true
|
|
1170
|
+
rank = 1
|
|
1171
|
+
revision = "1"
|
|
1172
|
+
date = "June 07 2020"
|
|
1173
|
+
author = "@tylabs"
|
|
1174
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1175
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1176
|
+
desc = "suspicious.string nopblock"
|
|
1177
|
+
mitre = "T1027"
|
|
1178
|
+
strings:
|
|
1179
|
+
$h_raw1 = "nopblock" nocase
|
|
1180
|
+
condition:
|
|
1181
1181
|
filesize < 1MB and any of them
|
|
1182
1182
|
}
|
|
1183
1183
|
|
|
1184
1184
|
|
|
1185
1185
|
rule suspicious_obfuscation_using_eval {
|
|
1186
|
-
|
|
1187
|
-
|
|
1188
|
-
|
|
1189
|
-
|
|
1190
|
-
|
|
1191
|
-
|
|
1192
|
-
|
|
1193
|
-
|
|
1194
|
-
|
|
1195
|
-
|
|
1196
|
-
|
|
1197
|
-
|
|
1198
|
-
|
|
1199
|
-
|
|
1200
|
-
|
|
1201
|
-
|
|
1202
|
-
|
|
1203
|
-
|
|
1204
|
-
|
|
1205
|
-
|
|
1206
|
-
|
|
1186
|
+
meta:
|
|
1187
|
+
is_exploit = false
|
|
1188
|
+
is_feature = false
|
|
1189
|
+
is_warning = true
|
|
1190
|
+
rank = 1
|
|
1191
|
+
revision = "1"
|
|
1192
|
+
date = "June 07 2020"
|
|
1193
|
+
author = "@tylabs"
|
|
1194
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1195
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1196
|
+
desc = "suspicious.obfuscation using eval"
|
|
1197
|
+
mitre = "T1027"
|
|
1198
|
+
strings:
|
|
1199
|
+
$h_reg1 = /eval(\s{0,3}?)\(/
|
|
1200
|
+
$h_raw2 = "eval\\" nocase
|
|
1201
|
+
$h_raw3 = "eval," nocase
|
|
1202
|
+
$h_reg4 = /'e'(.{1,30}?)'va'(.{1,3}?)'l/
|
|
1203
|
+
$h_raw5 = "\"l\",\"v\",\"e\",\"a\"" nocase
|
|
1204
|
+
$h_raw6 = "\"e\",\"l\",\"a\",\"v\"" nocase
|
|
1205
|
+
$h_reg7 = /=(\s{0,6}?)eval/
|
|
1206
|
+
condition:
|
|
1207
1207
|
any of them
|
|
1208
1208
|
}
|
|
1209
1209
|
|
|
1210
1210
|
|
|
1211
1211
|
rule suspicious_javascript_object {
|
|
1212
|
-
|
|
1213
|
-
|
|
1214
|
-
|
|
1215
|
-
|
|
1216
|
-
|
|
1217
|
-
|
|
1218
|
-
|
|
1219
|
-
|
|
1220
|
-
|
|
1221
|
-
|
|
1222
|
-
|
|
1223
|
-
|
|
1224
|
-
|
|
1225
|
-
|
|
1226
|
-
|
|
1227
|
-
|
|
1228
|
-
|
|
1212
|
+
meta:
|
|
1213
|
+
is_exploit = false
|
|
1214
|
+
is_feature = false
|
|
1215
|
+
is_warning = true
|
|
1216
|
+
rank = 1
|
|
1217
|
+
revision = "1"
|
|
1218
|
+
date = "June 07 2020"
|
|
1219
|
+
author = "@tylabs"
|
|
1220
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1221
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1222
|
+
desc = "suspicious.javascript object"
|
|
1223
|
+
mitre = "T1027 T1059.007"
|
|
1224
|
+
strings:
|
|
1225
|
+
$h_raw1 = "/JavaScript" nocase
|
|
1226
|
+
$h_raw2 = "/JS "
|
|
1227
|
+
condition:
|
|
1228
|
+
any of them
|
|
1229
1229
|
}
|
|
1230
1230
|
|
|
1231
1231
|
|
|
1232
1232
|
rule suspicious_javascript_in_XFA_block {
|
|
1233
|
-
|
|
1234
|
-
|
|
1235
|
-
|
|
1236
|
-
|
|
1237
|
-
|
|
1238
|
-
|
|
1239
|
-
|
|
1240
|
-
|
|
1241
|
-
|
|
1242
|
-
|
|
1243
|
-
|
|
1244
|
-
|
|
1245
|
-
|
|
1246
|
-
|
|
1247
|
-
|
|
1248
|
-
|
|
1249
|
-
|
|
1250
|
-
|
|
1233
|
+
meta:
|
|
1234
|
+
is_exploit = false
|
|
1235
|
+
is_feature = false
|
|
1236
|
+
is_warning = true
|
|
1237
|
+
rank = 1
|
|
1238
|
+
revision = "1"
|
|
1239
|
+
date = "June 07 2020"
|
|
1240
|
+
author = "@tylabs"
|
|
1241
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1242
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1243
|
+
desc = "suspicious.javascript in XFA block"
|
|
1244
|
+
mitre = "T1027 T1059.007"
|
|
1245
|
+
strings:
|
|
1246
|
+
$h_raw1 = "application/x-javascript" nocase
|
|
1247
|
+
$h_raw2 = "application#2Fx-javascript" nocase
|
|
1248
|
+
//$h_reg3 = /(\&\#0*97;|a)(\&\#0*112;|p)(\&\#0*112;|p)(\&\#0*108;|l)(\&\#0*105;|i)(\&\#0*99;|c)(\&\#0*97;|a)(\&\#0*116;|t)(\&\#0*105;|i)(\&\#0*111;|o)(\&\#0*110;|n)(\&\#0*47;|\/)(\&\#0*120;|x)(\&\#0*45;|\-)(\&\#0*106;|j)(\&\#0*97;|a)(\&\#0*76;|v)(\&\#0*97;|a)(\&\#0*115;|s)(\&\#0*99;|c)(\&\#0*114;|r)(\&\#0*105;|i)(\&\#0*112;|p)(\&\#0*116;|t)/
|
|
1249
|
+
condition:
|
|
1250
|
+
any of them
|
|
1251
1251
|
}
|
|
1252
1252
|
|
|
1253
1253
|
|
|
1254
1254
|
rule suspicious_pdf_embedded_PDF_file {
|
|
1255
|
-
|
|
1256
|
-
|
|
1257
|
-
|
|
1258
|
-
|
|
1259
|
-
|
|
1260
|
-
|
|
1261
|
-
|
|
1262
|
-
|
|
1263
|
-
|
|
1264
|
-
|
|
1265
|
-
|
|
1266
|
-
|
|
1267
|
-
|
|
1268
|
-
|
|
1269
|
-
|
|
1270
|
-
|
|
1255
|
+
meta:
|
|
1256
|
+
is_exploit = false
|
|
1257
|
+
is_feature = false
|
|
1258
|
+
is_warning = true
|
|
1259
|
+
rank = 1
|
|
1260
|
+
revision = "1"
|
|
1261
|
+
date = "June 07 2020"
|
|
1262
|
+
author = "@tylabs"
|
|
1263
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1264
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1265
|
+
desc = "suspicious.pdf embedded PDF file"
|
|
1266
|
+
mitre = "T1204.002"
|
|
1267
|
+
strings:
|
|
1268
|
+
$h_raw1 = "application#2Fpdf" nocase
|
|
1269
|
+
condition:
|
|
1270
|
+
any of them
|
|
1271
1271
|
}
|
|
1272
1272
|
|
|
1273
1273
|
|
|
1274
1274
|
rule suspicious_obfuscation_toString {
|
|
1275
|
-
|
|
1276
|
-
|
|
1277
|
-
|
|
1278
|
-
|
|
1279
|
-
|
|
1280
|
-
|
|
1281
|
-
|
|
1282
|
-
|
|
1283
|
-
|
|
1284
|
-
|
|
1285
|
-
|
|
1286
|
-
|
|
1287
|
-
|
|
1288
|
-
|
|
1289
|
-
|
|
1275
|
+
meta:
|
|
1276
|
+
is_exploit = false
|
|
1277
|
+
is_feature = false
|
|
1278
|
+
is_warning = true
|
|
1279
|
+
rank = 1
|
|
1280
|
+
revision = "1"
|
|
1281
|
+
date = "June 07 2020"
|
|
1282
|
+
author = "@tylabs"
|
|
1283
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1284
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1285
|
+
desc = "suspicious.obfuscation toString"
|
|
1286
|
+
mitre = "T1027"
|
|
1287
|
+
strings:
|
|
1288
|
+
$h_raw1 = "toString(" nocase
|
|
1289
|
+
condition:
|
|
1290
|
+
filesize < 1MB and any of them
|
|
1290
1291
|
}
|
|
1291
1292
|
|
|
1292
1293
|
|
|
1293
1294
|
rule suspicious_obfuscation_using_substr {
|
|
1294
|
-
|
|
1295
|
-
|
|
1296
|
-
|
|
1297
|
-
|
|
1298
|
-
|
|
1299
|
-
|
|
1300
|
-
|
|
1301
|
-
|
|
1302
|
-
|
|
1303
|
-
|
|
1304
|
-
|
|
1305
|
-
|
|
1306
|
-
|
|
1307
|
-
|
|
1308
|
-
|
|
1295
|
+
meta:
|
|
1296
|
+
is_exploit = false
|
|
1297
|
+
is_feature = false
|
|
1298
|
+
is_warning = true
|
|
1299
|
+
rank = 1
|
|
1300
|
+
revision = "1"
|
|
1301
|
+
date = "June 07 2020"
|
|
1302
|
+
author = "@tylabs"
|
|
1303
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1304
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1305
|
+
desc = "suspicious.obfuscation using substr"
|
|
1306
|
+
mitre = "T1027"
|
|
1307
|
+
strings:
|
|
1308
|
+
$h_raw1 = "substr(" nocase
|
|
1309
|
+
condition:
|
|
1310
|
+
any of them
|
|
1309
1311
|
}
|
|
1310
1312
|
|
|
1311
1313
|
|
|
1312
1314
|
rule suspicious_obfuscation_using_String_replace {
|
|
1313
|
-
|
|
1314
|
-
|
|
1315
|
-
|
|
1316
|
-
|
|
1317
|
-
|
|
1318
|
-
|
|
1319
|
-
|
|
1320
|
-
|
|
1321
|
-
|
|
1322
|
-
|
|
1323
|
-
|
|
1324
|
-
|
|
1325
|
-
|
|
1326
|
-
|
|
1327
|
-
|
|
1328
|
-
|
|
1315
|
+
meta:
|
|
1316
|
+
is_exploit = false
|
|
1317
|
+
is_feature = false
|
|
1318
|
+
is_warning = true
|
|
1319
|
+
rank = 1
|
|
1320
|
+
revision = "1"
|
|
1321
|
+
date = "June 07 2020"
|
|
1322
|
+
author = "@tylabs"
|
|
1323
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1324
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1325
|
+
desc = "suspicious.obfuscation using String.replace"
|
|
1326
|
+
mitre = "T1027"
|
|
1327
|
+
strings:
|
|
1328
|
+
$h_reg1 = /'re'(.{1,24}?)'place'/
|
|
1329
|
+
$h_raw2 = ".replace" nocase
|
|
1330
|
+
condition:
|
|
1331
|
+
any of them
|
|
1329
1332
|
}
|
|
1330
1333
|
|
|
1331
1334
|
|
|
1332
1335
|
rule suspicious_obfuscation_using_String_fromCharCode {
|
|
1333
|
-
|
|
1334
|
-
|
|
1335
|
-
|
|
1336
|
-
|
|
1337
|
-
|
|
1338
|
-
|
|
1339
|
-
|
|
1340
|
-
|
|
1341
|
-
|
|
1342
|
-
|
|
1343
|
-
|
|
1344
|
-
|
|
1345
|
-
|
|
1346
|
-
|
|
1347
|
-
|
|
1348
|
-
|
|
1349
|
-
|
|
1350
|
-
|
|
1351
|
-
|
|
1336
|
+
meta:
|
|
1337
|
+
is_exploit = false
|
|
1338
|
+
is_feature = false
|
|
1339
|
+
is_warning = true
|
|
1340
|
+
rank = 1
|
|
1341
|
+
revision = "1"
|
|
1342
|
+
date = "June 07 2020"
|
|
1343
|
+
author = "@tylabs"
|
|
1344
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1345
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1346
|
+
desc = "suspicious.obfuscation using String.fromCharCode"
|
|
1347
|
+
mitre = "T1027"
|
|
1348
|
+
strings:
|
|
1349
|
+
$h_raw1 = "\"rCo\",\"t\",\"cha\",\"\",\"deA\"" nocase
|
|
1350
|
+
$h_raw2 = "\"deA\",\"cha\",\"rCo\",\"t\"" nocase
|
|
1351
|
+
$h_reg3 = /from([\W]{0,6}?)C([\W]{0,6}?)h([\W]{0,6}?)a(.{0,6}?)r(.{0,6}?)C(.{0,6}?)o([\W]{0,6}?)d([\W]{0,6}?)e/
|
|
1352
|
+
$h_raw4 = ".fromCharC" nocase
|
|
1353
|
+
condition:
|
|
1354
|
+
any of them
|
|
1352
1355
|
}
|
|
1353
1356
|
|
|
1354
1357
|
|
|
1355
1358
|
rule suspicious_obfuscation_using_substring {
|
|
1356
|
-
|
|
1357
|
-
|
|
1358
|
-
|
|
1359
|
-
|
|
1360
|
-
|
|
1361
|
-
|
|
1362
|
-
|
|
1363
|
-
|
|
1364
|
-
|
|
1365
|
-
|
|
1366
|
-
|
|
1367
|
-
|
|
1368
|
-
|
|
1369
|
-
|
|
1370
|
-
|
|
1359
|
+
meta:
|
|
1360
|
+
is_exploit = false
|
|
1361
|
+
is_feature = false
|
|
1362
|
+
is_warning = true
|
|
1363
|
+
rank = 1
|
|
1364
|
+
revision = "1"
|
|
1365
|
+
date = "June 07 2020"
|
|
1366
|
+
author = "@tylabs"
|
|
1367
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1368
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1369
|
+
desc = "suspicious.obfuscation using substring"
|
|
1370
|
+
mitre = "T1027"
|
|
1371
|
+
strings:
|
|
1372
|
+
$h_reg1 = /\.substring(\s{0,3}?)\(/
|
|
1373
|
+
condition:
|
|
1374
|
+
any of them
|
|
1371
1375
|
}
|
|
1372
1376
|
|
|
1373
1377
|
|
|
1374
1378
|
rule suspicious_obfuscation_using_util_byteToChar {
|
|
1375
|
-
|
|
1376
|
-
|
|
1377
|
-
|
|
1378
|
-
|
|
1379
|
-
|
|
1380
|
-
|
|
1381
|
-
|
|
1382
|
-
|
|
1383
|
-
|
|
1384
|
-
|
|
1385
|
-
|
|
1386
|
-
|
|
1387
|
-
|
|
1388
|
-
|
|
1389
|
-
|
|
1379
|
+
meta:
|
|
1380
|
+
is_exploit = false
|
|
1381
|
+
is_feature = false
|
|
1382
|
+
is_warning = true
|
|
1383
|
+
rank = 1
|
|
1384
|
+
revision = "1"
|
|
1385
|
+
date = "June 07 2020"
|
|
1386
|
+
author = "@tylabs"
|
|
1387
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1388
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1389
|
+
desc = "suspicious.obfuscation using util.byteToChar"
|
|
1390
|
+
mitre = "T1027"
|
|
1391
|
+
strings:
|
|
1392
|
+
$h_raw1 = "byteToChar" nocase
|
|
1393
|
+
condition:
|
|
1394
|
+
any of them
|
|
1390
1395
|
}
|
|
1391
1396
|
|
|
1392
1397
|
|
|
1393
1398
|
rule suspicious_string_Shellcode_NOP_sled {
|
|
1394
|
-
|
|
1395
|
-
|
|
1396
|
-
|
|
1397
|
-
|
|
1398
|
-
|
|
1399
|
-
|
|
1400
|
-
|
|
1401
|
-
|
|
1402
|
-
|
|
1403
|
-
|
|
1404
|
-
|
|
1405
|
-
|
