include "filetypes.yara"   // expected to provide IsOLE, used in every condition below

/*
   OLE (Compound File) SummaryInformation metadata tagging rules.

   Each rule tags a document whose Author, Title or Last Saved By property
   equals a value observed in the author's sample corpus.  They are a
   clustering / attribution aid, not a maliciousness test: many of the
   values below ("Administrator", "User", "unknown", "system", "Owner",
   "PowerPoint Presentation", single letters such as "A" or "y") are
   application defaults or generic account names that also appear in
   unrelated benign documents, so a hit on its own is not an indicator of
   compromise and should be combined with other evidence.

   Pattern shape: every string is "\x00" + value + "\x00" + "\x1e".
   Presumably this is the high byte of the preceding length DWORD, the
   code-page string itself, its NUL terminator, and then the 0x1e
   (VT_LPSTR) type tag of the next property in the stream -- TODO confirm
   against the corpus.  NOTE(review): a writer that pads property values to
   a 4-byte boundary would place extra NULs before the next type tag, in
   which case values whose length+1 is not a multiple of 4 would not match
   as written; verify against samples from more than one producer.

   The string lists were generated on the command line by the one-liners
   below.  Each one pulls the field out of `file` output, backslash-escapes
   double quotes, rewrites the octal escapes `\ooo` that `file` emits as
   YARA `\xNN` escapes, and prints one `$ = "..."` line; `sort | uniq`
   removes exact duplicates.  Because of that `uniq`, the entries that
   render identically in the copy reviewed here (see the "\x00 \x00\x1e"
   groups) were most likely distinct non-printing bytes in the original
   file -- check the original before deduplicating them.

   Author:
   file ~/samples/all/* | perl -ne 'if(/Author: (.*?), Template:/) { $x = $1; $x =~ s/\"/\\\"/g; while($x =~ /\\(\d{3})/) { $n = oct($1); $nn = sprintf("%02x",$n); $x =~ s/\\$1/\\x$nn/; chomp $x; } print " \$ = \"\\x00$x\\x00\\x1e\"\n"; };' | sort | uniq

   Title:
   $ file ~/samples/all/* | perl -ne 'if(/Title: (.*?), Author:/) { $x = $1; $x =~ s/\"/\\\"/g; while($x =~ /\\(\d{3})/) { $n = oct($1); $nn = sprintf("%02x",$n); $x =~ s/\\$1/\\x$nn/; chomp $x; } print " \$ = \"\\x00$x\\x00\\x1e\"\n"; };' | sort | uniq

   Last Saved By:
   $ file ~/samples/all/* | perl -ne 'if(/Last Saved By: (.*?), Revision/) { $x = $1; $x =~ s/\"/\\\"/g; while($x =~ /\\(\d{3})/) { $n = oct($1); $nn = sprintf("%02x",$n); $x =~ s/\\$1/\\x$nn/; chomp $x; } print " \$ = \"\\x00$x\\x00\\x1e\"\n"; };' | sort | uniq
*/

// Tags OLE documents whose Author property is one of the values below.
// Anonymous strings ($) are used because only "any of them" matters.
rule OLEAuthor : Author OLEMetadata
{
    meta:
        description = "Identifier for known OLE document authors"
        author = "Seth Hardy"
        last_modified = "2014-05-07"

