pdfalyzer 1.16.7__py3-none-any.whl → 1.16.9__py3-none-any.whl



@@ -35,14 +35,14 @@ rule Cobaltgang_PDF_Metadata_Rev_A {
35
35
 
36
36
 
37
37
  rule PDF_Embedded_Exe : PDF {
38
- meta:
39
- ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar"
40
- strings:
41
- $header = {25 50 44 46}
42
- $Launch_Action = {3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46}
38
+ meta:
39
+ ref = "https://github.com/jacobsoo/Yara-Rules/blob/master/PDF_Embedded_Exe.yar"
40
+ strings:
41
+ $header = {25 50 44 46}
42
+ $Launch_Action = {3C 3C 2F 53 2F 4C 61 75 6E 63 68 2F 54 79 70 65 2F 41 63 74 69 6F 6E 2F 57 69 6E 3C 3C 2F 46}
43
43
  $exe = {3C 3C 2F 45 6D 62 65 64 64 65 64 46 69 6C 65 73}
44
44
  condition:
45
- $header at 0 and $Launch_Action and $exe
45
+ $header at 0 and $Launch_Action and $exe
46
46
  }
47
47
 
48
48
 
@@ -63,117 +63,117 @@ rule SUSP_Bad_PDF {
63
63
 
64
64
 
65
65
  rule malicious_author : PDF {
66
- meta:
67
- author = "Glenn Edwards (@hiddenillusion)"
68
- version = "0.1"
69
- weight = 5
66
+ meta:
67
+ author = "Glenn Edwards (@hiddenillusion)"
68
+ version = "0.1"
69
+ weight = 5
70
70
 
71
- strings:
72
- $magic = { 25 50 44 46 }
73
- $reg0 = /Creator.?\(yen vaw\)/
74
- $reg1 = /Title.?\(who cis\)/
75
- $reg2 = /Author.?\(ser pes\)/
76
- condition:
77
- $magic in (0..1024) and all of ($reg*)
71
+ strings:
72
+ $magic = { 25 50 44 46 }
73
+ $reg0 = /Creator.?\(yen vaw\)/
74
+ $reg1 = /Title.?\(who cis\)/
75
+ $reg2 = /Author.?\(ser pes\)/
76
+ condition:
77
+ $magic in (0..1024) and all of ($reg*)
78
78
  }
79
79
 
80
80
 
81
81
  rule suspicious_version : PDF {
82
- meta:
83
- author = "Glenn Edwards (@hiddenillusion)"
84
- version = "0.1"
85
- weight = 3
82
+ meta:
83
+ author = "Glenn Edwards (@hiddenillusion)"
84
+ version = "0.1"
85
+ weight = 3
86
86
 
87
- strings:
88
- $magic = { 25 50 44 46 }
89
- $ver = /%PDF-1.\d{1}/
90
- condition:
91
- $magic in (0..1024) and not $ver
87
+ strings:
88
+ $magic = { 25 50 44 46 }
89
+ $ver = /%PDF-1.\d{1}/
90
+ condition:
91
+ $magic in (0..1024) and not $ver
92
92
  }
93
93
 
94
94
 
95
95
  rule suspicious_creation : PDF {
96
- meta:
97
- author = "Glenn Edwards (@hiddenillusion)"
98
- version = "0.1"
99
- weight = 2
96
+ meta:
97
+ author = "Glenn Edwards (@hiddenillusion)"
98
+ version = "0.1"
99
+ weight = 2
100
100
 
101
- strings:
102
- $magic = { 25 50 44 46 }
103
- $header = /%PDF-1\.(3|4|6)/
104
- $create0 = /CreationDate \(D:20101015142358\)/
105
- $create1 = /CreationDate \(2008312053854\)/
106
- condition:
107
- $magic in (0..1024) and $header and 1 of ($create*)
101
+ strings:
102
+ $magic = { 25 50 44 46 }
103
+ $header = /%PDF-1\.(3|4|6)/
104
+ $create0 = /CreationDate \(D:20101015142358\)/
105
+ $create1 = /CreationDate \(2008312053854\)/
106
+ condition:
107
+ $magic in (0..1024) and $header and 1 of ($create*)
108
108
  }
109
109
 
110
110
 
111
111
  rule suspicious_title : PDF {
112
- meta:
113
- author = "Glenn Edwards (@hiddenillusion)"
114
- version = "0.1"
115
- weight = 4
112
+ meta:
113
+ author = "Glenn Edwards (@hiddenillusion)"
114
+ version = "0.1"
115
+ weight = 4
116
116
 
117
- strings:
118
- $magic = { 25 50 44 46 }
119
- $header = /%PDF-1\.(3|4|6)/
117
+ strings:
118
+ $magic = { 25 50 44 46 }
119
+ $header = /%PDF-1\.(3|4|6)/
120
120
 
121
- $title0 = "who cis"
122
- $title1 = "P66N7FF"
123
- $title2 = "Fohcirya"
124
- condition:
125
- $magic in (0..1024) and $header and 1 of ($title*)
121
+ $title0 = "who cis"
122
+ $title1 = "P66N7FF"
123
+ $title2 = "Fohcirya"
124
+ condition:
125
+ $magic in (0..1024) and $header and 1 of ($title*)
126
126
  }
127
127
 
128
128
 
129
129
  rule suspicious_author : PDF {
130
- meta:
131
- author = "Glenn Edwards (@hiddenillusion)"
132
- version = "0.1"
133
- weight = 4
130
+ meta:
131
+ author = "Glenn Edwards (@hiddenillusion)"
132
+ version = "0.1"
133
+ weight = 4
134
134
 
135
- strings:
136
- $magic = { 25 50 44 46 }
137
- $header = /%PDF-1\.(3|4|6)/
138
- $author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
139
- $author1 = "ser pes"
140
- $author2 = "Miekiemoes"
141
- $author3 = "Nsarkolke"
142
- condition:
143
- $magic in (0..1024) and $header and 1 of ($author*)
135
+ strings:
136
+ $magic = { 25 50 44 46 }
137
+ $header = /%PDF-1\.(3|4|6)/
138
+ $author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
139
+ $author1 = "ser pes"
140
+ $author2 = "Miekiemoes"
141
+ $author3 = "Nsarkolke"
142
+ condition:
143
+ $magic in (0..1024) and $header and 1 of ($author*)
144
144
  }
145
145
 
146
146
 
147
147
  rule suspicious_producer : PDF {
148
- meta:
149
- author = "Glenn Edwards (@hiddenillusion)"
150
- version = "0.1"
151
- weight = 2
148
+ meta:
149
+ author = "Glenn Edwards (@hiddenillusion)"
150
+ version = "0.1"
151
+ weight = 2
152
152
 
153
- strings:
154
- $magic = { 25 50 44 46 }
155
- $header = /%PDF-1\.(3|4|6)/
153
+ strings:
154
+ $magic = { 25 50 44 46 }
155
+ $header = /%PDF-1\.(3|4|6)/
156
156
 
157
- $producer0 = /Producer \(Scribus PDF Library/
158
- $producer1 = "Notepad"
159
- condition:
160
- $magic in (0..1024) and $header and 1 of ($producer*)
157
+ $producer0 = /Producer \(Scribus PDF Library/
158
+ $producer1 = "Notepad"
159
+ condition:
160
+ $magic in (0..1024) and $header and 1 of ($producer*)
161
161
  }
162
162
 
163
163
 
164
164
  rule suspicious_creator : PDF {
165
- meta:
166
- author = "Glenn Edwards (@hiddenillusion)"
167
- version = "0.1"
168
- weight = 3
169
- strings:
170
- $magic = { 25 50 44 46 }
171
- $header = /%PDF-1\.(3|4|6)/
172
- $creator0 = "yen vaw"
173
- $creator1 = "Scribus"
174
- $creator2 = "Viraciregavi"
175
- condition:
176
- $magic in (0..1024) and $header and 1 of ($creator*)
165
+ meta:
166
+ author = "Glenn Edwards (@hiddenillusion)"
167
+ version = "0.1"
168
+ weight = 3
169
+ strings:
170
+ $magic = { 25 50 44 46 }
171
+ $header = /%PDF-1\.(3|4|6)/
172
+ $creator0 = "yen vaw"
173
+ $creator1 = "Scribus"
174
+ $creator2 = "Viraciregavi"
175
+ condition:
176
+ $magic in (0..1024) and $header and 1 of ($creator*)
177
177
  }
178
178
 
179
179
 
@@ -211,89 +211,89 @@ rule multiple_filtering : PDF {
211
211
 
212
212
 
213
213
  rule suspicious_launch_action : PDF {
214
- meta:
215
- author = "Glenn Edwards (@hiddenillusion)"
216
- version = "0.1"
217
- weight = 2
218
- strings:
219
- $magic = { 25 50 44 46 }
220
- $attrib0 = /\/Launch/
221
- $attrib1 = /\/URL /
222
- $attrib2 = /\/Action/
223
- $attrib3 = /\/F /
224
- condition:
225
- $magic in (0..1024) and 3 of ($attrib*)
214
+ meta:
215
+ author = "Glenn Edwards (@hiddenillusion)"
216
+ version = "0.1"
217
+ weight = 2
218
+ strings:
219
+ $magic = { 25 50 44 46 }
220
+ $attrib0 = /\/Launch/
221
+ $attrib1 = /\/URL /
222
+ $attrib2 = /\/Action/
223
+ $attrib3 = /\/F /
224
+ condition:
225
+ $magic in (0..1024) and 3 of ($attrib*)
226
226
  }
227
227
 
228
228
 
229
229
  rule suspicious_embed : PDF {
230
- meta:
231
- author = "Glenn Edwards (@hiddenillusion)"
232
- version = "0.1"
233
- ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
234
- weight = 2
235
- strings:
236
- $magic = { 25 50 44 46 }
237
- $meth0 = /\/Launch/
238
- $meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
239
- $attrib0 = /\/URL /
240
- $attrib1 = /\/Action/
241
- $attrib2 = /\/Filespec/
242
- condition:
243
- $magic in (0..1024) and 1 of ($meth*) and 2 of ($attrib*)
230
+ meta:
231
+ author = "Glenn Edwards (@hiddenillusion)"
232
+ version = "0.1"
233
+ ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
234
+ weight = 2
235
+ strings:
236
+ $magic = { 25 50 44 46 }
237
+ $meth0 = /\/Launch/
238
+ $meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
239
+ $attrib0 = /\/URL /
240
+ $attrib1 = /\/Action/
241
+ $attrib2 = /\/Filespec/
242
+ condition:
243
+ $magic in (0..1024) and 1 of ($meth*) and 2 of ($attrib*)
244
244
  }
245
245
 
246
246
 
247
247
  rule suspicious_obfuscation : PDF {
248
- meta:
249
- author = "Glenn Edwards (@hiddenillusion)"
250
- version = "0.1"
251
- weight = 2
252
- strings:
253
- $magic = { 25 50 44 46 }
254
- $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
255
- condition:
256
- $magic in (0..1024) and #reg > 5
248
+ meta:
249
+ author = "Glenn Edwards (@hiddenillusion)"
250
+ version = "0.1"
251
+ weight = 2
252
+ strings:
253
+ $magic = { 25 50 44 46 }
254
+ $reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
255
+ condition:
256
+ $magic in (0..1024) and #reg > 5
257
257
  }
258
258
 
259
259
 
260
260
  rule invalid_XObject_js : PDF {
261
- meta:
262
- author = "Glenn Edwards (@hiddenillusion)"
263
- description = "XObject's require v1.4+"
264
- ref = "https://blogs.adobe.com/ReferenceXObjects/"
265
- version = "0.1"
266
- weight = 2
267
- strings:
268
- $magic = { 25 50 44 46 }
269
- $ver = /%PDF-1\.[4-9]/
270
- $attrib0 = /\/XObject/
271
- $attrib1 = /\/JavaScript/
272
- condition:
273
- $magic in (0..1024) and not $ver and all of ($attrib*)
261
+ meta:
262
+ author = "Glenn Edwards (@hiddenillusion)"
263
+ description = "XObject's require v1.4+"
264
+ ref = "https://blogs.adobe.com/ReferenceXObjects/"
265
+ version = "0.1"
266
+ weight = 2
267
+ strings:
268
+ $magic = { 25 50 44 46 }
269
+ $ver = /%PDF-1\.[4-9]/
270
+ $attrib0 = /\/XObject/
271
+ $attrib1 = /\/JavaScript/
272
+ condition:
273
+ $magic in (0..1024) and not $ver and all of ($attrib*)
274
274
  }
275
275
 
276
276
 
277
277
  rule invalid_trailer_structure : PDF {
278
- meta:
279
- author = "Glenn Edwards (@hiddenillusion), @malvidin"
280
- version = "0.2"
281
- weight = 1
278
+ meta:
279
+ author = "Glenn Edwards (@hiddenillusion), @malvidin"
280
+ version = "0.2"
281
+ weight = 1
282
282
  strings:
283
- $magic = "%PDF" // Required for a valid PDF
284
- $reg0 = /trailer[ \r\n]*<<.{0,1000}\/Size\b/s
285
- $reg1 = /\/Root\b.{0,1000}[ \r\n]*.{0,500}startxref[ \r\n]*.{0,500}[ \r\n]*%%EOF/s
286
- condition:
287
- $magic in (0..1024) and not ($reg0 or $reg1)
283
+ $magic = "%PDF" // Required for a valid PDF
284
+ $reg0 = /trailer[ \r\n]*<<.{0,1000}\/Size\b/s
285
+ $reg1 = /\/Root\b.{0,1000}[ \r\n]*.{0,500}startxref[ \r\n]*.{0,500}[ \r\n]*%%EOF/s
286
+ condition:
287
+ $magic in (0..1024) and not ($reg0 or $reg1)
288
288
  }
289
289
 
290
290
 
291
291
  rule multiple_versions : PDF {
292
- meta:
293
- author = "Glenn Edwards (@hiddenillusion)"
294
- version = "0.1"
292
+ meta:
293
+ author = "Glenn Edwards (@hiddenillusion)"
294
+ version = "0.1"
295
295
  description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"
296
- weight = 0
296
+ weight = 0
297
297
 
298
298
  strings:
299
299
  $magic = { 25 50 44 46 }
@@ -305,12 +305,12 @@ rule multiple_versions : PDF {
305
305
 
306
306
 
307
307
  rule js_wrong_version : PDF {
308
- meta:
309
- author = "Glenn Edwards (@hiddenillusion)"
310
- description = "JavaScript was introduced in v1.3"
311
- ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
312
- version = "0.1"
313
- weight = 2
308
+ meta:
309
+ author = "Glenn Edwards (@hiddenillusion)"
310
+ description = "JavaScript was introduced in v1.3"
311
+ ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
312
+ version = "0.1"
313
+ weight = 2
314
314
  strings:
315
315
  $magic = { 25 50 44 46 }
316
316
  $js = /\/JavaScript/
@@ -321,12 +321,12 @@ rule js_wrong_version : PDF {
321
321
 
322
322
 
323
323
  rule JBIG2_wrong_version : PDF {
324
- meta:
325
- author = "Glenn Edwards (@hiddenillusion)"
326
- description = "JBIG2 was introduced in v1.4"
327
- ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
328
- version = "0.1"
329
- weight = 1
324
+ meta:
325
+ author = "Glenn Edwards (@hiddenillusion)"
326
+ description = "JBIG2 was introduced in v1.4"
327
+ ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
328
+ version = "0.1"
329
+ weight = 1
330
330
 
331
331
  strings:
332
332
  $magic = { 25 50 44 46 }
@@ -338,12 +338,12 @@ rule JBIG2_wrong_version : PDF {
338
338
 
339
339
 
340
340
  rule FlateDecode_wrong_version : PDF {
341
- meta:
342
- author = "Glenn Edwards (@hiddenillusion)"
343
- description = "Flate was introduced in v1.2"
344
- ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
345
- version = "0.1"
346
- weight = 1
341
+ meta:
342
+ author = "Glenn Edwards (@hiddenillusion)"
343
+ description = "Flate was introduced in v1.2"
344
+ ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
345
+ version = "0.1"
346
+ weight = 1
347
347
 
348
348
  strings:
349
349
  $magic = { 25 50 44 46 }
@@ -355,12 +355,12 @@ rule FlateDecode_wrong_version : PDF {
355
355
 
356
356
 
357
357
  rule embed_wrong_version : PDF {
358
- meta:
359
- author = "Glenn Edwards (@hiddenillusion)"
360
- description = "EmbeddedFiles were introduced in v1.3"
361
- ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
362
- version = "0.1"
363
- weight = 1
358
+ meta:
359
+ author = "Glenn Edwards (@hiddenillusion)"
360
+ description = "EmbeddedFiles were introduced in v1.3"
361
+ ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
362
+ version = "0.1"
363
+ weight = 1
364
364
  strings:
365
365
  $magic = { 25 50 44 46 }
366
366
  $embed = /\/EmbeddedFiles/
@@ -421,17 +421,17 @@ rule header_evasion : PDF {
421
421
 
422
422
 
423
423
  rule BlackHole_v2 : PDF {
424
- meta:
425
- author = "Glenn Edwards (@hiddenillusion)"
426
- version = "0.1"
427
- ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
428
- weight = 3
424
+ meta:
425
+ author = "Glenn Edwards (@hiddenillusion)"
426
+ version = "0.1"
427
+ ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
428
+ weight = 3
429
429
 
430
- strings:
431
- $magic = { 25 50 44 46 }
432
- $content = "Index[5 1 7 1 9 4 23 4 50"
433
- condition:
434
- $magic in (0..1024) and $content
430
+ strings:
431
+ $magic = { 25 50 44 46 }
432
+ $content = "Index[5 1 7 1 9 4 23 4 50"
433
+ condition:
434
+ $magic in (0..1024) and $content
435
435
  }
436
436
 
437
437
  rule blackhole2_pdf : EK PDF{
@@ -469,19 +469,19 @@ rule blackhole2_pdf : EK PDF{
469
469
  }
470
470
 
471
471
  rule XDP_embedded_PDF : PDF {
472
- meta:
473
- author = "Glenn Edwards (@hiddenillusion)"
474
- version = "0.1"
475
- ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
472
+ meta:
473
+ author = "Glenn Edwards (@hiddenillusion)"
474
+ version = "0.1"
475
+ ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
476
476
  weight = 1
477
- strings:
478
- $s1 = "<pdf xmlns="
479
- $s2 = "<chunk>"
480
- $s3 = "</pdf>"
481
- $header0 = "%PDF"
482
- $header1 = "JVBERi0"
483
- condition:
484
- all of ($s*) and 1 of ($header*)
477
+ strings:
478
+ $s1 = "<pdf xmlns="
479
+ $s2 = "<chunk>"
480
+ $s3 = "</pdf>"
481
+ $header0 = "%PDF"
482
+ $header1 = "JVBERi0"
483
+ condition:
484
+ all of ($s*) and 1 of ($header*)
485
485
  }
486
486
 
487
487
 
@@ -588,11 +588,9 @@ rule APT_APT29_NOBELIUM_BoomBox_PDF_Masq_May21_1 {
588
588
  reference = "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
589
589
  date = "2021-05-27"
590
590
  score = 70
591
-
592
591
  strings:
593
592
  $ah1 = { 25 50 44 46 2d 31 2e 33 0a 25 } /* PDF Header */
594
593
  $af1 = { 0a 25 25 45 4f 46 0a } /* EOF */
595
-
596
594
  $fp1 = "endobj" ascii
597
595
  $fp2 = "endstream" ascii
598
596
  $fp3 = { 20 6F 62 6A 0A } /* obj\x0a */
@@ -615,33 +613,13 @@ rule Adobe_Type_1_Font {
615
613
  project_zero_link = "https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2020/CVE-2020-27930.html"
616
614
  labs_pivot = "N/A"
617
615
  samples = "64f2c43f3d01eae65125024797d5a40d2fdc9c825c7043f928814b85cd8201a2"
618
-
619
- strings:
616
+ strings:
620
617
  $pdf = "%PDF-"
621
618
  $magic_classic = "%!FontType1-1."
622
619
  $magic_next_generation1 = /obj\s*<<[^>]*\/Type\s*\/Font[^>]*\/Subtype\s*\/Type1/
623
620
  $magic_next_generation2 = /obj\s*<<[^>]*\/Subtype\s*\/Type1[^>]*\/Type\s*\/Font/
624
- condition:
625
- $magic_classic in (0..1024) or ($pdf in (0..1024) and any of ($magic_next_generation*))
626
- }
627
-
628
-
629
- rule PDF_Containing_JavaScript {
630
- meta:
631
- author = "InQuest Labs"
632
- description = "This signature detects a PDF file that contains JavaScript. JavaScript can be used to customize PDFs by implementing objects, methods, and properties. While not inherently malicious, embedding JavaScript inside of a PDF is often used for malicious purposes such as malware delivery or exploitation."
633
- created_date = "2022-03-15"
634
- updated_date = "2022-03-15"
635
- blog_reference = "www.sans.org/security-resources/malwarefaq/pdf-overview.php"
636
- labs_reference = "N/A"
637
- labs_pivot = "N/A"
638
- samples = "c82e29dcaed3c71e05449cb9463f3efb7114ea22b6f45b16e09eae32db9f5bef"
639
- strings:
640
- $pdf_tag1 = /\x25\x50\x44\x46\x2d/
641
- $js_tag1 = "/JavaScript" fullword
642
- $js_tag2 = "/JS" fullword
643
- condition:
644
- $pdf_tag1 in (0..1024) and ($js_tag1 or $js_tag2)
621
+ condition:
622
+ $magic_classic in (0..1024) or ($pdf in (0..1024) and any of ($magic_next_generation*))
645
623
  }
646
624
 
647
625
 
@@ -655,90 +633,18 @@ rule JS_PDF_Data_Submission {
655
633
  labs_reference = "N/A"
656
634
  labs_pivot = "N/A"
657
635
  samples = "a0adbe66e11bdeaf880b81b41cd63964084084a413069389364c98da0c4d2a13"
658
- strings:
636
+ strings:
659
637
  $pdf_header = "%PDF-"
660
638
  $js = /(\/JS|\/JavaScript)/ nocase
661
639
  $a1 = /app\s*\.\s*doc\s*\.\s*submitForm\s*\(\s*['"]http/ nocase
662
640
  $inq_tail = "INQUEST-PP=pdfparser"
663
- condition:
641
+ condition:
664
642
  ($pdf_header in (0..1024) or $inq_tail in (filesize-30..filesize))
665
643
  and $js
666
644
  and $a1
667
645
  }
668
646
 
669
647
 
670
- rule PDF_Launch_Action_EXE {
671
- meta:
672
- author = "InQuest Labs"
673
- description = "This signature detects PDF files that launch an executable upon being opened on a host machine. This action is performed by the Launch Action feature available in the PDF file format and is commonly abused by threat actors to execute delivered malware."
674
- created_date = "2022-03-15"
675
- updated_date = "2022-03-15"
676
- blog_reference = "InQuest Labs Empirical Observations"
677
- labs_reference = "N/A"
678
- labs_pivot = "N/A"
679
- samples = "cb5e659c4ac93b335c77c9b389d8ef65d8c20ab8b0ad08e5f850cc5055e564c3"
680
-
681
- strings:
682
- /* 8 0 obj
683
- <<
684
- /Type /Action
685
- /S /Launch
686
- /Win
687
- <<
688
- /F (cmd.exe)
689
- >>
690
- >>
691
- endobj
692
- */
693
- $magic01 = "INQUEST-PP=pdfparser"
694
- $magic02 = "%PDF"
695
-
696
- $re1 = /\x2fType[ \t\r\n]*\x2fAction/ nocase wide ascii
697
- $re2 = /obj[^\x3c\x3e]+<<[^\x3e]*\x2fS[ \t\r\n]*\x2fLaunch[^\x3c\x3e]*<<[^\x3e]*\x2fF[ \t\r\n]*\x28[^\x29]+\.exe[^\x29]*\x29/ nocase wide ascii
698
- condition:
699
- ($magic01 in (filesize-30 .. filesize) or $magic02 in (0 .. 10)) and all of ($re*)
700
- }
701
-
702
-
703
- rule PDF_Launch_Function {
704
- meta:
705
- author = "InQuest Labs"
706
- description = "This signature detects the launch function within a PDF file. This function allows a document author to attach an executable file."
707
- created_date = "2022-03-15"
708
- updated_date = "2022-03-15"
709
- blog_reference = "http://blog.trendmicro.com/trendlabs-security-intelligence/PDF-launch-feature-abused-to-carry-zeuszbot/"
710
- labs_reference = "N/A"
711
- labs_pivot = "N/A"
712
- samples = "c2f2d1de6bf973b849725f1069c649ce594a907c1481566c0411faba40943ee5"
713
- strings:
714
- $pdf_header = "%PDF-"
715
- $launch = "/Launch" nocase
716
- condition:
717
- $pdf_header in (0..1024) and $launch
718
-
719
- }
720
-
721
-
722
- rule PDF_with_Embedded_RTF_OLE_Newlines {
723
- meta:
724
- author = "InQuest Labs"
725
- description = "This signature detects suspicious PDF files embedded with RTF files that contain embedded OLE content that injects newlines into embedded OLE contents as a means of payload obfuscation and detection evasion."
726
- created_date = "2022-03-15"
727
- updated_date = "2022-03-15"
728
- blog_reference = "InQuest Internal Research"
729
- labs_reference = "N/A"
730
- labs_pivot = "N/A"
731
- samples = "d784c53b8387f1e2f1bcb56a3604a37b431638642e692540ebeaeee48c1f1a07"
732
-
733
- strings:
734
- $rtf_magic = "{\\rt" // note that {\rtf1 is not required
735
- $rtf_objdata = /\x7b[^\x7d]*\\objdata/ nocase
736
- $nor = "D0CF11E0A1B11AE1" nocase
737
- $obs = /D[ \r\t\n]*0[ \r\t\n]*C[ \r\t\n]*F[ \r\t\n]*1[ \r\t\n]*1[ \r\t\n]*E[ \r\t\n]*0[ \r\t\n]*A[ \r\t\n]*1[ \r\t\n]*B[ \r\t\n]*1[ \r\t\n]*1[ \r\t\n]*A[ \r\t\n]*E[ \r\t\n]*1/ nocase
738
- condition:
739
- $rtf_magic and $rtf_objdata and ($obs and not $nor)
740
- }
741
-
742
648
  /*
743
649
  This signature detects Adobe PDF files that reference a remote UNC object for the purpose of leaking NTLM hashes.
744
650
  New methods for NTLM hash leaks are discovered from time to time. This particular one is triggered upon opening of a
@@ -786,8 +692,6 @@ example three:
786
692
 
787
693
  Multiple protocols supported for the /F include, both http and UNC.
788
694
  */
789
-
790
-
791
695
  rule NTLM_Credential_Theft_via_PDF {
792
696
  meta:
793
697
  Author = "InQuest Labs"
@@ -803,24 +707,6 @@ rule NTLM_Credential_Theft_via_PDF {
803
707
  }
804
708
 
805
709
 
806
- rule PDF_with_Launch_Action_Function {
807
- meta:
808
- author = "InQuest Labs"
809
- description = "This signature detects the launch function within a PDF file. This function allows the document author to attach an executable file."
810
- created_date = "2022-03-15"
811
- updated_date = "2022-03-15"
812
- blog_reference = "http://blog.didierstevens.com/2010/03/29/escape-from-pdf/"
813
- labs_reference = "N/A"
814
- labs_pivot = "N/A"
815
- samples = "a9fbb50dedfd84e1f4a3507d45b1b16baa43123f5ae98dae6aa9a5bebeb956a8"
816
- strings:
817
- $pdf_header = "%PDF-"
818
- $a = "<</S/Launch/Type/Action/Win<</F"
819
- condition:
820
- $pdf_header in (0..1024) and $a
821
- }
822
-
823
-
824
710
  rule PDF_JS_guillemet_close_in_Adobe_Type1_font {
825
711
  meta:
826
712
  author = "Michel de Cryptadamus"
@@ -831,10 +717,10 @@ rule PDF_JS_guillemet_close_in_Adobe_Type1_font {
831
717
  breach_description = "https://cryptadamus.substack.com/p/the-hack-at-the-end-of-the-universe"
832
718
  samples = "61d47fbfe855446d77c7da74b0b3d23dbcee4e4e48065a397bbf09a7988f596e"
833
719
  in_the_wild = true
834
- strings:
720
+ strings:
835
721
  // "/FJS`\xbb`"
836
- $url_js_backtick_close_obj = {2F 46 4A 53 60 BB 60}
837
- condition:
722
+ $url_js_backtick_close_obj = {2F 46 4A 53 60 BB 60}
723
+ condition:
838
724
  $url_js_backtick_close_obj and Adobe_Type_1_Font
839
725
  }
840
726
 
@@ -1098,52 +984,52 @@ rule HKTL_EmbeddedPDF {
1098
984
 
1099
985
 
1100
986
  rule suspicious_js {
1101
- meta:
987
+ meta:
1102
988
  severity = 6
1103
989
  type = "pdf"
1104
- author = "Glenn Edwards (@hiddenillusion)"
1105
- version = "0.1"
1106
- weight = 3
1107
- description = "possible exploit"
990
+ author = "Glenn Edwards (@hiddenillusion)"
991
+ version = "0.1"
992
+ weight = 3
993
+ description = "possible exploit"
1108
994
  reference = "https://github.com/a232319779/mmpi/blob/master/mmpi/data/yara/pdf/pdf.yara"
1109
- strings:
1110
- $magic = { 25 50 44 46 }
1111
- $attrib0 = /\/OpenAction /
1112
- $attrib1 = /\/JavaScript /
1113
- $js0 = "eval"
1114
- $js1 = "Array"
1115
- $js2 = "String.fromCharCode"
1116
- condition:
1117
- $magic at 0 and all of ($attrib*) and 2 of ($js*)
995
+ strings:
996
+ $magic = { 25 50 44 46 }
997
+ $attrib0 = /\/OpenAction /
998
+ $attrib1 = /\/JavaScript /
999
+ $js0 = "eval"
1000
+ $js1 = "Array"
1001
+ $js2 = "String.fromCharCode"
1002
+ condition:
1003
+ $magic at 0 and all of ($attrib*) and 2 of ($js*)
1118
1004
  }
1119
1005
 
1120
1006
 
1121
1007
  rule possible_exploit {
1122
- meta:
1008
+ meta:
1123
1009
  severity = 9
1124
1010
  type = "pdf"
1125
- author = "Glenn Edwards (@hiddenillusion)"
1126
- version = "0.1"
1127
- weight = 3
1128
- url = "https://github.com/hiddenillusion/AnalyzePDF/blob/master/pdf_rules.yara"
1011
+ author = "Glenn Edwards (@hiddenillusion)"
1012
+ version = "0.1"
1013
+ weight = 3
1014
+ url = "https://github.com/hiddenillusion/AnalyzePDF/blob/master/pdf_rules.yara"
1129
1015
  description = "possible exploit"
1130
1016
  reference = "https://github.com/a232319779/mmpi/blob/master/mmpi/data/yara/pdf/pdf.yara"
1131
- strings:
1132
- $magic = { 25 50 44 46 }
1017
+ strings:
1018
+ $magic = { 25 50 44 46 }
1133
1019
 
1134
- $attrib0 = /\/JavaScript /
1135
- $attrib3 = /\/ASCIIHexDecode/
1136
- $attrib4 = /\/ASCII85Decode/
1020
+ $attrib0 = /\/JavaScript /
1021
+ $attrib3 = /\/ASCIIHexDecode/
1022
+ $attrib4 = /\/ASCII85Decode/
1137
1023
 
1138
- $action0 = /\/Action/
1139
- $action1 = "Array"
1140
- $shell = "A"
1141
- $cond0 = "unescape"
1142
- $cond1 = "String.fromCharCode"
1024
+ $action0 = /\/Action/
1025
+ $action1 = "Array"
1026
+ $shell = "A"
1027
+ $cond0 = "unescape"
1028
+ $cond1 = "String.fromCharCode"
1143
1029
 
1144
- $nop = "%u9090%u9090"
1145
- condition:
1146
- $magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
1030
+ $nop = "%u9090%u9090"
1031
+ condition:
1032
+ $magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
1147
1033
  }
1148
1034
 
1149
1035
 
@@ -1262,7 +1148,7 @@ rule Detect_URLs {
1262
1148
 
1263
1149
  rule Detect_PDF_Embedded_Files {
1264
1150
  meta:
1265
- atk_type = "Macro"
1151
+ atk_type = "Macro"
1266
1152
  description = "Detects embedded files in PDF files"
1267
1153
  author = "groommang"
1268
1154
  date = "2024-06-25"
@@ -1276,7 +1162,7 @@ rule Detect_PDF_Embedded_Files {
1276
1162
 
1277
1163
  rule Detect_PDF_Suspicious_AcroForms {
1278
1164
  meta:
1279
- atk_type = "Macro"
1165
+ atk_type = "Macro"
1280
1166
  description = "Detects suspicious AcroForms in PDF files"
1281
1167
  author = "groommang"
1282
1168
  date = "2024-06-25"
@@ -1290,24 +1176,24 @@ rule Detect_PDF_Suspicious_AcroForms {
1290
1176
 
1291
1177
  rule oAuth_Phishing_PDF {
1292
1178
  meta:
1179
+ description = "Identifies potential phishing PDFs that target oAuth."
1293
1180
  id = "789YmThaTvLDaE1V2Oqx7q"
1294
1181
  fingerprint = "c367bca866de0b066e291b4e45216cbb68cc23297b002a29ca3c8d640a7db78e"
1295
1182
  version = "1.0"
1296
1183
  creation_date = "2022-01-01"
1297
1184
  first_imported = "2022-02-03"
1298
- last_modified = "2022-02-03"
1185
+ last_modified = "2025-03-10"
1299
1186
  status = "RELEASED"
1300
1187
  sharing = "TLP:WHITE"
1301
1188
  source = "BARTBLAZE"
1302
1189
  author = "@bartblaze"
1303
- description = "Identifies potential phishing PDFs that target oAuth."
1304
1190
  category = "MALWARE"
1305
1191
  reference = "https://twitter.com/ffforward/status/1484127442679836676"
1306
1192
  strings:
1307
1193
  $pdf = {25504446} //%PDF
1308
- $s1 = "/URI (https://login.microsoftonline.com/common/oauth2/" ascii wide nocase
1309
- $s2 = "/URI (https://login.microsoftonline.com/consumers/oauth2" ascii wide nocase
1310
- $s3 = "/URI (https://accounts.google.com/o/oauth2" ascii wide nocase
1194
+ $s1 = "/URI (https://login.microsoftonline.com/common/oauth2/" nocase
1195
+ $s2 = "/URI (https://login.microsoftonline.com/consumers/oauth2" nocase
1196
+ $s3 = "/URI (https://accounts.google.com/o/oauth2" nocase
1311
1197
  condition:
1312
1198
  $pdf at 0 and any of ($s*)
1313
1199
  }
@@ -1316,18 +1202,18 @@ rule oAuth_Phishing_PDF {
1316
1202
  rule Adobe_XMP_Identifier {
1317
1203
  meta:
1318
1204
  author = "InQuest Labs"
1319
- description = "This signature identifies Adobe Extensible Metadata Platform (XMP) identifiers embedded within files. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. These identifiers can be used to track both malicious and benign graphics within common Microsoft and Adobe document lures."
1205
+ description = "This signature identifies Adobe Extensible Metadata Platform (XMP) identifiers embedded within files. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. These identifiers can be used to track both malicious and benign graphics within common Microsoft and Adobe document lures."
1320
1206
  created_date = "2022-03-15"
1321
1207
  updated_date = "2022-03-15"
1322
1208
  blog_reference = "http://wwwimages.adobe.com/content/dam/acom/en/products/xmp/Pdfs/XMPAssetRelationships.pdf"
1323
1209
  labs_reference = "https://labs.inquest.net/dfi/sha256/1030710f6f18950f01b1a55d50a5169717e48567aa13a0a769f5451423280b4d"
1324
1210
  labs_pivot = "https://labs.inquest.net/dfi/search/ioc/xmpid/xmp.did%3AEDC9411A6A5F11E2838BB9184F90E845##eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ=="
1325
1211
  samples = "1030710f6f18950f01b1a55d50a5169717e48567aa13a0a769f5451423280b4d"
1326
- strings:
1212
+ strings:
1327
1213
  $xmp_md5 = /xmp\.[dio]id[-: _][a-f0-9]{32}/ nocase ascii wide
1328
1214
  $xmp_guid = /xmp\.[dio]id[-: _][a-f0-9]{36}/ nocase ascii wide
1329
- condition:
1330
- any of them
1215
+ condition:
1216
+ any of them
1331
1217
  }
1332
1218
 
1333
1219
 
@@ -1417,57 +1303,57 @@ rule pdf_fake_password {
1417
1303
 
1418
1304
 
1419
1305
  rule pdf_mal_script {
1420
- strings:
1421
- $magic = { 25 50 44 46 }
1422
- $action0 = "<</S/Launch/Type/Action/Win<<" nocase ascii
1423
- $action1 = "/Type/Action>>" nocase ascii
1424
- $action2 = "/OpenAction" nocase ascii
1425
- $action3 = "<< /Type /Action" nocase ascii
1426
- $action4 = "/Type /Action" nocase ascii
1427
- $uri = "/S /URI /Type /Action /URI"
1428
- $launch = "/S /Launch /Win" nocase ascii
1429
- $cmd = "(cmd.exe)" nocase ascii
1430
- $ps = "powershell" nocase ascii
1431
- $pscom0 = "DownloadFile" nocase ascii
1432
- $pscom1 = "payload" nocase ascii
1433
- $homepath = "%HOMEPATH%" nocase ascii
1434
- $start0 = "start" nocase ascii
1435
- $start1 = "startxref" nocase ascii
1436
- $js0 = "<</S/JavaScript/JS" nocase ascii
1437
- $js1 = /\/JS \([^)]+?\\/
1438
- $js2 = "/JavaScript" nocase ascii
1439
- $emb0 = "/EmbeddedFiles" nocase ascii
1440
- $emb1 = "/EmbeddedFile" nocase ascii
1441
- $url0 = "https://shapeupfitnessdkk-my.sharepoint.com/:b:/g/personal/michelle_shapeupfitness_dk/Ebd2GDh2N8JErL23JmMNmw8BQA7JVpGiS_C6TGkERpma4A?e=xBbtrV"
1442
- $url1 = "https://ipfs.io/ipfs/QmSyYCjyTMyo1dM2dWBY6ExTmodmU1oSBWTdmEDTLrEenC#http://www.booking.com/"
1443
- $url2 = "https://romacul.com.br/workshop/wp-content/mail.outlookoffice365.com.html"
1444
- $url3 = "https://www.hitplus.fr/2018/click.php?url=https://cutt.ly/seU8MT6t#F8i_bfW"
1445
- $url4 = "https://etehadshipping.com/"
1446
- $url5 = "https://afarm.net/"
1447
- $url6 = "https://portals.checkfedexexp.com"
1448
- $url7 = "https://otcworldmedia.com"
1449
- $url8 = "http://tiny.cc/"
1450
- $url9 = "http://128.199.7.40/"
1451
- $invoc = "%%Invocation:" nocase ascii
1452
- $op0 = "-sOutputFile=" nocase ascii
1453
- $op1 = "-dNumRenderingThreads=" nocase ascii
1454
- $op2 = "-sDEVICE=" nocase ascii
1455
- $op3 = "-dAutoRotatePages=" nocase ascii
1456
- $script0 = "<script" nocase ascii
1457
- $script1 = "</script>" nocase ascii
1458
- $tag0 = "<event" nocase ascii
1459
- $tag1 = "</event>" nocase ascii
1460
- $event0 = "event.target.exportXFAData" nocase ascii
1461
- $event1 = "activity=" nocase ascii
1462
- condition:
1463
- ($magic at 0 and (8 of them)) or
1464
- ($magic at 0 and ($action0 or $action1 or $action2) and ($cmd or $ps) or ($pscom0 or $pscom1) and ($start0 or $start1) and $launch and $homepath and $js0) or
1465
- ($magic at 0 and ($action2 or $action3) and (1 of ($emb*))) or
1466
- ($magic at 0 and ( 1 of($url*))) or
1467
- ($magic at 0 and $action4 and ($js1 or $js2)) or
1468
- ($magic at 0 and $invoc and (2 of ($op*))) or
1469
- ($magic at 0 and $uri) or
1470
- ($magic at 0 and (2 of ($script*)) and ((2 of($event*)) and (2 of ($tag*))))
1306
+ strings:
1307
+ $magic = { 25 50 44 46 }
1308
+ $action0 = "<</S/Launch/Type/Action/Win<<" nocase ascii
1309
+ $action1 = "/Type/Action>>" nocase ascii
1310
+ $action2 = "/OpenAction" nocase ascii
1311
+ $action3 = "<< /Type /Action" nocase ascii
1312
+ $action4 = "/Type /Action" nocase ascii
1313
+ $uri = "/S /URI /Type /Action /URI"
1314
+ $launch = "/S /Launch /Win" nocase ascii
1315
+ $cmd = "(cmd.exe)" nocase ascii
1316
+ $ps = "powershell" nocase ascii
1317
+ $pscom0 = "DownloadFile" nocase ascii
1318
+ $pscom1 = "payload" nocase ascii
1319
+ $homepath = "%HOMEPATH%" nocase ascii
1320
+ $start0 = "start" nocase ascii
1321
+ $start1 = "startxref" nocase ascii
1322
+ $js0 = "<</S/JavaScript/JS" nocase ascii
1323
+ $js1 = /\/JS \([^)]+?\\/
1324
+ $js2 = "/JavaScript" nocase ascii
1325
+ $emb0 = "/EmbeddedFiles" nocase ascii
1326
+ $emb1 = "/EmbeddedFile" nocase ascii
1327
+ $url0 = "https://shapeupfitnessdkk-my.sharepoint.com/:b:/g/personal/michelle_shapeupfitness_dk/Ebd2GDh2N8JErL23JmMNmw8BQA7JVpGiS_C6TGkERpma4A?e=xBbtrV"
1328
+ $url1 = "https://ipfs.io/ipfs/QmSyYCjyTMyo1dM2dWBY6ExTmodmU1oSBWTdmEDTLrEenC#http://www.booking.com/"
1329
+ $url2 = "https://romacul.com.br/workshop/wp-content/mail.outlookoffice365.com.html"
1330
+ $url3 = "https://www.hitplus.fr/2018/click.php?url=https://cutt.ly/seU8MT6t#F8i_bfW"
1331
+ $url4 = "https://etehadshipping.com/"
1332
+ $url5 = "https://afarm.net/"
1333
+ $url6 = "https://portals.checkfedexexp.com"
1334
+ $url7 = "https://otcworldmedia.com"
1335
+ $url8 = "http://tiny.cc/"
1336
+ $url9 = "http://128.199.7.40/"
1337
+ $invoc = "%%Invocation:" nocase ascii
1338
+ $op0 = "-sOutputFile=" nocase ascii
1339
+ $op1 = "-dNumRenderingThreads=" nocase ascii
1340
+ $op2 = "-sDEVICE=" nocase ascii
1341
+ $op3 = "-dAutoRotatePages=" nocase ascii
1342
+ $script0 = "<script" nocase ascii
1343
+ $script1 = "</script>" nocase ascii
1344
+ $tag0 = "<event" nocase ascii
1345
+ $tag1 = "</event>" nocase ascii
1346
+ $event0 = "event.target.exportXFAData" nocase ascii
1347
+ $event1 = "activity=" nocase ascii
1348
+ condition:
1349
+ ($magic at 0 and (8 of them)) or
1350
+ ($magic at 0 and ($action0 or $action1 or $action2) and ($cmd or $ps) or ($pscom0 or $pscom1) and ($start0 or $start1) and $launch and $homepath and $js0) or
1351
+ ($magic at 0 and ($action2 or $action3) and (1 of ($emb*))) or
1352
+ ($magic at 0 and ( 1 of($url*))) or
1353
+ ($magic at 0 and $action4 and ($js1 or $js2)) or
1354
+ ($magic at 0 and $invoc and (2 of ($op*))) or
1355
+ ($magic at 0 and $uri) or
1356
+ ($magic at 0 and (2 of ($script*)) and ((2 of($event*)) and (2 of ($tag*))))
1471
1357
  }
1472
1358
 
1473
1359
 
@@ -1545,20 +1431,20 @@ rule SPICA__Strings {
1545
1431
 
1546
1432
 
1547
1433
  rule G_Backdoor_TOUGHPROGRESS_LNK_1 {
1548
- meta:
1549
- author = "GTIG"
1550
- date_created = "2025-04-29"
1551
- date_modified = "2025-04-29"
1552
- md5 = "65da1a9026cf171a5a7779bc5ee45fb1"
1553
- rev = 1
1554
- strings:
1555
- $marker = { 4C 00 00 00 }
1556
- $str1 = "rundll32.exe" ascii wide
1557
- $str2 = ".\\image\\7.jpg,plus" wide
1558
- $str3 = "%PDF-1"
1559
- $str4 = "PYL="
1560
- condition:
1561
- $marker at 0 and all of them
1434
+ meta:
1435
+ author = "GTIG"
1436
+ date_created = "2025-04-29"
1437
+ date_modified = "2025-04-29"
1438
+ md5 = "65da1a9026cf171a5a7779bc5ee45fb1"
1439
+ rev = 1
1440
+ strings:
1441
+ $marker = { 4C 00 00 00 }
1442
+ $str1 = "rundll32.exe" ascii wide
1443
+ $str2 = ".\\image\\7.jpg,plus" wide
1444
+ $str3 = "%PDF-1"
1445
+ $str4 = "PYL="
1446
+ condition:
1447
+ $marker at 0 and all of them
1562
1448
  }
1563
1449
 
1564
1450
 
@@ -1804,3 +1690,170 @@ rule PDF_Javascript_Exploit {
1804
1690
  condition:
1805
1691
  $pdf at 0 and (1 of ($js*))
1806
1692
  }
1693
+
1694
+
1695
+ rule Trojan_Win32_Emotet_PDF_MTB{
1696
+ meta:
1697
+ description = "Trojan:Win32/Emotet.PDF!MTB,SIGNATURE_TYPE_PEHSTR_EXT,01 00 01 00 02 00 00 "
1698
+ reference = "https://github.com/roadwy/DefenderYara/blob/63fedb45b4243e50a3f85e9e4e3e45bb6f1a6b6f/Trojan/Win32/Poison/Trojan_Win32_Poison_EM_MTB.yara"
1699
+ strings:
1700
+ $a_02_0 = {0f b6 cb 03 c1 99 b9 ?? ?? ?? ?? f7 f9 8a 5d 00 8d 4c 24 ?? 8a 94 14 ?? ?? ?? ?? 32 da 88 5d 00 } //1
1701
+ $a_81_1 = {72 43 4a 67 43 63 58 4d 77 66 66 32 4f 32 32 57 54 32 7a 39 38 38 73 61 66 59 72 78 55 62 68 46 6f } //1 rCJgCcXMwff2O22WT2z988safYrxUbhFo
1702
+ condition:
1703
+ ((#a_02_0 & 1)*1+(#a_81_1 & 1)*1) >=1
1704
+ }
1705
+
1706
+
1707
+ rule Trojan_Win32_Poison_EM_MTB{
1708
+ meta:
1709
+ description = "Trojan:Win32/Poison.EM!MTB,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
1710
+ reference = "https://github.com/roadwy/DefenderYara/blob/63fedb45b4243e50a3f85e9e4e3e45bb6f1a6b6f/Trojan/Win32/Poison/Trojan_Win32_Poison_EM_MTB.yara"
1711
+ strings :
1712
+ $a_01_0 = {45 5a 45 4c 5c 6e 65 77 73 6c 65 74 74 65 72 5c 56 42 36 } //1 EZEL\newsletter\VB6
1713
+ $a_01_1 = {48 69 63 63 75 70 70 32 } //1 Hiccupp2
1714
+ $a_01_2 = {66 72 75 6d 70 36 } //1 frump6
1715
+ $a_01_3 = {6e 00 73 00 6c 00 74 00 2e 00 70 00 64 00 66 00 } //1 nslt.pdf
1716
+ $a_01_4 = {57 72 69 74 65 50 72 6f 63 65 73 73 4d 65 6d 6f 72 79 } //1 WriteProcessMemory
1717
+ condition:
1718
+ ((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_01_4 & 1)*1) >=5
1719
+ }
1720
+
1721
+
1722
+ rule TrojanSpy_Win32_Shiotob_C{
1723
+ meta:
1724
+ description = "TrojanSpy:Win32/Shiotob.C,SIGNATURE_TYPE_PEHSTR_EXT,05 00 05 00 05 00 00 "
1725
+ strings :
1726
+ $a_01_0 = {5c 42 65 73 74 2e 70 64 66 } //1 \Best.pdf
1727
+ $a_01_1 = {68 00 74 00 74 00 70 00 3a 00 2f 00 2f 00 51 00 75 00 6f 00 74 00 69 00 65 00 } //1 http://Quotie
1728
+ $a_01_2 = {6d 00 65 00 61 00 73 00 75 00 72 00 2e 00 54 00 75 00 72 00 6e 00 } //1 measur.Turn
1729
+ $a_01_3 = {2e 00 53 00 69 00 6c 00 65 00 6e 00 74 00 } //1 .Silent
1730
+ $a_03_4 = {6a 00 6a 00 6a 01 6a 00 6a 02 68 00 00 00 40 8d 8d d8 fe ff ff 51 ff 15 ?? ?? ?? ?? 89 45 f0 8b 55 ec 83 ea 1b 81 fa d5 00 00 00 76 17 8b 45 ec 03 05 ?? ?? ?? ?? 0f b7 0d ?? ?? ?? ?? 03 c1 a3 ?? ?? ?? ?? 83 7d f0 ff 74 17 6a 01 6a 00 6a 00 8d 95 d8 fe ff ff 52 6a 00 6a 00 ff 15 } //2
1731
+ condition:
1732
+ ((#a_01_0 & 1)*1+(#a_01_1 & 1)*1+(#a_01_2 & 1)*1+(#a_01_3 & 1)*1+(#a_03_4 & 1)*2) >=5
1733
+ }
1734
+
1735
+
1736
+ rule Kimsuky_Lure_PDF {
1737
+ meta:
1738
+ description = "Detection rule for a PDF file created by Kimsuky / APT43"
1739
+ author = "Alec Dhuse"
1740
+ creation_date = "2025-07-28"
1741
+ updated_date = "2025-07-28"
1742
+ date = "2025-07-28"
1743
+ in_the_wild = true
1744
+ threat_actor = "Kimsuky"
1745
+ hash = "ddf2832cde87548132688b28a27e6b4a0103e7d07fb88a5f10225145daa88926"
1746
+ rule_version = "1.0"
1747
+ strings:
1748
+ $re1 = /<<\s*\/Author\s*\(Raizo\)\s*\/Creator\s*\(þÿ\x00?M\x00?i\x00?c\x00?r\x00?o\x00?s\x00?o\x00?f\x00?t\x00?®\x00?\s+\x00?W\x00?o\x00?r\x00?d\x00?\s+\x00?2\x00?0\x00?1\x00?3\s*\)/
1749
+ condition:
1750
+ $re1
1751
+ }
1752
+
1753
+
1754
+ rule POTENTIAL_RU_APT_LNK_DEC23 {
1755
+ meta:
1756
+ author = "Ryan <@IntelCorgi>"
1757
+ date = "2024-03-20"
1758
+ description = "Decoy LNK drops HTTP shell and fake PDF. Attributed to unknown RU-nexus threat actor."
1759
+ source = "https://blog.cluster25.duskrise.com/2024/01/30/russian-apt-opposition"
1760
+ strings:
1761
+ $s0 = "CiRFcnJvckFjdGlvbl" ascii
1762
+ $s1 = "gci $env:tmp -Name Rar*" ascii wide
1763
+ condition:
1764
+ uint16(0) == 0x004c
1765
+ and filesize < 2MB
1766
+ and any of them
1767
+ }
1768
+
1769
+
1770
+ rule SUS_MSC_Icon_Pdf_Jan25 {
1771
+ meta:
1772
+ description = "Detects MSC with suspicious PDF icon observed in use by APT"
1773
+ note = "Categorising as SUS as unknown if this icon is unique to the actor or generic PDF stored in msc during build. Add other icon sizes for completeness."
1774
+ author = "Matt Green - @mgreen27"
1775
+ hash = "ca0dfda9a329f5729b3ca07c6578b3b6560e7cfaeff8d988d1fe8c9ca6896da5"
1776
+ date = "2025-01-16"
1777
+ strings:
1778
+ $xml = "<?xml"
1779
+ $pdf_console_file_icon_small = "SUwBAQEABAAEABAAEAD/////IQD//////////0JNNgAAAAAAAAA2AAAAKAAAAEAAAAAQAAAAAQAgAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkpGQ/5CQj/+Pjo3/jo2M/4yMiv+Lion/iomH/4iHhv+HhoT/hYWD/4SDgf+DgoD/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJOSkf/7+/r/+/v6//v7+v/7+/r/+/v6//v7+v/7+/r/+/v6//v7+v/7+/r/hIOB/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAC+/xEAzP8RAMv/EQDK/xEAyf8RAMn/EQDI/xEAx/8RAMb/EQDG/xEAxf8QAMT/EADD/xAAw/8QAML/EAC0/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEAzf8SAOr/EgDp/xIA6P8SAOf/EgDm/xIA5f8SAOT/EgDj/xIA4v8SAOH/EgDg/xEA3/8RAN7/EQDd/xAAwv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAM7/EgDr//////8SAOn/EgDo/xIA5///////4uD8/9PQ+v9cUOz/EgDi//////8SAOD/EQDf/xEA3v8QAMP/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQDP/xMA7P//////TUDv/yEQ6v8SAOj//////xIA5v9cUO3/4uD8/xIA4///////EgDh/xIA4P8RAN//EADD/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEAz/8TAO3//////6eg+P//////IRDq//////8SAOf/EgDm//Hw/f9NQOv//////8TA+P+YkPL/EgDg/xAAxP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAND/EwDu//////8/MPD/4uD9/1xQ8f//////EgDo/z8w7P//////MCDo//////8SAOP/EgDi/xIA4f8RAMX/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQDR/xMA7////////////8XA+v8hEOz////////////x8P7/enDy/xIA5v///////////8TA+P8SAOL/EQDG/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABEA0v8TAPD/EwDv/xMA7v8TAO3/EwDs/xIA6/8SAOr/EgDp/xIA6P8SAOf/EgDm/xIA5f8SAOT/EgDj/xEAxv8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAARAMP/EQDS/xEA0f8RAND/EQDP/xEAz/8RAM7/EQDN/xEAzP8RAMz/EQDL/xEAyv8RAMn/EQDJ/xEAyP8QALn/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAChoKD//f39//v6+v/6+vn/+/r5//r5+f/6+fj/+vn4//n49//5+Pf//Pz7/5KRkP8AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoqKi//39/f+zs7P/s7Oz/7Ozs/+zs7P/s7Oz//r5+P+mpqb/jIyM/4yMjP+TkpH/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKOjo//9/f3/+/v6//v6+v/6+vn/+vn5//r5+P/5+Pj/pqam/+rq6v/c3Nz/mJiX+QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAClpaX//f39//39/f/9/f3//f38//38/P/9/Pz//fz8/6ampv/c3Nz/nZ2c/BwcHDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApqam/6Wlpf+jo6P/oqKi/6GgoP+fn5//np6d/5ycnP+bm5r/nJub+R0dHDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCTT4AAAAAAAAAPgAAACgAAABAAAAAEAAAAAEAAQAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA////AMADAAAAAAAAwAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAwAAAAAAAMADAAAAAAAAwAMAAAAAAADAAwAAAAAAAMAHAAAAAAAA"
1780
+ condition:
1781
+ $xml at 0 and $pdf_console_file_icon_small
1782
+ }
1783
+
1784
+
1785
+ rule document_with_embedded_executable {
1786
+ meta:
1787
+ author = "Joaquin Villegas"
1788
+ description = "Detects documents with embedded executable content"
1789
+ category = "document"
1790
+ severity = "critical"
1791
+ date = "2025.07.15"
1792
+ strings:
1793
+ // Document headers
1794
+ $pdf_header = "%PDF-"
1795
+ // $ole_header = { D0 CF 11 E0 A1 B1 1A E1 }
1796
+ // $rtf_header = "{\\rtf"
1797
+
1798
+ // Executable headers within document
1799
+ $pe_header = { 4D 5A } // MZ header
1800
+ $elf_header = { 7F 45 4C 46 } // ELF header
1801
+ $macho_header = { FE ED FA CE } // Mach-O header
1802
+
1803
+ // Embedded object indicators
1804
+ $embed1 = "\\objemb" nocase
1805
+ $embed2 = "/EmbeddedFile" nocase
1806
+ $embed3 = "Package" nocase
1807
+ $embed4 = "OLE Object" nocase
1808
+
1809
+ // File streams
1810
+ $stream1 = "\\objdata" nocase
1811
+ $stream2 = "/F " nocase
1812
+ $stream3 = "/Type/EmbeddedFile" nocase
1813
+ condition:
1814
+ $pdf_header at 0
1815
+ and (any of ($pe_header, $elf_header, $macho_header))
1816
+ and (any of ($embed*) or any of ($stream*))
1817
+ }
1818
+
1819
+
1820
+ rule pdf_with_javascript {
1821
+ meta:
1822
+ author = "Joaquin Villegas"
1823
+ description = "Detects PDF files with embedded JavaScript and suspicious content"
1824
+ category = "document"
1825
+ severity = "medium"
1826
+ date = "2025.07.15"
1827
+ strings:
1828
+ // PDF header
1829
+ $pdf_header = "%PDF-"
1830
+ // JavaScript indicators
1831
+ $js1 = "/JavaScript" nocase
1832
+ $js2 = "/JS" nocase
1833
+ $js3 = "/OpenAction" nocase
1834
+ $js4 = "/AA" nocase
1835
+ // Suspicious JavaScript functions
1836
+ $js_func1 = "app.alert" nocase
1837
+ $js_func2 = "this.print" nocase
1838
+ $js_func3 = "app.launchURL" nocase
1839
+ $js_func4 = "this.submitForm" nocase
1840
+ $js_func5 = "app.response" nocase
1841
+ $js_func6 = "this.importDataObject" nocase
1842
+ // Exploit indicators
1843
+ $exploit1 = "unescape" nocase
1844
+ $exploit2 = "eval" nocase
1845
+ $exploit3 = "String.fromCharCode" nocase
1846
+ $exploit4 = "document.write" nocase
1847
+ // Heap spray indicators
1848
+ $heap1 = /\x90{10,}/ // NOP sled
1849
+ $heap2 = /%u9090/ // Unicode NOP
1850
+ $heap3 = /\x0c\x0c\x0c\x0c/ // Heap spray pattern
1851
+ // Form actions
1852
+ $form1 = "/F " nocase
1853
+ $form2 = "/Type/Action" nocase
1854
+ $form3 = "/S/SubmitForm" nocase
1855
+ condition:
1856
+ $pdf_header at 0 and
1857
+ (any of ($js*) or any of ($js_func*)) and
1858
+ (any of ($exploit*) or any of ($heap*) or any of ($form*))
1859
+ }
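Review bot: The `$re1` regex of Kimsuky_Lure_PDF (gutter line 1748) spells the UTF-16BE byte-order mark and the registered sign as the literal characters `þÿ` and `®`; if this rules file is stored as UTF-8, YARA will compile their multi-byte encodings rather than the single bytes `FE FF` and `AE` that a PDF /Creator string actually contains, so the rule is unlikely to match the sample it was written for — write them as the escapes `\xfe\xff` and `\xae` instead. In Trojan_Win32_Emotet_PDF_MTB the `reference` URL points at the Poison rule's file (the identical URL appears again under Trojan_Win32_Poison_EM_MTB), which looks like a copy-paste slip in the metadata. document_with_embedded_executable requires `$pdf_header at 0`, so its RTF-only strings `\\objemb` and `\\objdata` can never contribute, and the two-byte `$pe_header = { 4D 5A }` combined with generic tokens such as `"Package"` and `"/F "` will match a large share of benign PDFs with compressed streams despite the `severity = "critical"` tag; consider tying the executable header to an embedded-file stream or noting the expected false-positive rate in `description`. In pdf_with_javascript the wildcard `$js*` already covers `$js_func1`..`$js_func6`, so `(any of ($js*) or any of ($js_func*))` reduces to `any of ($js*)`, and short one-word strings like `"eval"`, `"/JS"` and `"/AA"` will hit ordinary document text and may trigger YARA's slow-string warning.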