|
1406
|
-
|
|
1407
|
-
|
|
1408
|
-
|
|
1399
|
+
meta:
|
|
1400
|
+
is_exploit = false
|
|
1401
|
+
is_feature = false
|
|
1402
|
+
is_warning = true
|
|
1403
|
+
rank = 1
|
|
1404
|
+
revision = "1"
|
|
1405
|
+
date = "June 07 2020"
|
|
1406
|
+
author = "@tylabs"
|
|
1407
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1408
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1409
|
+
desc = "suspicious.string Shellcode NOP sled"
|
|
1410
|
+
mitre = "T1027"
|
|
1411
|
+
strings:
|
|
1412
|
+
$h_raw1 = "%u9090" nocase
|
|
1413
|
+
condition:
|
|
1414
|
+
any of them
|
|
1409
1415
|
}
|
|
1410
1416
|
|
|
1411
1417
|
|
|
1412
1418
|
rule suspicious_string_heap_spray_shellcode {
|
|
1413
|
-
|
|
1414
|
-
|
|
1415
|
-
|
|
1416
|
-
|
|
1417
|
-
|
|
1418
|
-
|
|
1419
|
-
|
|
1420
|
-
|
|
1421
|
-
|
|
1422
|
-
|
|
1423
|
-
|
|
1424
|
-
|
|
1425
|
-
|
|
1426
|
-
|
|
1427
|
-
|
|
1428
|
-
|
|
1419
|
+
meta:
|
|
1420
|
+
is_exploit = false
|
|
1421
|
+
is_feature = false
|
|
1422
|
+
is_warning = true
|
|
1423
|
+
rank = 1
|
|
1424
|
+
revision = "1"
|
|
1425
|
+
date = "June 07 2020"
|
|
1426
|
+
author = "@tylabs"
|
|
1427
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1428
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1429
|
+
desc = "suspicious.string heap spray shellcode"
|
|
1430
|
+
mitre = "T1027"
|
|
1431
|
+
strings:
|
|
1432
|
+
$h_raw1 = "\"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\"" nocase
|
|
1433
|
+
condition:
|
|
1434
|
+
any of them
|
|
1429
1435
|
}
|
|
1430
1436
|
|
|
1431
1437
|
|
|
1432
1438
|
rule suspicious_string_shellcode {
|
|
1433
|
-
|
|
1434
|
-
|
|
1435
|
-
|
|
1436
|
-
|
|
1437
|
-
|
|
1438
|
-
|
|
1439
|
-
|
|
1440
|
-
|
|
1441
|
-
|
|
1442
|
-
|
|
1443
|
-
|
|
1444
|
-
|
|
1445
|
-
|
|
1446
|
-
|
|
1447
|
-
|
|
1439
|
+
meta:
|
|
1440
|
+
is_exploit = false
|
|
1441
|
+
is_feature = false
|
|
1442
|
+
is_warning = true
|
|
1443
|
+
rank = 1
|
|
1444
|
+
revision = "1"
|
|
1445
|
+
date = "June 07 2020"
|
|
1446
|
+
author = "@tylabs"
|
|
1447
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1448
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1449
|
+
desc = "suspicious.string shellcode"
|
|
1450
|
+
mitre = "T1027"
|
|
1451
|
+
strings:
|
|
1452
|
+
$h_raw1 = "%u4141%u4141" nocase
|
|
1453
|
+
condition:
|
|
1454
|
+
any of them
|
|
1448
1455
|
}
|
|
1449
1456
|
|
|
1450
1457
|
|
|
1451
1458
|
rule suspicious_string__Run_Sploit_ {
|
|
1452
|
-
|
|
1453
|
-
|
|
1454
|
-
|
|
1455
|
-
|
|
1456
|
-
|
|
1457
|
-
|
|
1458
|
-
|
|
1459
|
-
|
|
1460
|
-
|
|
1461
|
-
|
|
1462
|
-
|
|
1463
|
-
|
|
1464
|
-
|
|
1465
|
-
|
|
1466
|
-
|
|
1459
|
+
meta:
|
|
1460
|
+
is_exploit = false
|
|
1461
|
+
is_feature = false
|
|
1462
|
+
is_warning = true
|
|
1463
|
+
rank = 1
|
|
1464
|
+
revision = "1"
|
|
1465
|
+
date = "June 07 2020"
|
|
1466
|
+
author = "@tylabs"
|
|
1467
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1468
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1469
|
+
desc = "suspicious.string -Run_Sploit-"
|
|
1470
|
+
mitre = "T1027"
|
|
1471
|
+
strings:
|
|
1472
|
+
$h_raw1 = "Run_Sploit" nocase
|
|
1473
|
+
condition:
|
|
1474
|
+
any of them
|
|
1467
1475
|
}
|
|
1468
1476
|
|
|
1469
1477
|
|
|
1470
1478
|
rule suspicious_string__HeapSpray_ {
|
|
1471
|
-
|
|
1472
|
-
|
|
1473
|
-
|
|
1474
|
-
|
|
1475
|
-
|
|
1476
|
-
|
|
1477
|
-
|
|
1478
|
-
|
|
1479
|
-
|
|
1480
|
-
|
|
1481
|
-
|
|
1482
|
-
|
|
1483
|
-
|
|
1484
|
-
|
|
1485
|
-
|
|
1479
|
+
meta:
|
|
1480
|
+
is_exploit = false
|
|
1481
|
+
is_feature = false
|
|
1482
|
+
is_warning = true
|
|
1483
|
+
rank = 1
|
|
1484
|
+
revision = "1"
|
|
1485
|
+
date = "June 07 2020"
|
|
1486
|
+
author = "@tylabs"
|
|
1487
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1488
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1489
|
+
desc = "suspicious.string -HeapSpray-"
|
|
1490
|
+
mitre = "T1027"
|
|
1491
|
+
strings:
|
|
1492
|
+
$h_raw1 = "HeapSpray" nocase
|
|
1493
|
+
condition:
|
|
1494
|
+
any of them
|
|
1486
1495
|
}
|
|
1487
1496
|
|
|
1488
1497
|
|
|
1489
1498
|
rule suspicious_flash_writeMultiByte {
|
|
1490
|
-
|
|
1491
|
-
|
|
1492
|
-
|
|
1493
|
-
|
|
1494
|
-
|
|
1495
|
-
|
|
1496
|
-
|
|
1497
|
-
|
|
1498
|
-
|
|
1499
|
-
|
|
1500
|
-
|
|
1501
|
-
|
|
1502
|
-
|
|
1503
|
-
|
|
1504
|
-
|
|
1499
|
+
meta:
|
|
1500
|
+
is_exploit = false
|
|
1501
|
+
is_feature = false
|
|
1502
|
+
is_warning = true
|
|
1503
|
+
rank = 1
|
|
1504
|
+
revision = "1"
|
|
1505
|
+
date = "June 07 2020"
|
|
1506
|
+
author = "@tylabs"
|
|
1507
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1508
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1509
|
+
desc = "suspicious.flash writeMultiByte"
|
|
1510
|
+
mitre = "T1027"
|
|
1511
|
+
strings:
|
|
1512
|
+
$h_raw1 = "writeMultiByte" nocase
|
|
1513
|
+
condition:
|
|
1514
|
+
any of them
|
|
1505
1515
|
}
|
|
1506
1516
|
|
|
1507
1517
|
|
|
1508
1518
|
rule suspicious_flash_addFrameScript {
|
|
1509
|
-
|
|
1510
|
-
|
|
1511
|
-
|
|
1512
|
-
|
|
1513
|
-
|
|
1514
|
-
|
|
1515
|
-
|
|
1516
|
-
|
|
1517
|
-
|
|
1518
|
-
|
|
1519
|
-
|
|
1520
|
-
|
|
1521
|
-
|
|
1522
|
-
|
|
1523
|
-
|
|
1519
|
+
meta:
|
|
1520
|
+
is_exploit = false
|
|
1521
|
+
is_feature = false
|
|
1522
|
+
is_warning = true
|
|
1523
|
+
rank = 1
|
|
1524
|
+
revision = "1"
|
|
1525
|
+
date = "June 07 2020"
|
|
1526
|
+
author = "@tylabs"
|
|
1527
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1528
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1529
|
+
desc = "suspicious.flash addFrameScript"
|
|
1530
|
+
mitre = "T1027"
|
|
1531
|
+
strings:
|
|
1532
|
+
$h_raw1 = "addFrameScript" nocase
|
|
1533
|
+
condition:
|
|
1534
|
+
any of them
|
|
1524
1535
|
}
|
|
1525
1536
|
|
|
1526
1537
|
|
|
1527
1538
|
rule suspicious_flash_Adobe_Shockwave_Flash_in_a_PDF_define_obj_type {
|
|
1528
|
-
|
|
1529
|
-
|
|
1530
|
-
|
|
1531
|
-
|
|
1532
|
-
|
|
1533
|
-
|
|
1534
|
-
|
|
1535
|
-
|
|
1536
|
-
|
|
1537
|
-
|
|
1538
|
-
|
|
1539
|
-
|
|
1540
|
-
|
|
1541
|
-
|
|
1542
|
-
|
|
1539
|
+
meta:
|
|
1540
|
+
is_exploit = false
|
|
1541
|
+
is_feature = false
|
|
1542
|
+
is_warning = true
|
|
1543
|
+
rank = 1
|
|
1544
|
+
revision = "1"
|
|
1545
|
+
date = "June 07 2020"
|
|
1546
|
+
author = "@tylabs"
|
|
1547
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1548
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1549
|
+
desc = "suspicious.flash Adobe Shockwave Flash in a PDF define obj type"
|
|
1550
|
+
strings:
|
|
1551
|
+
$h_hex1 = { (52|233532) (69|233639) (63|233633) (68|233638) (4D|233444|233464) (65|233635) (64|233634) (69|233639)(61|233631) }
|
|
1552
|
+
condition:
|
|
1553
|
+
any of them
|
|
1543
1554
|
}
|
|
1544
1555
|
|
|
1545
1556
|
|
|
1546
1557
|
rule suspicious_flash_obfuscated_name {
|
|
1547
|
-
|
|
1548
|
-
|
|
1549
|
-
|
|
1550
|
-
|
|
1551
|
-
|
|
1552
|
-
|
|
1553
|
-
|
|
1554
|
-
|
|
1555
|
-
|
|
1556
|
-
|
|
1557
|
-
|
|
1558
|
-
|
|
1559
|
-
|
|
1560
|
-
|
|
1561
|
-
|
|
1562
|
-
|
|
1558
|
+
meta:
|
|
1559
|
+
is_exploit = false
|
|
1560
|
+
is_feature = false
|
|
1561
|
+
is_warning = true
|
|
1562
|
+
rank = 1
|
|
1563
|
+
revision = "1"
|
|
1564
|
+
date = "June 07 2020"
|
|
1565
|
+
author = "@tylabs"
|
|
1566
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1567
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1568
|
+
desc = "suspicious.flash obfuscated name"
|
|
1569
|
+
mitre = "T1027"
|
|
1570
|
+
strings:
|
|
1571
|
+
$h_raw1 = "/R#69chM#65#64ia#53e#74ti#6e#67#73/" nocase
|
|
1572
|
+
condition:
|
|
1573
|
+
any of them
|
|
1563
1574
|
}
|
|
1564
1575
|
|
|
1565
1576
|
|
|
1566
1577
|
rule pdf_exploit_FlateDecode_Stream_Predictor_02_Integer_Overflow_CVE_2009_3459 {
|
|
1567
|
-
|
|
1568
|
-
|
|
1569
|
-
|
|
1570
|
-
|
|
1571
|
-
|
|
1572
|
-
|
|
1573
|
-
|
|
1574
|
-
|
|
1575
|
-
|
|
1576
|
-
|
|
1577
|
-
|
|
1578
|
-
|
|
1579
|
-
|
|
1580
|
-
|
|
1581
|
-
|
|
1582
|
-
|
|
1578
|
+
meta:
|
|
1579
|
+
is_exploit = true
|
|
1580
|
+
is_warning = false
|
|
1581
|
+
is_feature = false
|
|
1582
|
+
rank = 5
|
|
1583
|
+
revision = "1"
|
|
1584
|
+
date = "June 07 2020"
|
|
1585
|
+
author = "@tylabs"
|
|
1586
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1587
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1588
|
+
desc = "pdf.exploit FlateDecode Stream Predictor 02 Integer Overflow CVE-2009-3459"
|
|
1589
|
+
mitre = "T1203 T1204.002"
|
|
1590
|
+
strings:
|
|
1591
|
+
$h_reg1 = /Predictor 02(\s{0,2}?)\/(\s{0,2}?)Colors 1073741838/
|
|
1592
|
+
condition:
|
|
1593
|
+
any of them
|
|
1583
1594
|
}
|
|
1584
1595
|
|
|
1585
1596
|
|
|
1586
1597
|
rule pdf_exploit_colors_number_is_high_CVE_2009_3459 {
|
|
1587
|
-
|
|
1588
|
-
|
|
1589
|
-
|
|
1590
|
-
|
|
1591
|
-
|
|
1592
|
-
|
|
1593
|
-
|
|
1594
|
-
|
|
1595
|
-
|
|
1596
|
-
|
|
1597
|
-
|
|
1598
|
-
|
|
1599
|
-
|
|
1600
|
-
|
|
1601
|
-
|
|
1602
|
-
|
|
1598
|
+
meta:
|
|
1599
|
+
is_exploit = true
|
|
1600
|
+
is_warning = false
|
|
1601
|
+
is_feature = false
|
|
1602
|
+
rank = 5
|
|
1603
|
+
revision = "1"
|
|
1604
|
+
date = "June 07 2020"
|
|
1605
|
+
author = "@tylabs"
|
|
1606
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1607
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1608
|
+
desc = "pdf.exploit colors number is high CVE-2009-3459"
|
|
1609
|
+
mitre = "T1203 T1204.002"
|
|
1610
|
+
strings:
|
|
1611
|
+
$h_reg1 = /\/Colors \d{5,15}?/
|
|
1612
|
+
condition:
|
|
1613
|
+
any of them
|
|
1603
1614
|
}
|
|
1604
1615
|
|
|
1605
1616
|
|
|
1606
1617
|
rule pdf_exploit_URI_directory_traversal {
|
|
1607
|
-
|
|
1608
|
-
|
|
1609
|
-
|
|
1610
|
-
|
|
1611
|
-
|
|
1612
|
-
|
|
1613
|
-
|
|
1614
|
-
|
|
1615
|
-
|
|
1616
|
-
|
|
1617
|
-
|
|
1618
|
-
|
|
1619
|
-
|
|
1620
|
-
|
|
1621
|
-
|
|
1622
|
-
|
|
1618
|
+
meta:
|
|
1619
|
+
is_exploit = false
|
|
1620
|
+
is_feature = false
|
|
1621
|
+
is_warning = true
|
|
1622
|
+
rank = 1
|
|
1623
|
+
revision = "1"
|
|
1624
|
+
date = "June 07 2020"
|
|
1625
|
+
author = "@tylabs"
|
|
1626
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1627
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1628
|
+
desc = "pdf.exploit URI directory traversal"
|
|
1629
|
+
mitre = "T1203 T1204.002"
|
|
1630
|
+
strings:
|
|
1631
|
+
$h_reg1 = /URI.{1,30}?\/\.\.\/\.\./
|
|
1632
|
+
condition:
|
|
1633
|
+
any of them
|
|
1623
1634
|
}
|
|
1624
1635
|
|
|
1625
1636
|
|
|
1626
1637
|
rule pdf_exploit_URI_directory_traversal_system32 {
|
|
1627
|
-
|
|
1628
|
-
|
|
1629
|
-
|
|
1630
|
-
|
|
1631
|
-
|
|
1632
|
-
|
|
1633
|
-
|
|
1634
|
-
|
|
1635
|
-
|
|
1636
|