    strings:
        $ = "\x00111\x00\x1e"
        $ = "\x0011\x00\x1e"
        $ = "\x00123\x00\x1e"
        $ = "\x002chu\x00\x1e"
        $ = "\x007513A3DEA183474\x00\x1e"
        $ = "\x00abc\x00\x1e"
        // Generic / default account names: expect benign hits.
        $ = "\x00Administrator\x00\x1e"
        $ = "\x00admin\x00\x1e"
        $ = "\x00Aggarwal, Aakash\x00\x1e"
        $ = "\x00beat\x00\x1e"
        $ = "\x00Ben\x00\x1e"
        $ = "\x00bf\x00\x1e"
        $ = "\x00Booksway\x00\x1e"
        $ = "\x00Bosh\x00\x1e"
        $ = "\x00captain\x00\x1e"
        $ = "\x00CC2\x00\x1e"
        $ = "\x00cyano\x00\x1e"
        $ = "\x00Dinesh\x00\x1e"
        $ = "\x00Dolker\x00\x1e"
        $ = "\x00Drokpa\x00\x1e"
        $ = "\x00Findo\x00\x1e"
        $ = "\x00FLORINE DATESSEN\x00\x1e"
        $ = "\x00funghain\x00\x1e"
        $ = "\x00HealthDeptt-01\x00\x1e"
        $ = "\x00hy9901a\x00\x1e"
        $ = "\x00IBM User\x00\x1e"
        $ = "\x00IBM\x00\x1e"
        $ = "\x00Igny\x00\x1e"
        $ = "\x00IITK\x00\x1e"
        // NOTE(review): the copy reviewed here showed a line break between
        // "I. " and "K".  YARA text strings cannot span lines, so a byte was
        // probably lost in transcription -- restore it from the original file.
        $ = "\x00I. K\x00\x1e"
        $ = "\x00Jamal Al-Masraf\x00\x1e"
        $ = "\x00Joyce Havinga\x00\x1e"
        $ = "\x00kalume\x00\x1e"
        $ = "\x00Karma\x00\x1e"
        $ = "\x00karmayeshi\x00\x1e"
        $ = "\x00KChase\x00\x1e"
        $ = "\x00ken\x00\x1e"
        $ = "\x00khenrab\x00\x1e"
        $ = "\x00Kunga Tashi\x00\x1e"
        // OEM default user names: expect benign hits.
        $ = "\x00Lenovo User\x00\x1e"
        $ = "\x00Lenovo\x00\x1e"
        $ = "\x00lenovo\x00\x1e"
        $ = "\x00Lharisang\x00\x1e"
        $ = "\x00Luitgard Hammerer\x00\x1e"
        $ = "\x00MC SYSTEM\x00\x1e"
        $ = "\x00mpzhang\x00\x1e"
        $ = "\x00neuroking\x00\x1e"
        $ = "\x00Ngawang Gelek\x00\x1e"
        $ = "\x00niu2\x00\x1e"
        $ = "\x00Owner\x00\x1e"
        $ = "\x00pema tashi\x00\x1e"
        $ = "\x00pepe\x00\x1e"
        $ = "\x00perhat64\x00\x1e"
        $ = "\x00Remote\x00\x1e"
        $ = "\x00ResuR\x00\x1e"
        $ = "\x00roy\x00\x1e"
        $ = "\x00Samphel\x00\x1e"
        $ = "\x00sard\x00\x1e"
        $ = "\x00shirley\x00\x1e"
        $ = "\x00shungqar\x00\x1e"
        $ = "\x00Sofia Olsson\x00\x1e"
        $ = "\x00Sonam Dolkar\x00\x1e"
        $ = "\x00Son Huynh Hong\x00\x1e"
        $ = "\x00system\x00\x1e"
        $ = "\x00teguete\x00\x1e"
        $ = "\x00tensangmo\x00\x1e"
        $ = "\x00tenzin1959\x00\x1e"
        $ = "\x00Tenzin\x00\x1e"
        $ = "\x00Tran Duy Linh\x00\x1e"
        $ = "\x00Traudl\x00\x1e"
        $ = "\x00Tsedup\x00\x1e"
        $ = "\x00Tsering Tamding\x00\x1e"
        $ = "\x00unknown\x00\x1e"
        $ = "\x00USER\x00\x1e"
        $ = "\x00User\x00\x1e"
        $ = "\x00user\x00\x1e"
        $ = "\x00votoystein\x00\x1e"
        $ = "\x00walkinnet\x00\x1e"
        $ = "\x00World Uyghur Congress\x00\x1e"
        $ = "\x00www\x00\x1e"
        // NOTE(review): these four render identically here but survived the
        // generator's `sort | uniq`, so they were probably distinct
        // whitespace / non-printing bytes in the original -- verify before
        // deduplicating.
        $ = "\x00 \x00\x1e"
        $ = "\x00 \x00\x1e"
        $ = "\x00 \x00\x1e"
        $ = "\x00 \x00\x1e"
        // Raw bytes as emitted by the generator (likely a non-ASCII code-page
        // name); kept verbatim.
        $ = "\x00\xf4_y\xb7\x80\x05\x9e\xbf\x00\x1e"
        $ = "\x00xp\x00\x1e"
        $ = "\x00YCanPDF\x00\x1e"
        $ = "\x00y\x00\x1e"
        $ = "\x00zsh\x00\x1e"

    condition:
        // IsOLE gates the string scan to Compound File documents.
        IsOLE and (any of them)
}

// Tags OLE documents whose Title property is one of the values below.
rule OLETitle : Title OLEMetadata
{
    meta:
        description = "Identifier for known OLE document titles"
        author = "Seth Hardy"
        last_modified = "2014-05-07"