-
|
|
1637
|
-
|
|
1638
|
-
|
|
1639
|
-
|
|
1640
|
-
|
|
1641
|
-
|
|
1642
|
-
|
|
1638
|
+
meta:
|
|
1639
|
+
is_exploit = false
|
|
1640
|
+
is_feature = false
|
|
1641
|
+
is_warning = true
|
|
1642
|
+
rank = 1
|
|
1643
|
+
revision = "1"
|
|
1644
|
+
date = "June 07 2020"
|
|
1645
|
+
author = "@tylabs"
|
|
1646
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1647
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1648
|
+
desc = "pdf.exploit URI directory traversal system32"
|
|
1649
|
+
mitre = "T1203 T1204.002"
|
|
1650
|
+
strings:
|
|
1651
|
+
$h_reg1 = /URI.{1,65}?system32/
|
|
1652
|
+
condition:
|
|
1653
|
+
any of them
|
|
1643
1654
|
}
|
|
1644
1655
|
|
|
1645
1656
|
|
|
1646
1657
|
rule pdf_exploit_execute_EXE_file {
|
|
1647
|
-
|
|
1648
|
-
|
|
1649
|
-
|
|
1650
|
-
|
|
1651
|
-
|
|
1652
|
-
|
|
1653
|
-
|
|
1654
|
-
|
|
1655
|
-
|
|
1656
|
-
|
|
1657
|
-
|
|
1658
|
-
|
|
1659
|
-
|
|
1660
|
-
|
|
1661
|
-
|
|
1662
|
-
|
|
1658
|
+
meta:
|
|
1659
|
+
is_exploit = false
|
|
1660
|
+
is_warning = true
|
|
1661
|
+
is_feature = true
|
|
1662
|
+
rank = 10
|
|
1663
|
+
revision = "1"
|
|
1664
|
+
date = "June 07 2020"
|
|
1665
|
+
author = "@tylabs"
|
|
1666
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1667
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1668
|
+
desc = "pdf.exploit execute EXE file"
|
|
1669
|
+
mitre = "T1203 T1204.002"
|
|
1670
|
+
strings:
|
|
1671
|
+
$h_reg1 = /\/(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|6e)(.{0,64}?)\.exe/
|
|
1672
|
+
condition:
|
|
1673
|
+
any of them
|
|
1663
1674
|
}
|
|
1664
1675
|
|
|
1665
1676
|
|
|
1666
1677
|
rule pdf_warning_openaction {
|
|
1667
|
-
|
|
1668
|
-
|
|
1669
|
-
|
|
1670
|
-
|
|
1671
|
-
|
|
1672
|
-
|
|
1673
|
-
|
|
1674
|
-
|
|
1675
|
-
|
|
1676
|
-
|
|
1677
|
-
|
|
1678
|
-
|
|
1679
|
-
|
|
1680
|
-
|
|
1681
|
-
|
|
1682
|
-
|
|
1678
|
+
meta:
|
|
1679
|
+
is_exploit = false
|
|
1680
|
+
is_warning = true
|
|
1681
|
+
is_feature = true
|
|
1682
|
+
rank = 1
|
|
1683
|
+
revision = "1"
|
|
1684
|
+
date = "July 14 2020"
|
|
1685
|
+
author = "@tylabs"
|
|
1686
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1687
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1688
|
+
desc = "pdf.warning OpenAction"
|
|
1689
|
+
mitre = "T1203 T1204.002"
|
|
1690
|
+
strings:
|
|
1691
|
+
$h_reg1 = /\/(O|#4F)(p|#70)(e|#65)(n|#6e)(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|6e)/
|
|
1692
|
+
condition:
|
|
1693
|
+
any of them
|
|
1683
1694
|
}
|
|
1684
1695
|
|
|
1685
1696
|
|
|
1686
1697
|
rule pdf_exploit_access_system32_directory {
|
|
1687
|
-
|
|
1688
|
-
|
|
1689
|
-
|
|
1690
|
-
|
|
1691
|
-
|
|
1692
|
-
|
|
1693
|
-
|
|
1694
|
-
|
|
1695
|
-
|
|
1696
|
-
|
|
1697
|
-
|
|
1698
|
-
|
|
1699
|
-
|
|
1700
|
-
|
|
1701
|
-
|
|
1702
|
-
|
|
1698
|
+
meta:
|
|
1699
|
+
is_exploit = false
|
|
1700
|
+
is_feature = false
|
|
1701
|
+
is_warning = true
|
|
1702
|
+
rank = 1
|
|
1703
|
+
revision = "1"
|
|
1704
|
+
date = "June 07 2020"
|
|
1705
|
+
author = "@tylabs"
|
|
1706
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1707
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1708
|
+
desc = "pdf.exploit access system32 directory"
|
|
1709
|
+
mitre = "T1203 T1204.002"
|
|
1710
|
+
strings:
|
|
1711
|
+
$h_reg1 = /\/(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|6e)(.{0,64}?)system32/
|
|
1712
|
+
condition:
|
|
1713
|
+
any of them
|
|
1703
1714
|
}
|
|
1704
1715
|
|
|
1705
1716
|
|
|
1706
1717
|
rule pdf_warning_remote_action {
|
|
1707
|
-
|
|
1708
|
-
|
|
1709
|
-
|
|
1710
|
-
|
|
1711
|
-
|
|
1712
|
-
|
|
1713
|
-
|
|
1714
|
-
|
|
1715
|
-
|
|
1716
|
-
|
|
1717
|
-
|
|
1718
|
-
|
|
1719
|
-
|
|
1720
|
-
|
|
1721
|
-
|
|
1718
|
+
meta:
|
|
1719
|
+
is_exploit = false
|
|
1720
|
+
is_feature = false
|
|
1721
|
+
is_warning = true
|
|
1722
|
+
rank = 5
|
|
1723
|
+
revision = "1"
|
|
1724
|
+
date = "June 07 2020"
|
|
1725
|
+
author = "@tylabs"
|
|
1726
|
+
sigtype = "pdfexaminer_active"
|
|
1727
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1728
|
+
desc = "pdf.exploit action uri"
|
|
1729
|
+
mitre = "T1566.002"
|
|
1730
|
+
strings:
|
|
1731
|
+
$h_reg1 = /\/(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|6e)\s*\/(U|#55)(R|#52)(I|49)/
|
|
1732
|
+
$h_reg2 = /\/(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|6e)\s*\/(S|#53)\s*\/(U|#55)(R|#52)(I|49)/
|
|
1722
1733
|
|
|
1723
|
-
|
|
1724
|
-
|
|
1734
|
+
condition:
|
|
1735
|
+
any of them
|
|
1725
1736
|
}
|
|
1726
1737
|
|
|
1727
1738
|
|
|
1728
1739
|
|
|
1729
1740
|
|
|
1730
1741
|
rule pdf_exploit_execute_action_command {
|
|
1731
|
-
|
|
1732
|
-
|
|
1733
|
-
|
|
1734
|
-
|
|
1735
|
-
|
|
1736
|
-
|
|
1737
|
-
|
|
1738
|
-
|
|
1739
|
-
|
|
1740
|
-
|
|
1741
|
-
|
|
1742
|
-
|
|
1743
|
-
|
|
1744
|
-
|
|
1745
|
-
|
|
1746
|
-
|
|
1742
|
+
meta:
|
|
1743
|
+
is_exploit = false
|
|
1744
|
+
is_feature = false
|
|
1745
|
+
is_warning = true
|
|
1746
|
+
rank = 1
|
|
1747
|
+
revision = "1"
|
|
1748
|
+
date = "June 07 2020"
|
|
1749
|
+
author = "@tylabs"
|
|
1750
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1751
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1752
|
+
desc = "pdf.exploit execute action command"
|
|
1753
|
+
mitre = "T1203 T1204.002"
|
|
1754
|
+
strings:
|
|
1755
|
+
$h_raw1 = "Launch/Type/Action/Win" nocase
|
|
1756
|
+
condition:
|
|
1757
|
+
any of them
|
|
1747
1758
|
}
|
|
1748
1759
|
|
|
1749
1760
|
|
|
1750
1761
|
rule pdf_exploit_printSeps_memory_heap_corruption_CVE_2010_4091 {
|
|
1751
|
-
|
|
1752
|
-
|
|
1753
|
-
|
|
1754
|
-
|
|
1755
|
-
|
|
1756
|
-
|
|
1757
|
-
|
|
1758
|
-
|
|
1759
|
-
|
|
1760
|
-
|
|
1761
|
-
|
|
1762
|
-
|
|
1763
|
-
|
|
1764
|
-
|
|
1765
|
-
|
|
1762
|
+
meta:
|
|
1763
|
+
is_exploit = true
|
|
1764
|
+
is_warning = false
|
|
1765
|
+
is_feature = false
|
|
1766
|
+
rank = 5
|
|
1767
|
+
revision = "1"
|
|
1768
|
+
date = "June 07 2020"
|
|
1769
|
+
author = "@tylabs"
|
|
1770
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1771
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1772
|
+
desc = "pdf.exploit printSeps memory heap corruption CVE-2010-4091"
|
|
1773
|
+
mitre = "T1203 T1204.002"
|
|
1774
|
+
strings:
|
|
1775
|
+
$h_raw1 = "printSeps" nocase
|
|
1776
|
+
condition:
|
|
1777
|
+
any of them
|
|
1766
1778
|
}
|
|
1767
1779
|
|
|
1768
1780
|
|
|
1769
1781
|
rule suspicious_obfuscation_jjencoded_javascript {
|
|
1770
|
-
|
|
1771
|
-
|
|
1772
|
-
|
|
1773
|
-
|
|
1774
|
-
|
|
1775
|
-
|
|
1776
|
-
|
|
1777
|
-
|
|
1778
|
-
|
|
1779
|
-
|
|
1780
|
-
|
|
1781
|
-
|
|
1782
|
-
|
|
1783
|
-
|
|
1784
|
-
|
|
1785
|
-
|
|
1786
|
-
|
|
1782
|
+
meta:
|
|
1783
|
+
is_exploit = false
|
|
1784
|
+
is_feature = false
|
|
1785
|
+
is_warning = true
|
|
1786
|
+
rank = 1
|
|
1787
|
+
revision = "1"
|
|
1788
|
+
date = "June 07 2020"
|
|
1789
|
+
author = "@tylabs"
|
|
1790
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1791
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1792
|
+
desc = "suspicious.obfuscation jjencoded javascript"
|
|
1793
|
+
mitre = "T1059.007"
|
|
1794
|
+
strings:
|
|
1795
|
+
$h_raw1 = ":++$,$$$$:" nocase
|
|
1796
|
+
$h_raw2 = "$$:++$,$$$" nocase
|
|
1797
|
+
condition:
|
|
1798
|
+
any of them
|
|
1787
1799
|
}
|
|
1788
1800
|
|
|
1789
1801
|
|
|
1790
1802
|
rule suspicious_obfuscation_getAnnots_access_blocks {
|
|
1791
|
-
|
|
1792
|
-
|
|
1793
|
-
|
|
1794
|
-
|
|
1795
|
-
|
|
1796
|
-
|
|
1797
|
-
|
|
1798
|
-
|
|
1799
|
-
|
|
1800
|
-
|
|
1801
|
-
|
|
1802
|
-
|
|
1803
|
-
|
|
1803
|
+
meta:
|
|
1804
|
+
is_exploit = false
|
|
1805
|
+
is_feature = false
|
|
1806
|
+
is_warning = true
|
|
1807
|
+
rank = 1
|
|
1808
|
+
revision = "1"
|
|
1809
|
+
date = "June 07 2020"
|
|
1810
|
+
author = "@tylabs"
|
|
1811
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1812
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1813
|
+
desc = "suspicious.obfuscation getAnnots access blocks"
|
|
1814
|
+
mitre = "T1059.007"
|
|
1815
|
+
strings:
|
|
1804
1816
|
$h_hex1 = {67 [0-2] 65 [0-2] 74 [0-2] 41 [0-2] 6E [0-2] 6E [0-2] 6F [0-2] 74}
|
|
1805
1817
|
|
|
1806
1818
|
$h_str2 = "getAnnots" nocase ascii wide
|
|
1807
|
-
|
|
1808
|
-
|
|
1809
|
-
|
|
1819
|
+
//$h_reg1 = /g(\W{0,2}?)e(\W{0,2}?)t(\W{0,2}?)A([\W]{0,2}?)n([\W]{0,1}?)n([\W]{0,2}?)o([\W]{0,2}?)t/ //slow
|
|
1820
|
+
condition:
|
|
1821
|
+
any of them
|
|
1810
1822
|
}
|
|
1811
1823
|
|
|
1812
1824
|
|
|
1813
1825
|
rule suspicious_obfuscation_info_Trailer_to_access_blocks {
|
|
1814
|
-
|
|
1815
|
-
|
|
1816
|
-
|
|
1817
|
-
|
|
1818
|
-
|
|
1819
|
-
|
|
1820
|
-
|
|
1821
|
-
|
|
1822
|
-
|
|
1823
|
-
|
|
1824
|
-
|
|
1825
|
-
|
|
1826
|
-
|
|
1827
|
-
|
|
1828
|
-
|
|
1829
|
-
|
|
1826
|
+
meta:
|
|
1827
|
+
is_exploit = false
|
|
1828
|
+
is_feature = false
|
|
1829
|
+
is_warning = true
|
|
1830
|
+
rank = 1
|
|
1831
|
+
revision = "1"
|
|
1832
|
+
date = "June 07 2020"
|
|
1833
|
+
author = "@tylabs"
|
|
1834
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1835
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1836
|
+
desc = "suspicious.obfuscation info.Trailer to access blocks"
|
|
1837
|
+
mitre = "T1059.007"
|
|
1838
|
+
strings:
|
|
1839
|
+
$h_reg1 = /info([\W]{0,4}?)\.([\W]{0,4}?)Trailer/
|
|
1840
|
+
condition:
|
|
1841
|
+
any of them
|
|
1830
1842
|
}
|
|
1831
1843
|
|
|
1832
1844
|
|
|
1833
1845
|
rule suspicious_obfuscation_using_app_setTimeOut_to_eval_code {
|
|
1834
|
-
|
|
1835
|
-
|
|
1836
|
-
|
|
1837
|
-
|
|
1838
|
-
|
|
1839
|
-
|
|
1840
|
-
|
|
1841
|
-
|
|
1842
|
-
|
|
1843
|
-
|
|
1844
|
-
|
|
1845
|
-
|
|
1846
|
-
|
|
1847
|
-
|
|
1848
|
-
|
|
1849
|
-
|
|
1846
|
+
meta:
|
|
1847
|
+
is_exploit = false
|
|
1848
|
+
is_feature = false
|
|
1849
|
+
is_warning = true
|
|
1850
|
+
rank = 1
|
|
1851
|
+
revision = "1"
|
|
1852
|
+
date = "June 07 2020"
|
|
1853
|
+
author = "@tylabs"
|
|
1854
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1855
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1856
|
+
desc = "suspicious.obfuscation using app.setTimeOut to eval code"
|
|
1857
|
+
mitre = "T1059.007"
|
|
1858
|
+
strings:
|
|
1859
|
+
$h_raw1 = "app.setTimeOut" nocase
|
|
1860
|
+
condition:
|
|
1861
|
+
any of them
|
|
1850
1862
|
}
|
|
1851
1863
|
|
|
1852
1864
|
|
|
1853
1865
|
rule suspicious_string__shellcode_ {
|
|
1854
|
-
|
|
1855
|
-
|
|
1856
|
-
|
|
1857
|
-
|
|
1858
|
-
|
|
1859
|
-
|
|
1860
|
-
|
|
1861
|
-
|
|
1862
|
-
|
|
1863
|
-
|
|
1864
|
-
|
|
1865
|
-
|
|
1866
|
-
|
|
1867
|
-
|
|
1868
|
-
|
|
1869
|
-
|
|
1866
|
+
meta:
|
|
1867
|
+
is_exploit = false
|
|
1868
|
+
is_feature = false
|
|
1869
|
+
is_warning = true
|
|
1870
|
+
rank = 1
|
|
1871
|
+
revision = "1"
|
|
1872
|
+
date = "June 07 2020"
|
|
1873
|
+
author = "@tylabs"
|
|
1874
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1875
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1876
|
+
desc = "suspicious.string -shellcode-"
|
|
1877
|
+
mitre = "T1027 T1059.007"
|
|
1878
|
+
strings:
|
|
1879
|
+
$h_raw1 = "var shellcode" nocase
|
|
1880
|
+
condition:
|
|
1881
|
+
any of them
|
|
1870
1882
|
}
|
|
1871
1883
|
|
|
1872
1884
|
|
|
1873
1885
|
rule pdf_exploit_Collab_collectEmailInfo_CVE_2008_0655 {
|
|
1874
|
-
|
|
1875
|
-
|
|
1876
|
-
|
|
1877
|
-
|
|
1878
|
-
|
|
1879
|
-
|
|
1880
|
-
|
|
1881
|
-
|
|
1882
|
-
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
|
|
1887
|
-
|
|
1888
|
-
|
|
1889
|
-
|
|
1890
|
-
|
|
1891
|
-
|
|
1886
|
+
meta:
|
|
1887
|
+
is_exploit = true
|
|
1888
|
+
is_warning = false
|
|
1889
|
+
is_feature = false
|
|
1890
|
+
rank = 5
|
|
1891
|
+
revision = "1"
|
|
1892
|
+
date = "June 07 2020"
|
|
1893
|
+
author = "@tylabs"
|
|
1894
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1895
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1896
|
+
desc = "pdf.exploit Collab.collectEmailInfo CVE-2008-0655"
|
|
1897
|
+
mitre = "T1203 T1204.002"
|
|
1898
|
+
strings:
|
|
1899
|
+
$h_reg1 = /Collabb([\W]{0,6}?).([\W]{0,6}?)collectEmailInfo/
|
|
1900
|
+
$h_raw2 = "CollabcollectEmailInfo" nocase
|
|
1901
|
+
$h_raw3 = "Collab.collectEmailInfo" nocase
|
|
1902
|
+
condition:
|
|
1903
|
+
any of them
|
|
1892
1904
|
}
|
|
1893
1905
|
|
|
1894
1906
|
|
|
1895
1907
|
rule pdf_exploit_Collab_getIcon_CVE_2009_0927 {
|
|
1896
|
-
|
|
1897
|
-
|
|
1898
|
-
|
|
1899
|
-
|
|
1900
|
-
|
|
1901
|
-
|
|
1902
|
-
|
|
1903
|
-
|
|
1904
|
-
|
|
1905
|
-
|
|
1906
|
-
|
|
1907
|
-
|
|
1908
|
-
|
|
1909
|
-
|
|
1910
|
-
|
|
1911
|
-
|
|
1912
|
-
|
|
1913
|
-
|
|
1908
|
+
meta:
|
|
1909
|
+
is_exploit = true
|
|
1910
|
+
is_warning = false
|
|
1911
|
+
is_feature = false
|
|
1912
|
+
rank = 5
|
|
1913
|
+
revision = "1"
|
|
1914
|
+
date = "June 07 2020"
|
|
1915
|
+
author = "@tylabs"
|
|
1916
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1917
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1918
|
+
desc = "pdf.exploit Collab.getIcon CVE-2009-0927"
|
|
1919
|
+
mitre = "T1203 T1204.002"
|
|
1920
|
+
strings:
|
|
1921
|
+
$h_reg1 = /Collab([\W]{0,6}?).([\W]{0,6}?)getIcon/
|
|
1922
|
+
$h_reg2 = /Collab.get(.{1,24}?)Icon/
|
|
1923
|
+
$h_raw3 = "Collab.getIcon" nocase
|
|
1924
|
+
condition:
|
|
1925
|
+
any of them
|
|
1914
1926
|
}
|
|
1915
1927
|
|
|
1916
1928
|
|
|
1917
1929
|
rule pdf_suspicious_util_printd_used_to_fill_buffers {
|
|
1918
|
-
|
|
1919
|
-
|
|
1920
|
-
|
|
1921
|
-
|
|
1922
|
-
|
|
1923
|
-
|
|
1924
|
-
|
|
1925
|
-
|
|
1926
|
-
|
|
1927
|
-
|
|
1928
|
-
|
|
1929
|
-
|
|
1930
|
-
|
|
1931
|
-
|
|
1932
|
-
|
|
1933
|
-
|
|
1930
|
+
meta:
|
|
1931
|
+
is_exploit = false
|
|
1932
|
+
is_feature = false
|
|
1933
|
+
is_warning = true
|
|
1934
|
+
rank = 1
|
|
1935
|
+
revision = "1"
|
|
1936
|
+
date = "June 07 2020"
|
|
1937
|
+
author = "@tylabs"
|
|
1938
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1939
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1940
|
+
desc = "pdf.suspicious util.printd used to fill buffers"
|
|
1941
|
+
mitre = "T1027 T1059.007"
|
|
1942
|
+
strings:
|
|
1943
|
+
$h_raw1 = "util.printd" nocase
|
|
1944
|
+
condition:
|
|
1945
|
+
any of them
|
|
1934
1946
|
}
|
|
1935
1947
|
|
|
1936
1948
|
|
|
1937
1949
|
rule pdf_exploit_media_newPlayer_CVE_2009_4324 {
|
|
1938
|
-
|
|
1939
|
-
|
|
1940
|
-
|
|
1941
|
-
|
|
1942
|
-
|
|
1943
|
-
|
|
1944
|
-
|
|
1945
|
-
|
|
1946
|
-
|
|
1947
|
-
|
|
1948
|
-
|
|
1949
|
-
|
|
1950
|
-
|
|
1951
|
-
|
|
1952
|
-
|
|
1953
|
-
|
|
1954
|
-
|
|
1955
|
-
|
|
1956
|
-
|
|
1957
|
-
|
|
1958
|
-
|
|
1950
|
+
meta:
|
|
1951
|
+
is_exploit = true
|
|
1952
|
+
is_warning = false
|
|
1953
|
+
is_feature = false
|
|
1954
|
+
rank = 5
|
|
1955
|
+
revision = "1"
|
|
1956
|
+
date = "June 07 2020"
|
|
1957
|
+
author = "@tylabs"
|
|
1958
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1959
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1960
|
+
desc = "pdf.exploit media.newPlayer CVE-2009-4324"
|
|
1961
|
+
mitre = "T1203 T1204.002"
|
|
1962
|
+
strings:
|
|
1963
|
+
$h_reg1 = /med(.{1,24}?)ia(.{1,24}?)new(.{1,24}?)Play(.{1,24}?)er/
|
|
1964
|
+
$h_reg2 = /med(.{1,24}?)ia(.{1,24}?)newPlay(.{1,24}?)er/
|
|
1965
|
+
$h_reg3 = /me(.{1,24}?)dia\.(.{1,24}?)new(.{1,24}?)Play(.{1,24}?)er/
|
|
1966
|
+
$h_reg4 = /mediaa([\W]{0,6}?)newPlayer/
|
|
1967
|
+
$h_reg5 = /media(.{1,24}?)newPlayer/
|
|
1968
|
+
$h_raw6 = "media.newPlayer" nocase
|
|
1969
|
+
condition:
|
|
1970
|
+
any of them
|
|
1959
1971
|
}
|
|
1960
1972
|
|
|
1961
1973
|
|
|
1962
1974
|
rule pdf_exploit_spell_customDictionaryOpen_CVE_2009_1493 {
|
|
1963
|
-
|
|
1964
|
-
|
|
1965
|
-
|
|
1966
|
-
|
|
1967
|
-
|
|
1968
|
-
|
|
1969
|
-
|
|
1970
|
-
|
|
1971
|
-
|
|
1972
|
-
|
|
1973
|
-
|
|
1974
|
-
|
|
1975
|
-
|
|
1976
|
-
|
|
1977
|
-
|
|
1978
|
-
|
|
1979
|
-
|
|
1975
|
+
meta:
|
|
1976
|
+
is_exploit = true
|
|
1977
|
+
is_warning = false
|
|
1978
|
+
is_feature = false
|
|
1979
|
+
rank = 5
|
|
1980
|
+
revision = "1"
|
|
1981
|
+
date = "June 07 2020"
|
|
1982
|
+
author = "@tylabs"
|
|
1983
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
1984
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
1985
|
+
desc = "pdf.exploit spell.customDictionaryOpen CVE-2009-1493"
|
|
1986
|
+
mitre = "T1203 T1204.002"
|
|
1987
|
+
strings:
|
|
1988
|
+
$h_reg1 = /spell(.{1,24}?)customDictionaryOpen/
|
|
1989
|
+
$h_raw2 = "spell.customDictionaryOpen" nocase
|
|
1990
|
+
condition:
|
|
1991
|
+
any of them
|
|
1980
1992
|
}
|
|
1981
1993
|
|
|
1982
1994
|
|
|
1983
1995
|
rule pdf_exploit_util_printf_CVE_2008_2992 {
|
|
1984
|
-
|
|
1985
|
-
|
|
1986
|
-
|
|
1987
|
-
|
|
1988
|
-
|
|
1989
|
-
|
|
1990
|
-
|
|
1991
|
-
|
|
1992
|
-
|
|
1993
|
-
|
|
1994
|
-
|
|
1995
|
-
|
|
1996
|
-
|
|
1997
|
-
|
|
1998
|
-
|
|
1999
|
-
|
|
1996
|
+
meta:
|
|
1997
|
+
is_exploit = true
|
|
1998
|
+
is_warning = false
|
|
1999
|
+
is_feature = false
|
|
2000
|
+
rank = 5
|
|
2001
|
+
revision = "1"
|
|
2002
|
+
date = "June 07 2020"
|
|
2003
|
+
author = "@tylabs"
|
|
2004
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2005
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2006
|
+
desc = "pdf.exploit util.printf CVE-2008-2992"
|
|
2007
|
+
mitre = "T1203 T1204.002"
|
|
2008
|
+
strings:
|
|
2009
|
+
$h_reg1 = /util(.{1,24}?)printf(.{1,24}?)45000f/
|
|
2010
|
+
condition:
|
|
2011
|
+
any of them
|
|
2000
2012
|
}
|
|
2001
2013
|
|
|
2002
2014
|
|
|
2003
2015
|
rule pdf_exploit_using_TIFF_overflow_CVE_2010_0188 {
|
|
2004
|
-
|
|
2005
|
-
|
|
2006
|
-
|
|
2007
|
-
|
|
2008
|
-
|
|
2009
|
-
|
|
2010
|
-
|
|
2011
|
-
|
|
2012
|
-
|
|
2013
|
-
|
|
2014
|
-
|
|
2015
|
-
|
|
2016
|
-
|
|
2017
|
-
|
|
2018
|
-
|
|
2019
|
-
|
|
2020
|
-
|
|
2016
|
+
meta:
|
|
2017
|
+
is_exploit = true
|
|
2018
|
+
is_warning = false
|
|
2019
|
+
is_feature = false
|
|
2020
|
+
rank = 5
|
|
2021
|
+
revision = "1"
|
|
2022
|
+
date = "June 07 2020"
|
|
2023
|
+
author = "@tylabs"
|
|
2024
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2025
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2026
|
+
desc = "pdf.exploit using TIFF overflow CVE-2010-0188"
|
|
2027
|
+
mitre = "T1203 T1204.002"
|
|
2028
|
+
strings:
|
|
2029
|
+
$h_reg1 = /contentType=(.{0,6}?)image\/(.{0,30}?)CQkJCQkJCQkJCQkJCQkJCQkJ/
|
|
2030
|
+
$h_raw2 = "kJCQ,kJCQ,kJCQ,kJCQ,kJCQ,kJCQ" nocase
|
|
2031
|
+
condition:
|
|
2032
|
+
any of them
|
|
2021
2033
|
}
|
|
2022
2034
|
|
|
2023
2035
|
|
|
2024
2036
|
rule suspicious_string_TIFF_overflow_exploit_tif_name_CVE_2010_0188 {
|
|
2025
|
-
|
|
2026
|
-
|
|
2027
|
-
|
|
2028
|
-
|
|
2029
|
-
|
|
2030
|
-
|
|
2031
|
-
|
|
2032
|
-
|
|
2033
|
-
|
|
2034
|
-
|
|
2035
|
-
|
|
2036
|
-
|
|
2037
|
-
|
|
2038
|
-
|
|
2039
|
-
|
|
2040
|
-
|
|
2037
|
+
meta:
|
|
2038
|
+
is_exploit = true
|
|
2039
|
+
is_warning = false
|
|
2040
|
+
is_feature = false
|
|
2041
|
+
rank = 5
|
|
2042
|
+
revision = "1"
|
|
2043
|
+
date = "June 07 2020"
|
|
2044
|
+
author = "@tylabs"
|
|
2045
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2046
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2047
|
+
desc = "suspicious.string TIFF overflow exploit.tif name CVE-2010-0188"
|
|
2048
|
+
mitre = "T1203 T1204.002"
|
|
2049
|
+
strings:
|
|
2050
|
+
$h_raw1 = "exploit.tif" nocase
|
|
2051
|
+
condition:
|
|
2052
|
+
any of them
|
|
2041
2053
|
}
|
|
2042
2054
|
|
|
2043
2055
|
|
|
2044
2056
|
rule suspicious_string_base_64_nop_sled_used_in_TIFF_overflow_CVE_2010_0188 {
|
|
2045
|
-
|
|
2046
|
-
|
|
2047
|
-
|
|
2048
|
-
|
|
2049
|
-
|
|
2050
|
-
|
|
2051
|
-
|
|
2052
|
-
|
|
2053
|
-
|
|
2054
|
-
|
|
2055
|
-
|
|
2056
|
-
|
|
2057
|
-
|
|
2058
|
-
|
|
2059
|
-
|
|
2057
|
+
meta:
|
|
2058
|
+
is_exploit = true
|
|
2059
|
+
is_warning = false
|
|
2060
|
+
is_feature = false
|
|
2061
|
+
rank = 5
|
|
2062
|
+
revision = "1"
|
|
2063
|
+
date = "June 07 2020"
|
|
2064
|
+
author = "@tylabs"
|
|
2065
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2066
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2067
|
+
desc = "suspicious.string base 64 nop sled used in TIFF overflow CVE-2010-0188"
|
|
2068
|
+
mitre = "T1203 T1204.002"
|
|
2069
|
+
strings:
|
|
2070
|
+
$h_raw1 = "JCQkJCQkJCQkJCQkJCQkJCQkJCQk" nocase
|
|
2071
|
+
$h_raw2 = "TU0AKgAAIDgMkAyQDJAMkAyQDJAMk" nocase
|
|
2060
2072
|
$h_hex3 = { 4A [1-2] 43 [1-2] 51 [1-2] 6B [1-2] 4A [1-2] 43 [1-2] 51 [1-2] 6B}
|
|
2061
|
-
|
|
2062
|
-
|
|
2063
|
-
|
|
2064
|
-
|
|
2073
|
+
//$h_reg3 = /J.{1,2}?C.{1,2}?Q.{1,2}?k.{1,2}?J.{1,2}?C.{1,2}?Q.{1,2}?k.{1,2}?J.{1,2}?C.{1,2}?Q.{1,2}?k/ //slow
|
|
2074
|
+
$h_raw4 = "+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4" nocase
|
|
2075
|
+
condition:
|
|
2076
|
+
any of them
|
|
2065
2077
|
}
|
|
2066
2078
|
|
|
2067
2079
|
|
|
2068
2080
|
rule pdf_exploit_TIFF_overflow_CVE_2010_0188 {
|
|
2069
|
-
|
|
2070
|
-
|
|
2071
|
-
|
|
2072
|
-
|
|
2073
|
-
|
|
2074
|
-
|
|
2075
|
-
|
|
2076
|
-
|
|
2077
|
-
|
|
2078
|
-
|
|
2079
|
-
|
|
2080
|
-
|
|
2081
|
-
|
|
2082
|
-
|
|
2083
|
-
|
|
2084
|
-
|
|
2085
|
-
|
|
2081
|
+
meta:
|
|
2082
|
+
is_exploit = true
|
|
2083
|
+
is_warning = false
|
|
2084
|
+
is_feature = false
|
|
2085
|
+
rank = 5
|
|
2086
|
+
revision = "1"
|
|
2087
|
+
date = "June 07 2020"
|
|
2088
|
+
author = "@tylabs"
|
|
2089
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2090
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2091
|
+
desc = "pdf.exploit TIFF overflow CVE-2010-0188"
|
|
2092
|
+
mitre = "T1203 T1204.002"
|
|
2093
|
+
strings:
|
|
2094
|
+
$h_reg1 = /ImageField1(.{0,6}?)xfa:contentType=(.{0,6}?)image\/tif/
|
|
2095
|
+
$h_hex2 = {BB1500070003FE7FB27F0007BB15000711000100ACA80007BB15000700010100ACA80007F772000711000100E2520007545C0007FFFFFFFF000101000000000004010100001000004000000031D70007BB1500075A526A024D15000722A70007BB15000758CD2E3C4D15000722A70007BB150007055A74F44D15000722A70007BB150007B849492A4D15000722A70007BB150007008BFAAF4D15000722A70007BB15000775EA87FE4D15000722A70007BB150007EB0A5FB94D15000722A70007BB150007}
|
|
2096
|
+
condition:
|
|
2097
|
+
any of them
|
|
2086
2098
|
}
|
|
2087
2099
|
|
|
2088
2100
|
|
|
2089
2101
|
rule pdf_execute_access_system32_directory {
|
|
2090
|
-
|
|
2091
|
-
|
|
2092
|
-
|
|
2093
|
-
|
|
2094
|
-
|
|
2095
|
-
|
|
2096
|
-
|
|
2097
|
-
|
|
2098
|
-
|
|
2099
|
-
|
|
2100
|
-
|
|
2101
|
-
|
|
2102
|
-
|
|
2103
|
-
|
|
2104
|
-
|
|
2105
|
-
|
|
2102
|
+
meta:
|
|
2103
|
+
is_exploit = false
|
|
2104
|
+
is_feature = false
|
|
2105
|
+
is_warning = true
|
|
2106
|
+
rank = 1
|
|
2107
|
+
revision = "1"
|
|
2108
|
+
date = "June 07 2020"
|
|
2109
|
+
author = "@tylabs"
|
|
2110
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2111
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2112
|
+
desc = "pdf.execute access system32 directory"
|
|
2113
|
+
mitre = "T1203 T1204.002"
|
|
2114
|
+
strings:
|
|
2115
|
+
$h_reg1 = /\/(A|#41)(c|#63)(t|#74)(i|#69)(o|#6F)(n|6e)(.{0,36}?)system32/
|
|
2116
|
+
condition:
|
|
2117
|
+
any of them
|
|
2106
2118
|
}
|
|
2107
2119
|
|
|
2108
2120
|
|
|
2109
2121
|
rule suspicious_string_obfuscated_unicode_NOP_sled {
|
|
2110
|
-
|
|
2111
|
-
|
|
2112
|
-
|
|
2113
|
-
|
|
2114
|
-
|
|
2115
|
-
|
|
2116
|
-
|
|
2117
|
-
|
|
2118
|
-
|
|
2119
|
-
|
|
2120
|
-
|
|
2121
|
-
|
|
2122
|
-
|
|
2123
|
-
|
|
2124
|
-
|
|
2125
|
-
|
|
2122
|
+
meta:
|
|
2123
|
+
is_exploit = false
|
|
2124
|
+
is_feature = false
|
|
2125
|
+
is_warning = true
|
|
2126
|
+
rank = 1
|
|
2127
|
+
revision = "1"
|
|
2128
|
+
date = "June 07 2020"
|
|
2129
|
+
author = "@tylabs"
|
|
2130
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2131
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2132
|
+
desc = "suspicious.string obfuscated unicode NOP sled"
|
|
2133
|
+
mitre = "T1027"
|
|
2134
|
+
strings:
|
|
2135
|
+
$h_raw1 = "M9090M9090M9090M9090" nocase
|
|
2136
|
+
condition:
|
|
2137
|
+
any of them
|
|
2126
2138
|
}
|
|
2127
2139
|
|
|
2128
2140
|
|
|
2129
2141
|
rule suspicious_flash_Embedded_Flash {
|
|
2130
|
-
|
|
2131
|
-
|
|
2132
|
-
|
|
2133
|
-
|
|
2134
|
-
|
|
2135
|
-
|
|
2136
|
-
|
|
2137
|
-
|
|
2138
|
-
|
|
2139
|
-
|
|
2140
|
-
|
|
2141
|
-
|
|
2142
|
-
|
|
2143
|
-
|
|
2144
|
-
|
|
2145
|
-
|
|
2146
|
-
|
|
2147
|
-
|
|
2148
|
-
|
|
2149
|
-
|
|
2150
|
-
|
|
2151
|
-
|
|
2142
|
+
meta:
|
|
2143
|
+
is_exploit = false
|
|
2144
|
+
is_feature = false
|
|
2145
|
+
is_warning = true
|
|
2146
|
+
rank = 1
|
|
2147
|
+
revision = "1"
|
|
2148
|
+
date = "June 07 2020"
|
|
2149
|
+
author = "@tylabs"
|
|
2150
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2151
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2152
|
+
desc = "suspicious.flash Embedded Flash"
|
|
2153
|
+
strings:
|
|
2154
|
+
$h_reg1 = /^FWS/
|
|
2155
|
+
$h_reg2 = /^CWS/
|
|
2156
|
+
$h_reg3 = /^SWF/
|
|
2157
|
+
$h_hex4 = {0D0A43575309A2D20000789CECBD797C54}
|
|
2158
|
+
$h_reg5 = /\x0aFWS/
|
|
2159
|
+
$h_reg6 = /\x0aCWS/
|
|
2160
|
+
$h_reg7 = /\x0aSWF/
|
|
2161
|
+
|
|
2162
|
+
condition:
|
|
2163
|
+
any of them
|
|
2152
2164
|
}
|
|
2153
2165
|
|
|
2154
2166
|
|
|
2155
2167
|
rule suspicious_flash_Embedded_Flash_define_obj {
|
|
2156
|
-
|
|
2157
|
-
|
|
2158
|
-
|
|
2159
|
-
|
|
2160
|
-
|
|
2161
|
-
|
|
2162
|
-
|
|
2163
|
-
|
|
2164
|
-
|
|
2165
|
-
|
|
2166
|
-
|
|
2167
|
-
|
|
2168
|
-
|
|
2169
|
-
|
|
2170
|
-
|
|
2171
|
-
|
|
2172
|
-
|
|
2168
|
+
meta:
|
|
2169
|
+
is_exploit = false
|
|
2170
|
+
is_feature = false
|
|
2171
|
+
is_warning = true
|
|
2172
|
+
rank = 1
|
|
2173
|
+
revision = "1"
|
|
2174
|
+
date = "June 07 2020"
|
|
2175
|
+
author = "@tylabs"
|
|
2176
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2177
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2178
|
+
desc = "suspicious.flash Embedded Flash define obj"
|
|
2179
|
+
mitre = "T1204.002"
|
|
2180
|
+
strings:
|
|
2181
|
+
$h_raw1 = "application#2Fx-shockwave-flash" nocase
|
|
2182
|
+
$h_raw2 = "application/x-shockwave-flash" nocase
|
|
2183
|
+
condition:
|
|
2184
|
+
any of them
|
|
2173
2185
|
}
|
|
2174
2186
|
|
|
2175
2187
|
|
|
2176
2188
|
rule pdf_exploit_fontfile_SING_table_overflow_CVE_2010_2883_generic {
|
|
2177
|
-
|
|
2178
|
-
|
|
2179
|
-
|
|
2180
|
-
|
|
2181
|
-
|
|
2182
|
-
|
|
2183
|
-
|
|
2184
|
-
|
|
2185
|
-
|
|
2186
|
-
|
|
2187
|
-
|
|
2188
|
-
|
|
2189
|
-
|
|
2190
|
-
|
|
2191
|
-
|
|
2192
|
-
|
|
2189
|
+
meta:
|
|
2190
|
+
is_exploit = true
|
|
2191
|
+
is_warning = false
|
|
2192
|
+
is_feature = false
|
|
2193
|
+
rank = 5
|
|
2194
|
+
revision = "1"
|
|
2195
|
+
date = "June 07 2020"
|
|
2196
|
+
author = "@tylabs"
|
|
2197
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2198
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2199
|
+
desc = "pdf.exploit fontfile SING table overflow CVE-2010-2883 generic"
|
|
2200
|
+
mitre = "T1203 T1204.002"
|
|
2201
|
+
strings:
|
|
2202
|
+
$h_reg1 = "SING" nocase
|
|
2203
|
+
$h_hex2 = { 41414141414141414141 }
|
|
2204
|
+
condition:
|
|
2205
|
+
$h_reg1 in (0..400) and $h_hex2 in (0..500)
|
|
2193
2206
|
}
|
|
2194
2207
|
|
|
2195
2208
|
|
|
2196
2209
|
rule pdf_exploit_fontfile_SING_table_overflow_CVE_2010_2883_A {
|
|
2197
|
-
|
|
2198
|
-
|
|
2199
|
-
|
|
2200
|
-
|
|
2201
|
-
|
|
2202
|
-
|
|
2203
|
-
|
|
2204
|
-
|
|
2205
|
-
|
|
2206
|
-
|
|
2207
|
-
|
|
2208
|
-
|
|
2209
|
-
|
|
2210
|
-
|
|
2211
|
-
|
|
2212
|
-
|
|
2210
|
+
meta:
|
|
2211
|
+
is_exploit = true
|
|
2212
|
+
is_warning = false
|
|
2213
|
+
is_feature = false
|
|
2214
|
+
rank = 5
|
|
2215
|
+
revision = "1"
|
|
2216
|
+
date = "June 07 2020"
|
|
2217
|
+
author = "@tylabs"
|
|
2218
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2219
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2220
|
+
desc = "pdf.exploit fontfile SING table overflow CVE-2010-2883 A"
|
|
2221
|
+
mitre = "T1203 T1204.002"
|
|
2222
|
+
strings:
|
|
2223
|
+
$h_hex1 = {1045086F0000EB4C00000024686D747809C68EB20000B4C4000004306B65726EDC52D5990000BDA000002D8A6C6F6361F3CBD23D0000BB840000021A6D6178700547063A0000EB2C0000002053494E47D9BCC8B50000011C00001DDF706F7374B45A2FBB0000B8F40000028E70726570}
|
|
2224
|
+
condition:
|
|
2225
|
+
any of them
|
|
2213
2226
|
}
|
|
2214
2227
|
|
|
2215
2228
|
|
|
2216
2229
|
rule flash_exploit_CVE_2011_0609 {
|
|
2217
|
-
|
|
2218
|
-
|
|
2219
|
-
|
|
2220
|
-
|
|
2221
|
-
|
|
2222
|
-
|
|
2223
|
-
|
|
2224
|
-
|
|
2225
|
-
|
|
2226
|
-
|
|
2227
|
-
|
|
2228
|
-
|
|
2229
|
-
|
|
2230
|
-
|
|
2231
|
-
|
|
2232
|
-
|
|
2233
|
-
|
|
2234
|
-
|
|
2230
|
+
meta:
|
|
2231
|
+
is_exploit = true
|
|
2232
|
+
is_warning = false
|
|
2233
|
+
is_feature = false
|
|
2234
|
+
rank = 5
|
|
2235
|
+
revision = "1"
|
|
2236
|
+
date = "June 07 2020"
|
|
2237
|
+
author = "@tylabs"
|
|
2238
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2239
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2240
|
+
desc = "flash.exploit CVE-2011-0609"
|
|
2241
|
+
mitre = "T1203 T1204.002"
|
|
2242
|
+
strings:
|
|
2243
|
+
$h_hex1 = {4657530947CB0000480140005A0000190100441108000000BF141CCB0000000000000010002E00060080804094A8D0A001808004100002000000121212E24130F00931343134313431343134313431343134313431343134313431343134313431343134313431343134313431343134313431343134}
|
|
2244
|
+
$h_hex2 = {34363537353330394541433730303030373830303036343030303030304338303030303032443031303034343131313830303030303034333032463446344634383630363036303230303031303030304646303931303030303030303033303030313030383630363036303130303032303030303430303030303030424631313235}
|
|
2245
|
+
$h_hex3 = {3941303139413031394130313941303139064C6F61646572}
|
|
2246
|
+
condition:
|
|
2247
|
+
any of them
|
|
2235
2248
|
}
|
|
2236
2249
|
|
|
2237
2250
|
|
|
2238
2251
|
rule flash_exploit_CVE_2011_0611 {
|
|
2239
|
-
|
|
2240
|
-
|
|
2241
|
-
|
|
2242
|
-
|
|
2243
|
-
|
|
2244
|
-
|
|
2245
|
-
|
|
2246
|
-
|
|
2247
|
-
|
|
2248
|
-
|
|
2249
|
-
|
|
2250
|
-
|
|
2251
|
-
|
|
2252
|
-
|
|
2253
|
-
|
|
2254
|
-
|
|
2255
|
-
|
|
2256
|
-
|
|
2257
|
-
|
|
2258
|
-
|
|
2259
|
-
|
|
2260
|
-
|
|
2252
|
+
meta:
|
|
2253
|
+
is_exploit = true
|
|
2254
|
+
is_warning = false
|
|
2255
|
+
is_feature = false
|
|
2256
|
+
rank = 5
|
|
2257
|
+
revision = "1"
|
|
2258
|
+
date = "June 07 2020"
|
|
2259
|
+
author = "@tylabs"
|
|
2260
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2261
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2262
|
+
desc = "flash.exploit CVE-2011-0611"
|
|
2263
|
+
mitre = "T1203 T1204.002"
|
|
2264
|
+
strings:
|
|
2265
|
+
$h_hex1 = {7772697465427974650541727261799817343635373533304143433035303030303738}
|
|
2266
|
+
$h_hex2 = {5131645443737746414142346E453155625778545A52512B743733742B3362744B4E30596E617767552F414452654D5848334777597276757737597A643743674A734A6C76643174374E716D393959576D4B676B5A7674686C68446942556E344D694645453030514659306D456F664A2B4F45504D55594E6F69614C526D4E696A4D45494444665065652B3139663534652B35356E764F63383578376532766732514551504148514C6B45384248683175303937414B7741654943394F6A336579756277574E52793141564A475939326D4777444832794278794147636569424250524348}
|
|
2267
|
+
$h_hex3 = {343635373533304143433035303030303738303030353546303030303046413030303030313830313030343431313030303030303030334630334137303530303030393630433030303530303037393543333743313330374642433337433133304531323944303230303443303439443032303031383030383831353030303930303431}
|
|
2268
|
+
$h_hex4 = {3063306330633063306330633063306306537472696E6706}
|
|
2269
|
+
$h_hex5 = {410042004300440045004600470048004900A18E110064656661756C74}
|
|
2270
|
+
$h_hex6 = {00414243444500566B6475686752656D686677317375727772777C73680064656661756C740067657453697A650047647768317375727772777C73680077777273757277}
|
|
2271
|
+
$h_raw7 = "AAB4AAVfAAAPoAAAGAEARBEAAAAAPwOnBQAAlgwABQAHlcN8Ewf7w3wTDhKdAgBMBJ0CABgAiBUACQBBAEIAQwBEAEUARgBHAEgASQChjhEAZGVmYXVsdAABAAQqAAIAmAGWCgAHWMBJSAenP7a3YJ0CAAAAmQIASQBAlgUABxZ0cAtMYp0CAAwAhwEAAxeHAQABlgoAB" nocase
|
|
2272
|
+
condition:
|
|
2273
|
+
any of them
|
|
2261
2274
|
}
|
|
2262
2275
|
|
|
2263
2276
|
|
|
2264
2277
|
rule flash_suspicious_jit_spray {
|
|
2265
|
-
|
|
2266
|
-
|
|
2267
|
-
|
|
2268
|
-
|
|
2269
|
-
|
|
2270
|
-
|
|
2271
|
-
|
|
2272
|
-
|
|
2273
|
-
|
|
2274
|
-
|
|
2275
|
-
|
|
2276
|
-
|
|
2277
|
-
|
|
2278
|
-
|
|
2279
|
-
|
|
2280
|
-
|
|
2278
|
+
meta:
|
|
2279
|
+
is_exploit = false
|
|
2280
|
+
is_feature = false
|
|
2281
|
+
is_warning = true
|
|
2282
|
+
rank = 1
|
|
2283
|
+
revision = "1"
|
|
2284
|
+
date = "June 07 2020"
|
|
2285
|
+
author = "@tylabs"
|
|
2286
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2287
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2288
|
+
desc = "flash.suspicious jit_spray"
|
|
2289
|
+
mitre = "T1027 T1059.007"
|
|
2290
|
+
strings:
|
|
2291
|
+
$h_hex1 = {076A69745F65676708}
|
|
2292
|
+
condition:
|
|
2293
|
+
any of them
|
|
2281
2294
|
}
|
|
2282
2295
|
|
|
2283
2296
|
|
|
2284
2297
|
rule pdf_exploit_U3D_CVE_2011_2462_A {
|
|
2285
|
-
|
|
2286
|
-
|
|
2287
|
-
|
|
2288
|
-
|
|
2289
|
-
|
|
2290
|
-
|
|
2291
|
-
|
|
2292
|
-
|
|
2293
|
-
|
|
2294
|
-
|
|
2295
|
-
|
|
2296
|
-
|
|
2297
|
-
|
|
2298
|
-
|
|
2299
|
-
|
|
2300
|
-
|
|
2298
|
+
meta:
|
|
2299
|
+
is_exploit = true
|
|
2300
|
+
is_warning = false
|
|
2301
|
+
is_feature = false
|
|
2302
|
+
rank = 5
|
|
2303
|
+
revision = "1"
|
|
2304
|
+
date = "June 07 2020"
|
|
2305
|
+
author = "@tylabs"
|
|
2306
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2307
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2308
|
+
desc = "pdf.exploit U3D CVE-2011-2462 A"
|
|
2309
|
+
mitre = "T1203 T1204.002"
|
|
2310
|
+
strings:
|
|
2311
|
+
$h_hex1 = {066F3A40AE366A4360DFCBEF8C38CA0492794B79E942BD2BB95B866065A4750119DACF6AF72A773CDEF1117533D394744A14734B18A166C20FDE3DED19D4322E}
|
|
2312
|
+
condition:
|
|
2313
|
+
any of them
|
|
2301
2314
|
}
|
|
2302
2315
|
|
|
2303
2316
|
|
|
2304
2317
|
rule pdf_exploit_PRC_CVE_2011_4369_A {
|
|
2305
|
-
|
|
2306
|
-
|
|
2307
|
-
|
|
2308
|
-
|
|
2309
|
-
|
|
2310
|
-
|
|
2311
|
-
|
|
2312
|
-
|
|
2313
|
-
|
|
2314
|
-
|
|
2315
|
-
|
|
2316
|
-
|
|
2317
|
-
|
|
2318
|
-
|
|
2319
|
-
|
|
2320
|
-
|
|
2318
|
+
meta:
|
|
2319
|
+
is_exploit = true
|
|
2320
|
+
is_warning = false
|
|
2321
|
+
is_feature = false
|
|
2322
|
+
rank = 5
|
|
2323
|
+
revision = "1"
|
|
2324
|
+
date = "June 07 2020"
|
|
2325
|
+
author = "@tylabs"
|
|
2326
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2327
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2328
|
+
desc = "pdf.exploit PRC CVE-2011-4369 A"
|
|
2329
|
+
mitre = "T1203 T1204.002"
|
|
2330
|
+
strings:
|
|
2331
|
+
$h_hex1 = {ED7C7938945DF8FF9985868677108DA58C922C612A516FA9D182374A8B868AA25284242D8A3296B497B74849D2A210D14EA94654A2452ACA2B29D18268A5B7C5EF7E}
|
|
2332
|
+
condition:
|
|
2333
|
+
any of them
|
|
2321
2334
|
}
|
|
2322
2335
|
|
|
2323
2336
|
|
|
2324
2337
|
rule flash_exploit_flash_calling_malformed_MP4_CVE_2012_0754 {
|
|
2325
|
-
|
|
2326
|
-
|
|
2327
|
-
|
|
2328
|
-
|
|
2329
|
-
|
|
2330
|
-
|
|
2331
|
-
|
|
2332
|
-
|
|
2333
|
-
|
|
2334
|
-
|
|
2335
|
-
|
|
2336
|
-
|
|
2337
|
-
|
|
2338
|
-
|
|
2339
|
-
|
|
2340
|
-
|
|
2338
|
+
meta:
|
|
2339
|
+
is_exploit = true
|
|
2340
|
+
is_warning = false
|
|
2341
|
+
is_feature = false
|
|
2342
|
+
rank = 5
|
|
2343
|
+
revision = "1"
|
|
2344
|
+
date = "June 07 2020"
|
|
2345
|
+
author = "@tylabs"
|
|
2346
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2347
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2348
|
+
desc = "flash.exploit flash calling malformed MP4 CVE-2012-0754"
|
|
2349
|
+
mitre = "T1203 T1204.002"
|
|
2350
|
+
strings:
|
|
2351
|
+
$h_hex1 = {537472696E6706586D6C537766094D6F766965436C6970076A69745F656767086368696C645265660D446973706C61794F626A656374074D79566964656F05566964656F044D794E430D4E6574436F6E6E656374696F6E}
|
|
2352
|
+
condition:
|
|
2353
|
+
any of them
|
|
2341
2354
|
}
|
|
2342
2355
|
|
|
2343
2356
|
|
|
2344
2357
|
rule flash_exploit_MP4_Loader_CVE_2012_0754_B {
|
|
2345
|
-
|
|
2346
|
-
|
|
2347
|
-
|
|
2348
|
-
|
|
2349
|
-
|
|
2350
|
-
|
|
2351
|
-
|
|
2352
|
-
|
|
2353
|
-
|
|
2354
|
-
|
|
2355
|
-
|
|
2356
|
-
|
|
2357
|
-
|
|
2358
|
-
|
|
2359
|
-
|
|
2360
|
-
|
|
2358
|
+
meta:
|
|
2359
|
+
is_exploit = true
|
|
2360
|
+
is_warning = false
|
|
2361
|
+
is_feature = false
|
|
2362
|
+
rank = 5
|
|
2363
|
+
revision = "1"
|
|
2364
|
+
date = "June 07 2020"
|
|
2365
|
+
author = "@tylabs"
|
|
2366
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2367
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2368
|
+
desc = "flash.exploit MP4 Loader CVE-2012-0754 B"
|
|
2369
|
+
mitre = "T1203 T1204.002"
|
|
2370
|
+
strings:
|
|
2371
|
+
$h_hex1 = {6D703405566964656F0A6E6574436F6E6E6563740D4E6574436F6E6E656374696F6E096E657453747265616D094E657453747265616D}
|
|
2372
|
+
condition:
|
|
2373
|
+
any of them
|
|
2361
2374
|
}
|
|
2362
2375
|
|
|
2363
2376
|
|
|
2364
2377
|
rule flash_exploit_MP4_CVE_2012_0754 {
|
|
2365
|
-
|
|
2366
|
-
|
|
2367
|
-
|
|
2368
|
-
|
|
2369
|
-
|
|
2370
|
-
|
|
2371
|
-
|
|
2372
|
-
|
|
2373
|
-
|
|
2374
|
-
|
|
2375
|
-
|
|
2376
|
-
|
|
2377
|
-
|
|
2378
|
-
|
|
2379
|
-
|
|
2380
|
-
|
|
2378
|
+
meta:
|
|
2379
|
+
is_exploit = true
|
|
2380
|
+
is_warning = false
|
|
2381
|
+
is_feature = false
|
|
2382
|
+
rank = 5
|
|
2383
|
+
revision = "1"
|
|
2384
|
+
date = "June 07 2020"
|
|
2385
|
+
author = "@tylabs"
|
|
2386
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2387
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2388
|
+
desc = "flash.exploit MP4 CVE-2012-0754"
|
|
2389
|
+
mitre = "T1203 T1204.002"
|
|
2390
|
+
strings:
|
|
2391
|
+
$h_hex1 = {6D70343269736F6D000000246D646174018080800E1180808009029F0F808080020001C0101281302A056DC00000000D63707274}
|
|
2392
|
+
condition:
|
|
2393
|
+
any of them
|
|
2381
2394
|
}
|
|
2382
2395
|
|
|
2383
2396
|
|
|
2384
2397
|
rule pdf_exploit_Sandbox_Bypass_CVE_2013_0641 {
|
|
2385
|
-
|
|
2386
|
-
|
|
2387
|
-
|
|
2388
|
-
|
|
2389
|
-
|
|
2390
|
-
|
|
2391
|
-
|
|
2392
|
-
|
|
2393
|
-
|
|
2394
|
-
|
|
2395
|
-
|
|
2396
|
-
|
|
2397
|
-
|
|
2398
|
-
|
|
2399
|
-
|
|
2400
|
-
|
|
2398
|
+
meta:
|
|
2399
|
+
is_exploit = true
|
|
2400
|
+
is_warning = false
|
|
2401
|
+
is_feature = false
|
|
2402
|
+
rank = 5
|
|
2403
|
+
revision = "1"
|
|
2404
|
+
date = "June 07 2020"
|
|
2405
|
+
author = "@tylabs"
|
|
2406
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2407
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2408
|
+
desc = "pdf.exploit Sandbox Bypass CVE-2013-0641"
|
|
2409
|
+
mitre = "T1203 T1204.002"
|
|
2410
|
+
strings:
|
|
2411
|
+
$h_reg1 = /push(.{1,5}?)xfa.datasets.createNode(.{1,5}?)dataValue/
|
|
2412
|
+
condition:
|
|
2413
|
+
any of them
|
|
2401
2414
|
}
|
|
2402
2415
|
|
|
2403
2416
|
|
|
2404
2417
|
rule pdf_exploit_BMP_RLE_integer_heap_overflow_CVE_2013_2729 {
|
|
2405
|
-
|
|
2406
|
-
|
|
2407
|
-
|
|
2408
|
-
|
|
2409
|
-
|
|
2410
|
-
|
|
2411
|
-
|
|
2412
|
-
|
|
2413
|
-
|
|
2414
|
-
|
|
2415
|
-
|
|
2416
|
-
|
|
2417
|
-
|
|
2418
|
-
|
|
2419
|
-
|
|
2420
|
-
|
|
2421
|
-
|
|
2418
|
+
meta:
|
|
2419
|
+
is_exploit = true
|
|
2420
|
+
is_warning = false
|
|
2421
|
+
is_feature = false
|
|
2422
|
+
rank = 5
|
|
2423
|
+
revision = "1"
|
|
2424
|
+
date = "June 07 2020"
|
|
2425
|
+
author = "@tylabs"
|
|
2426
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2427
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2428
|
+
desc = "pdf.exploit BMP RLE integer heap overflow CVE-2013-2729"
|
|
2429
|
+
mitre = "T1203 T1204.002"
|
|
2430
|
+
strings:
|
|
2431
|
+
$h_reg1 = /image.jpeg(.{1,5}?)Qk0AAAAAAAAAAAAAAABAAAAALAEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC/
|
|
2432
|
+
$h_raw2 = "<image>Qk0AAAAAAAAAAAAAAABAAAAALAEAAAEAAAABAAgAAQAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAUkdC" nocase
|
|
2433
|
+
condition:
|
|
2434
|
+
any of them
|
|
2422
2435
|
}
|
|
2423
2436
|
|
|
2424
2437
|
|
|
2425
2438
|
rule pdf_exploit_ToolButton_use_after_free_CVE_2014_0496 {
|
|
2426
|
-
|
|
2427
|
-
|
|
2428
|
-
|
|
2429
|
-
|
|
2430
|
-
|
|
2431
|
-
|
|
2432
|
-
|
|
2433
|
-
|
|
2434
|
-
|
|
2435
|
-
|
|
2436
|
-
|
|
2437
|
-
|
|
2438
|
-
|
|
2439
|
-
|
|
2440
|
-
|
|
2441
|
-
|
|
2442
|
-
|
|
2439
|
+
meta:
|
|
2440
|
+
is_exploit = true
|
|
2441
|
+
is_warning = false
|
|
2442
|
+
is_feature = false
|
|
2443
|
+
rank = 5
|
|
2444
|
+
revision = "1"
|
|
2445
|
+
date = "June 07 2020"
|
|
2446
|
+
author = "@tylabs"
|
|
2447
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2448
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2449
|
+
desc = "pdf.exploit ToolButton use-after-free CVE-2014-0496"
|
|
2450
|
+
mitre = "T1203 T1204.002"
|
|
2451
|
+
strings:
|
|
2452
|
+
$h_reg1 = /function(.{1,24}?)app.addToolButton/
|
|
2453
|
+
$h_reg2 = /function(.{1,24}?)app.removeToolButton/
|
|
2454
|
+
condition:
|
|
2455
|
+
any of them
|
|
2443
2456
|
}
|
|
2444
2457
|
|
|
2445
2458
|
|
|
2446
2459
|
rule suspicious_javascript_addToolButton {
|
|
2447
|
-
|
|
2448
|
-
|
|
2449
|
-
|
|
2450
|
-
|
|
2451
|
-
|
|
2452
|
-
|
|
2453
|
-
|
|
2454
|
-
|
|
2455
|
-
|
|
2456
|
-
|
|
2457
|
-
|
|
2458
|
-
|
|
2459
|
-
|
|
2460
|
-
|
|
2461
|
-
|
|
2462
|
-
|
|
2460
|
+
meta:
|
|
2461
|
+
is_exploit = false
|
|
2462
|
+
is_feature = false
|
|
2463
|
+
is_warning = true
|
|
2464
|
+
rank = 1
|
|
2465
|
+
revision = "1"
|
|
2466
|
+
date = "June 07 2020"
|
|
2467
|
+
author = "@tylabs"
|
|
2468
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2469
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2470
|
+
desc = "suspicious.javascript addToolButton"
|
|
2471
|
+
mitre = "T1059.007"
|
|
2472
|
+
strings:
|
|
2473
|
+
$h_raw1 = "app.addToolButton" nocase
|
|
2474
|
+
condition:
|
|
2475
|
+
any of them
|
|
2463
2476
|
}
|
|
2464
2477
|
|
|
2465
2478
|
|
|
2466
2479
|
rule suspicious_embedded_doc_file {
|
|
2467
|
-
|
|
2468
|
-
|
|
2469
|
-
|
|
2470
|
-
|
|
2471
|
-
|
|
2472
|
-
|
|
2473
|
-
|
|
2474
|
-
|
|
2475
|
-
|
|
2476
|
-
|
|
2477
|
-
|
|
2478
|
-
|
|
2479
|
-
|
|
2480
|
-
|
|
2481
|
-
|
|
2482
|
-
|
|
2480
|
+
meta:
|
|
2481
|
+
is_exploit = false
|
|
2482
|
+
is_feature = false
|
|
2483
|
+
is_warning = true
|
|
2484
|
+
rank = 1
|
|
2485
|
+
revision = "1"
|
|
2486
|
+
date = "June 07 2020"
|
|
2487
|
+
author = "@tylabs"
|
|
2488
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2489
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2490
|
+
desc = "suspicious.embedded doc file"
|
|
2491
|
+
mitre = "T1204.002"
|
|
2492
|
+
strings:
|
|
2493
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.doc/
|
|
2494
|
+
condition:
|
|
2495
|
+
any of them
|
|
2483
2496
|
}
|
|
2484
2497
|
|
|
2485
2498
|
|
|
2486
2499
|
rule suspicious_embedded_xls_file {
|
|
2487
|
-
|
|
2488
|
-
|
|
2489
|
-
|
|
2490
|
-
|
|
2491
|
-
|
|
2492
|
-
|
|
2493
|
-
|
|
2494
|
-
|
|
2495
|
-
|
|
2496
|
-
|
|
2497
|
-
|
|
2498
|
-
|
|
2499
|
-
|
|
2500
|
-
|
|
2501
|
-
|
|
2502
|
-
|
|
2500
|
+
meta:
|
|
2501
|
+
is_exploit = false
|
|
2502
|
+
is_feature = false
|
|
2503
|
+
is_warning = true
|
|
2504
|
+
rank = 1
|
|
2505
|
+
revision = "1"
|
|
2506
|
+
date = "June 07 2020"
|
|
2507
|
+
author = "@tylabs"
|
|
2508
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2509
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2510
|
+
desc = "suspicious.embedded xls file"
|
|
2511
|
+
mitre = "T1204.002"
|
|
2512
|
+
strings:
|
|
2513
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.xls/
|
|
2514
|
+
condition:
|
|
2515
|
+
any of them
|
|
2503
2516
|
}
|
|
2504
2517
|
|
|
2505
2518
|
|
|
2506
2519
|
rule suspicious_embedded_ppt_file {
|
|
2507
|
-
|
|
2508
|
-
|
|
2509
|
-
|
|
2510
|
-
|
|
2511
|
-
|
|
2512
|
-
|
|
2513
|
-
|
|
2514
|
-
|
|
2515
|
-
|
|
2516
|
-
|
|
2517
|
-
|
|
2518
|
-
|
|
2519
|
-
|
|
2520
|
-
|
|
2521
|
-
|
|
2522
|
-
|
|
2523
|
-
|
|
2520
|
+
meta:
|
|
2521
|
+
is_exploit = false
|
|
2522
|
+
is_feature = false
|
|
2523
|
+
is_warning = true
|
|
2524
|
+
rank = 1
|
|
2525
|
+
revision = "1"
|
|
2526
|
+
date = "June 07 2020"
|
|
2527
|
+
author = "@tylabs"
|
|
2528
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2529
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2530
|
+
desc = "suspicious.embedded ppt file"
|
|
2531
|
+
mitre = "T1204.002"
|
|
2532
|
+
strings:
|
|
2533
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.ppt/
|
|
2534
|
+
$h_reg2 = /\/Type\/Filespec\/F(.{1,30}?)\.pps/
|
|
2535
|
+
condition:
|
|
2536
|
+
any of them
|
|
2524
2537
|
}
|
|
2525
2538
|
|
|
2526
2539
|
|
|
2527
2540
|
rule suspicious_embedded_scr_file {
|
|
2528
|
-
|
|
2529
|
-
|
|
2530
|
-
|
|
2531
|
-
|
|
2532
|
-
|
|
2533
|
-
|
|
2534
|
-
|
|
2535
|
-
|
|
2536
|
-
|
|
2537
|
-
|
|
2538
|
-
|
|
2539
|
-
|
|
2540
|
-
|
|
2541
|
-
|
|
2542
|
-
|
|
2543
|
-
|
|
2541
|
+
meta:
|
|
2542
|
+
is_exploit = false
|
|
2543
|
+
is_feature = false
|
|
2544
|
+
is_warning = true
|
|
2545
|
+
rank = 1
|
|
2546
|
+
revision = "1"
|
|
2547
|
+
date = "June 07 2020"
|
|
2548
|
+
author = "@tylabs"
|
|
2549
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2550
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2551
|
+
desc = "suspicious.embedded scr file"
|
|
2552
|
+
mitre = "T1204.002"
|
|
2553
|
+
strings:
|
|
2554
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.scr/
|
|
2555
|
+
condition:
|
|
2556
|
+
any of them
|
|
2544
2557
|
}
|
|
2545
2558
|
|
|
2546
2559
|
|
|
2547
2560
|
rule suspicious_embedded_exe_file {
|
|
2548
|
-
|
|
2549
|
-
|
|
2550
|
-
|
|
2551
|
-
|
|
2552
|
-
|
|
2553
|
-
|
|
2554
|
-
|
|
2555
|
-
|
|
2556
|
-
|
|
2557
|
-
|
|
2558
|
-
|
|
2559
|
-
|
|
2560
|
-
|
|
2561
|
-
|
|
2562
|
-
|
|
2563
|
-
|
|
2561
|
+
meta:
|
|
2562
|
+
is_exploit = false
|
|
2563
|
+
is_feature = false
|
|
2564
|
+
is_warning = true
|
|
2565
|
+
rank = 1
|
|
2566
|
+
revision = "1"
|
|
2567
|
+
date = "June 07 2020"
|
|
2568
|
+
author = "@tylabs"
|
|
2569
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2570
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2571
|
+
desc = "suspicious.embedded exe file"
|
|
2572
|
+
mitre = "T1204.002"
|
|
2573
|
+
strings:
|
|
2574
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.exe/
|
|
2575
|
+
condition:
|
|
2576
|
+
any of them
|
|
2564
2577
|
}
|
|
2565
2578
|
|
|
2566
2579
|
|
|
2567
2580
|
rule suspicious_embedded_bat_file {
|
|
2568
|
-
|
|
2569
|
-
|
|
2570
|
-
|
|
2571
|
-
|
|
2572
|
-
|
|
2573
|
-
|
|
2574
|
-
|
|
2575
|
-
|
|
2576
|
-
|
|
2577
|
-
|
|
2578
|
-
|
|
2579
|
-
|
|
2580
|
-
|
|
2581
|
-
|
|
2582
|
-
|
|
2583
|
-
|
|
2581
|
+
meta:
|
|
2582
|
+
is_exploit = false
|
|
2583
|
+
is_feature = false
|
|
2584
|
+
is_warning = true
|
|
2585
|
+
rank = 1
|
|
2586
|
+
revision = "1"
|
|
2587
|
+
date = "June 07 2020"
|
|
2588
|
+
author = "@tylabs"
|
|
2589
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2590
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2591
|
+
desc = "suspicious.embedded bat file"
|
|
2592
|
+
mitre = "T1204.002"
|
|
2593
|
+
strings:
|
|
2594
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.bat/
|
|
2595
|
+
condition:
|
|
2596
|
+
any of them
|
|
2584
2597
|
}
|
|
2585
2598
|
|
|
2586
2599
|
|
|
2587
2600
|
rule suspicious_embedded_rtf_file {
|
|
2588
|
-
|
|
2589
|
-
|
|
2590
|
-
|
|
2591
|
-
|
|
2592
|
-
|
|
2593
|
-
|
|
2594
|
-
|
|
2595
|
-
|
|
2596
|
-
|
|
2597
|
-
|
|
2598
|
-
|
|
2599
|
-
|
|
2600
|
-
|
|
2601
|
-
|
|
2602
|
-
|
|
2603
|
-
|
|
2601
|
+
meta:
|
|
2602
|
+
is_exploit = false
|
|
2603
|
+
is_feature = false
|
|
2604
|
+
is_warning = true
|
|
2605
|
+
rank = 1
|
|
2606
|
+
revision = "1"
|
|
2607
|
+
date = "June 07 2020"
|
|
2608
|
+
author = "@tylabs"
|
|
2609
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2610
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2611
|
+
desc = "suspicious.embedded rtf file"
|
|
2612
|
+
mitre = "T1204.002"
|
|
2613
|
+
strings:
|
|
2614
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.rtf/
|
|
2615
|
+
condition:
|
|
2616
|
+
any of them
|
|
2604
2617
|
}
|
|
2605
2618
|
|
|
2606
2619
|
|
|
2607
2620
|
rule suspicious_embedded_mso_file {
|
|
2608
|
-
|
|
2609
|
-
|
|
2610
|
-
|
|
2611
|
-
|
|
2612
|
-
|
|
2613
|
-
|
|
2614
|
-
|
|
2615
|
-
|
|
2616
|
-
|
|
2617
|
-
|
|
2618
|
-
|
|
2619
|
-
|
|
2620
|
-
|
|
2621
|
-
|
|
2622
|
-
|
|
2623
|
-
|
|
2621
|
+
meta:
|
|
2622
|
+
is_exploit = false
|
|
2623
|
+
is_feature = false
|
|
2624
|
+
is_warning = true
|
|
2625
|
+
rank = 1
|
|
2626
|
+
revision = "1"
|
|
2627
|
+
date = "June 07 2020"
|
|
2628
|
+
author = "@tylabs"
|
|
2629
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2630
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2631
|
+
desc = "suspicious.embedded mso file"
|
|
2632
|
+
mitre = "T1204.002"
|
|
2633
|
+
strings:
|
|
2634
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.mso/
|
|
2635
|
+
condition:
|
|
2636
|
+
any of them
|
|
2624
2637
|
}
|
|
2625
2638
|
|
|
2626
2639
|
|
|
2627
2640
|
rule suspicious_embedded_html_file {
|
|
2628
|
-
|
|
2629
|
-
|
|
2630
|
-
|
|
2631
|
-
|
|
2632
|
-
|
|
2633
|
-
|
|
2634
|
-
|
|
2635
|
-
|
|
2636
|
-
|
|
2637
|
-
|
|
2638
|
-
|
|
2639
|
-
|
|
2640
|
-
|
|
2641
|
-
|
|
2642
|
-
|
|
2643
|
-
|
|
2641
|
+
meta:
|
|
2642
|
+
is_exploit = false
|
|
2643
|
+
is_feature = false
|
|
2644
|
+
is_warning = true
|
|
2645
|
+
rank = 1
|
|
2646
|
+
revision = "1"
|
|
2647
|
+
date = "June 07 2020"
|
|
2648
|
+
author = "@tylabs"
|
|
2649
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2650
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2651
|
+
desc = "suspicious.embedded html file"
|
|
2652
|
+
mitre = "T1204.002"
|
|
2653
|
+
strings:
|
|
2654
|
+
$h_reg1 = /\/Type\/Filespec\/F(.{1,30}?)\.htm/
|
|
2655
|
+
condition:
|
|
2656
|
+
any of them
|
|
2644
2657
|
}
|
|
2645
2658
|
|
|
2646
2659
|
|
|
2647
2660
|
rule suspicious_embedded_OLE_document_header {
|
|
2648
|
-
|
|
2649
|
-
|
|
2650
|
-
|
|
2651
|
-
|
|
2652
|
-
|
|
2653
|
-
|
|
2654
|
-
|
|
2655
|
-
|
|
2656
|
-
|
|
2657
|
-
|
|
2658
|
-
|
|
2659
|
-
|
|
2660
|
-
|
|
2661
|
-
|
|
2662
|
-
|
|
2661
|
+
meta:
|
|
2662
|
+
is_exploit = false
|
|
2663
|
+
is_feature = false
|
|
2664
|
+
is_warning = true
|
|
2665
|
+
rank = 1
|
|
2666
|
+
revision = "1"
|
|
2667
|
+
date = "June 07 2020"
|
|
2668
|
+
author = "@tylabs"
|
|
2669
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2670
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2671
|
+
desc = "suspicious.embedded OLE document header"
|
|
2672
|
+
mitre = "T1204.002"
|
|
2673
|
+
strings:
|
|
2674
|
+
$h_reg1 = { d0 cf 11 e0}
|
|
2675
|
+
condition:
|
|
2676
|
+
$h_reg1 at 0
|
|
2663
2677
|
}
|
|
2664
2678
|
|
|
2665
2679
|
|
|
2666
2680
|
rule suspicious_embedded_external_content {
|
|
2667
|
-
|
|
2668
|
-
|
|
2669
|
-
|
|
2670
|
-
|
|
2671
|
-
|
|
2672
|
-
|
|
2673
|
-
|
|
2674
|
-
|
|
2675
|
-
|
|
2676
|
-
|
|
2677
|
-
|
|
2678
|
-
|
|
2679
|
-
|
|
2680
|
-
|
|
2681
|
-
|
|
2682
|
-
|
|
2681
|
+
meta:
|
|
2682
|
+
is_exploit = false
|
|
2683
|
+
is_feature = false
|
|
2684
|
+
is_warning = true
|
|
2685
|
+
rank = 1
|
|
2686
|
+
revision = "1"
|
|
2687
|
+
date = "June 07 2020"
|
|
2688
|
+
author = "@tylabs"
|
|
2689
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2690
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2691
|
+
desc = "suspicious.embedded external content"
|
|
2692
|
+
mitre = "T1566.002"
|
|
2693
|
+
strings:
|
|
2694
|
+
$h_raw1 = "/S /URI" nocase
|
|
2695
|
+
condition:
|
|
2696
|
+
any of them
|
|
2683
2697
|
}
|
|
2684
2698
|
|
|
2685
2699
|
|
|
2686
2700
|
rule pdf_exploit_Corrupted_JPEG2000_CVE_2018_4990 {
|
|
2687
|
-
|
|
2688
|
-
|
|
2689
|
-
|
|
2690
|
-
|
|
2691
|
-
|
|
2692
|
-
|
|
2693
|
-
|
|
2694
|
-
|
|
2695
|
-
|
|
2696
|
-
|
|
2697
|
-
|
|
2698
|
-
|
|
2699
|
-
|
|
2700
|
-
|
|
2701
|
-
|
|
2701
|
+
meta:
|
|
2702
|
+
is_exploit = true
|
|
2703
|
+
is_warning = false
|
|
2704
|
+
is_feature = false
|
|
2705
|
+
rank = 5
|
|
2706
|
+
revision = "1"
|
|
2707
|
+
date = "June 07 2020"
|
|
2708
|
+
author = "@tylabs"
|
|
2709
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2710
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2711
|
+
desc = "pdf.exploit Corrupted JPEG2000 CVE-2018-4990"
|
|
2712
|
+
mitre = "T1203 T1204.002"
|
|
2713
|
+
strings:
|
|
2714
|
+
$h_hex1 = { 0C6A5020 200D0A87 0A000004 1D6A7032 68000000 16696864 72000000 20000000 200001FF 07000000 0003FC63 6D617000 }
|
|
2715
|
+
condition:
|
|
2716
|
+
$h_hex1
|
|
2702
2717
|
}
|
|
2703
2718
|
|
|
2704
2719
|
|
|
2705
2720
|
rule pdf_exploit_using_jbig2decode_CVE_2009_0658 {
|
|
2706
|
-
|
|
2707
|
-
|
|
2708
|
-
|
|
2709
|
-
|
|
2710
|
-
|
|
2711
|
-
|
|
2712
|
-
|
|
2713
|
-
|
|
2714
|
-
|
|
2715
|
-
|
|
2716
|
-
|
|
2717
|
-
|
|
2718
|
-
|
|
2719
|
-
|
|
2720
|
-
|
|
2721
|
-
|
|
2722
|
-
|
|
2723
|
-
|
|
2721
|
+
meta:
|
|
2722
|
+
is_exploit = true
|
|
2723
|
+
is_warning = false
|
|
2724
|
+
is_feature = false
|
|
2725
|
+
rank = 5
|
|
2726
|
+
revision = "1"
|
|
2727
|
+
date = "July 20 2020"
|
|
2728
|
+
author = "@tylabs"
|
|
2729
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
2730
|
+
copyright = "Copyright 2020 tylabs.com. All rights reserved."
|
|
2731
|
+
desc = "pdf.exploit using JBIG2Decode CVE-2009-0658"
|
|
2732
|
+
mitre = "T1203 T1204.002"
|
|
2733
|
+
url = "https://www.exploit-db.com/exploits/8099"
|
|
2734
|
+
strings:
|
|
2735
|
+
$h_raw1 = "JBIG2Decode" nocase
|
|
2736
|
+
$h_raw2 = "Decode [ 1 0 ]"
|
|
2737
|
+
$h_raw3 = "ABCD\x13"
|
|
2738
|
+
condition:
|
|
2739
|
+
all of them
|
|
2724
2740
|
}
|
|
2725
2741
|
|
|
2726
2742
|
|
|
2727
2743
|
rule PDF_Containing_JavaScript {
|
|
2728
2744
|
meta:
|
|
2729
2745
|
author = "InQuest Labs"
|
|
2730
|
-
|
|
2746
|
+
description = "This signature detects a PDF file that contains JavaScript. JavaScript can be used to customize PDFs by implementing objects, methods, and properties. While not inherently malicious, embedding JavaScript inside of a PDF is often used for malicious purposes such as malware delivery or exploitation."
|
|
2731
2747
|
created_date = "2022-03-15"
|
|
2732
2748
|
updated_date = "2022-03-15"
|
|
2733
2749
|
blog_reference = "www.sans.org/security-resources/malwarefaq/pdf-overview.php"
|
|
2734
2750
|
labs_reference = "N/A"
|
|
2735
2751
|
labs_pivot = "N/A"
|
|
2736
2752
|
samples = "c82e29dcaed3c71e05449cb9463f3efb7114ea22b6f45b16e09eae32db9f5bef"
|
|
2737
|
-
|
|
2738
|
-
|
|
2739
|
-
|
|
2740
|
-
|
|
2741
|
-
|
|
2742
|
-
|
|
2743
|
-
|
|
2744
|
-
$pdf_tag1 in (0..1024) and ($js_tag1 or $js_tag2)
|
|
2753
|
+
strings:
|
|
2754
|
+
$pdf_tag1 = /\x25\x50\x44\x46\x2d/
|
|
2755
|
+
$js_tag1 = "/JavaScript" fullword
|
|
2756
|
+
$js_tag2 = "/JS" fullword
|
|
2757
|
+
condition:
|
|
2758
|
+
$pdf_tag1 in (0..1024) and ($js_tag1 or $js_tag2)
|
|
2745
2759
|
|
|
2746
2760
|
}
|
|
2747
2761
|
|
|
@@ -2756,7 +2770,7 @@ rule PDF_Launch_Action_EXE {
|
|
|
2756
2770
|
labs_reference = "N/A"
|
|
2757
2771
|
labs_pivot = "N/A"
|
|
2758
2772
|
samples = "cb5e659c4ac93b335c77c9b389d8ef65d8c20ab8b0ad08e5f850cc5055e564c3"
|
|
2759
|
-
|
|
2773
|
+
strings:
|
|
2760
2774
|
|
|
2761
2775
|
/* 8 0 obj
|
|
2762
2776
|
<<
|
|
@@ -2776,30 +2790,28 @@ rule PDF_Launch_Action_EXE {
|
|
|
2776
2790
|
|
|
2777
2791
|
$re1 = /\x2fType[ \t\r\n]*\x2fAction/ nocase wide ascii
|
|
2778
2792
|
$re2 = /obj[^\x3c\x3e]+<<[^\x3e]*\x2fS[ \t\r\n]*\x2fLaunch[^\x3c\x3e]*<<[^\x3e]*\x2fF[ \t\r\n]*\x28[^\x29]+\.exe[^\x29]*\x29/ nocase wide ascii
|
|
2779
|
-
|
|
2780
|
-
|
|
2793
|
+
condition:
|
|
2781
2794
|
($magic01 in (filesize-30 .. filesize) or $magic02 in (0 .. 10)) and all of ($re*)
|
|
2782
|
-
|
|
2783
2795
|
}
|
|
2784
2796
|
|
|
2785
2797
|
|
|
2786
2798
|
rule PDF_Launch_Function {
|
|
2787
2799
|
meta:
|
|
2788
2800
|
author = "InQuest Labs"
|
|
2789
|
-
|
|
2801
|
+
description = "This signature detects the launch function within a PDF file. This function allows a document author to attach an executable file."
|
|
2790
2802
|
created_date = "2022-03-15"
|
|
2791
2803
|
updated_date = "2022-03-15"
|
|
2792
2804
|
blog_reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/PDF-launch-feature-abused-to-carry-zeuszbot/"
|
|
2793
2805
|
labs_reference = "N/A"
|
|
2794
2806
|
labs_pivot = "N/A"
|
|
2795
2807
|
samples = "c2f2d1de6bf973b849725f1069c649ce594a907c1481566c0411faba40943ee5"
|
|
2796
|
-
|
|
2808
|
+
strings:
|
|
2797
2809
|
|
|
2798
|
-
|
|
2799
|
-
|
|
2800
|
-
|
|
2810
|
+
$pdf_header = "%PDF-"
|
|
2811
|
+
$launch = "/Launch" nocase
|
|
2812
|
+
condition:
|
|
2801
2813
|
|
|
2802
|
-
|
|
2814
|
+
$pdf_header in (0..1024) and $launch
|
|
2803
2815
|
|
|
2804
2816
|
}
|
|
2805
2817
|
|
|
@@ -2815,16 +2827,16 @@ rule PDF_with_Embedded_RTF_OLE_Newlines {
|
|
|
2815
2827
|
labs_pivot = "N/A"
|
|
2816
2828
|
samples = "d784c53b8387f1e2f1bcb56a3604a37b431638642e692540ebeaeee48c1f1a07"
|
|
2817
2829
|
|
|
2818
|
-
|
|
2819
|
-
|
|
2830
|
+
strings:
|
|
2831
|
+
$rtf_magic = "{\\rt" // note that {\rtf1 is not required
|
|
2820
2832
|
|
|
2821
2833
|
$rtf_objdata = /\x7b[^\x7d]*\\objdata/ nocase
|
|
2822
2834
|
|
|
2823
2835
|
$nor = "D0CF11E0A1B11AE1" nocase
|
|
2824
2836
|
|
|
2825
2837
|
$obs = /D[ \r\t\n]*0[ \r\t\n]*C[ \r\t\n]*F[ \r\t\n]*1[ \r\t\n]*1[ \r\t\n]*E[ \r\t\n]*0[ \r\t\n]*A[ \r\t\n]*1[ \r\t\n]*B[ \r\t\n]*1[ \r\t\n]*1[ \r\t\n]*A[ \r\t\n]*E[ \r\t\n]*1/ nocase
|
|
2826
|
-
|
|
2827
|
-
|
|
2838
|
+
condition:
|
|
2839
|
+
$rtf_magic and $rtf_objdata and ($obs and not $nor)
|
|
2828
2840
|
}
|
|
2829
2841
|
|
|
2830
2842
|
|
|
@@ -2838,11 +2850,11 @@ rule PDF_with_Launch_Action_Function {
|
|
|
2838
2850
|
labs_reference = "N/A"
|
|
2839
2851
|
labs_pivot = "N/A"
|
|
2840
2852
|
samples = "a9fbb50dedfd84e1f4a3507d45b1b16baa43123f5ae98dae6aa9a5bebeb956a8"
|
|
2841
|
-
|
|
2842
|
-
|
|
2843
|
-
|
|
2844
|
-
|
|
2845
|
-
|
|
2853
|
+
strings:
|
|
2854
|
+
$pdf_header = "%PDF-"
|
|
2855
|
+
$a = "<</S/Launch/Type/Action/Win<</F"
|
|
2856
|
+
condition:
|
|
2857
|
+
$pdf_header in (0..1024) and $a
|
|
2846
2858
|
}
|
|
2847
2859
|
|
|
2848
2860
|
|
|
@@ -2994,3 +3006,67 @@ rule apt_apt29_wineloader_malicious_pdf {
|
|
|
2994
3006
|
uint32be(0) == 0x25504446 and
|
|
2995
3007
|
$s2 in (@s1..@s3) and $s4
|
|
2996
3008
|
}
|
|
3009
|
+
|
|
3010
|
+
|
|
3011
|
+
rule Malicious_PDF_Detector {
|
|
3012
|
+
meta:
|
|
3013
|
+
description = "Detects malicious PDF files Stage 1"
|
|
3014
|
+
author = "TangerangKota-CSIRT - nauliajati@tangerangkota.go.id & Mr. Naeem"
|
|
3015
|
+
date = "2025-05-19"
|
|
3016
|
+
version = "1.1"
|
|
3017
|
+
reference = "https://attack.mitre.org/techniques/T1203/"
|
|
3018
|
+
strings:
|
|
3019
|
+
$pdf_magic = { 25 50 44 46 2D }
|
|
3020
|
+
$aa = "/AA" ascii nocase
|
|
3021
|
+
$embedded = "/EmbeddedFile" ascii nocase
|
|
3022
|
+
$endobj = "endobj" ascii
|
|
3023
|
+
$js = "/JavaScript" ascii nocase
|
|
3024
|
+
$js2 = "/JS" ascii nocase
|
|
3025
|
+
$launch = "/Launch" ascii nocase
|
|
3026
|
+
$obj = "obj" ascii
|
|
3027
|
+
$open_action = "/OpenAction" ascii nocase
|
|
3028
|
+
$richmedia = "/RichMedia" ascii nocase
|
|
3029
|
+
$submit = "/SubmitForm" ascii nocase
|
|
3030
|
+
condition:
|
|
3031
|
+
$pdf_magic at 0 and
|
|
3032
|
+
3 of ($js, $js2, $open_action, $aa, $launch, $submit, $richmedia, $embedded) and
|
|
3033
|
+
#obj > 5 and #endobj > 5
|
|
3034
|
+
}
|
|
3035
|
+
|
|
3036
|
+
|
|
3037
|
+
rule Ransom_MSIL_JigsawLocker_PB_MTB{
|
|
3038
|
+
meta:
|
|
3039
|
+
description = "Ransom:MSIL/JigsawLocker.PB!MTB,SIGNATURE_TYPE_PEHSTR_EXT,03 00 03 00 03 00 00 "
|
|
3040
|
+
strings :
|
|
3041
|
+
$a_01_0 = {42 69 74 63 6f 69 6e 53 74 65 61 6c 65 72 2e 65 78 65 } //1 BitcoinStealer.exe
|
|
3042
|
+
$a_01_1 = {4e 00 69 00 74 00 72 00 6f 00 20 00 50 00 44 00 46 00 } //1 Nitro PDF
|
|
3043
|
+
$a_01_2 = {50 00 72 00 69 00 6d 00 6f 00 50 00 44 00 46 00 2e 00 65 00 78 00 65 00 } //1 PrimoPDF.exe
|
|
3044
|
+
condition:
|
|
3045
|
+
((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1) >=3
|
|
3046
|
+
}
|
|
3047
|
+
|
|
3048
|
+
|
|
3049
|
+
rule pdf_exploit_CVE_2023_21608 {
|
|
3050
|
+
meta:
|
|
3051
|
+
is_exploit = true
|
|
3052
|
+
is_warning = false
|
|
3053
|
+
is_feature = false
|
|
3054
|
+
rank = 5
|
|
3055
|
+
revision = "1"
|
|
3056
|
+
date = "April 12 2025"
|
|
3057
|
+
author = "@tylabs"
|
|
3058
|
+
sigtype = "pdfexaminer_obfuscation"
|
|
3059
|
+
copyright = "Copyright 2025 tylabs.com. All rights reserved."
|
|
3060
|
+
desc = "pdf.exploit Use-After-Free Vulnerability CVE-2023-21608"
|
|
3061
|
+
mitre = "T1203 T1204.002"
|
|
3062
|
+
url = "https://github.com/hacksysteam/CVE-2023-21608"
|
|
3063
|
+
strings:
|
|
3064
|
+
$s1 = "setAction(\"Calculate\"" nocase
|
|
3065
|
+
$s2 = "defineProperty(this" nocase
|
|
3066
|
+
$s3 = "this.resetForm()" nocase
|
|
3067
|
+
$s4 = "event.__defineGetter__(" nocase
|
|
3068
|
+
$s5 = "event.richValue" nocase
|
|
3069
|
+
$s6 = "Object.defineProperty(" nocase
|
|
3070
|
+
condition:
|
|
3071
|
+
3 of them
|
|
3072
|
+
}
|