    strings:
        $ = "\x0001:00\x00\x1e"
        // NOTE(review): the copy reviewed here showed a line break between
        // "yashlarni " and "korgen"; a byte was probably lost in
        // transcription -- restore it from the original file.
        $ = "\x00 23-Aprel chushidin keyin saet bir yirim,Xitayning 3 neper paylaqchisi seriqbuya yezida oy arilap yurup paylaqchiliq qiliwatqanda bir oyge toplann\xcaghan bir gurup uyghur yashlarni korgen we ularning yenida pichaq we tam teshidighan eswablarni korup gum\x00\x1e"
        $ = "\x0046-120603 fice W648\x00\x1e"
        $ = "\x0054-120602 15s\xb7K\x0c]\xb7\x00\x1e"
        $ = "\x005-Iyul Urumchi Qirghinchiliqi heqide qisqiche Dokilat \x00\x1e"
        $ = "\x00April 20-21, 2013\x00\x1e"
        $ = "\x00asdfasdfasdf\x00\x1e"
        $ = "\x00Bamako, le 04 d\x00\x1e"
        $ = "\x00Best\x00\x1e"
        $ = "\x00Dear All,\x00\x1e"
        $ = "\x00Dear President and Executive Members,\x00\x1e"
        $ = "\x00Full list of self-immolations in Tibet\x00\x1e"
        $ = "\x00Help stop the destruction of my home, Lhasa, Tibet\x00\x1e"
        $ = "\x00HHDL'visit in European\x00\x1e"
        $ = "\x00II) Overview & Analysis:\x00\x1e"
        $ = "\x00Institute for Defence Studies and Analyses\x00\x1e"
        $ = "\x00IPT APPLICATION FORM\x00\x1e"
        $ = "\x00Jharkhand supports Indian Parliamentary resolution on Tibet crisis\x00\x1e"
        $ = "\x00Lieutenant General KENOSE BARRY PHILLIPE,\x00\x1e"
        $ = "\x00OPERATIONAL MANUAL:\x00\x1e"
        $ = "\x00PART 2 - Overview and Analysis\x00\x1e"
        // Application default title: expect benign hits.
        $ = "\x00PowerPoint Presentation\x00\x1e"
        $ = "\x00Progress Chart: 15\x00\x1e"
        $ = "\x00Progress Chart:\x00\x1e"
        $ = "\x00Progress Chart\x00\x1e"
        $ = "\x00RC\x00\x1e"
        $ = "\x00(RESENDING)\x00\x1e"
        $ = "\x00Talking Points EU-China Human Rights Dialogue June 2011\x00\x1e"
        $ = "\x00TANC Community Center\x00\x1e"
        $ = "\x00The Charg\x00\x1e"
        $ = "\x00The following schedule of plans has been finalized for the purpose of holding the Second Special General Meeting of Tibetans being organized jointly by the Tibetan Parliament-in-Exile and the Kashag headed by the Kalon Tripa in accordance with the provis\x00\x1e"
        $ = "\x00The Tibet Museum Project\x00\x1e"
        $ = "\x00Tibetan Community in Switzerland & Liechtenstein, Binzstrasse 15, CH-8045 Zurich, Switzerland \x00\x1e"
        $ = "\x00TSERING BHUTI\x00\x1e"
        $ = "\x00Tsering Bhuti\x00\x1e"
        $ = "\x00 \x00\x1e"
        $ = "\x00#\x00\x1e"
        // Raw bytes as emitted by the generator; kept verbatim.
        $ = "\x00\x8d\x00\x1e"
        $ = "\x00\x8d\x9a\x06\xb7\x00\x1e"
        $ = "\x00\xc8\xf8!\xb7\x00\x1e"
        // NOTE(review): the copy reviewed here showed a line break between
        // "point: " and "how"; a byte was probably lost in transcription --
        // restore it from the original file.
        $ = "\x00Yes, I would like to raise this point: how many more young Tibetan lives are to be sacrificed in these awful self immolations before China is likely to change its Tibet policies in favour of Tibetan autonomy\x00\x1e"

    condition:
        // IsOLE gates the string scan to Compound File documents.
        IsOLE and (any of them)
}

// Tags OLE documents whose Last Saved By property is one of the values below.
rule OLELastSavedBy : LastSavedBy OLEMetadata
{
    meta:
        description = "Identifier for known OLE document Last Saved By field"
        author = "Seth Hardy"
        last_modified = "2014-05-07"

    strings:
        $ = "\x00111\x00\x1e"
        $ = "\x0011\x00\x1e"
        $ = "\x00123\x00\x1e"
        // Generic / default account names: expect benign hits.
        $ = "\x00Administrator\x00\x1e"
        $ = "\x00Admin\x00\x1e"
        $ = "\x00Alex\x00\x1e"
        $ = "\x00Audit\x00\x1e"
        // Single-character value: very weak on its own.
        $ = "\x00A\x00\x1e"
        $ = "\x00beat\x00\x1e"
        $ = "\x00Ben\x00\x1e"
        $ = "\x00bf\x00\x1e"
        $ = "\x00Booksway\x00\x1e"
        $ = "\x00Bosh\x00\x1e"
        $ = "\x00captain\x00\x1e"
        $ = "\x00CL_nelson\x00\x1e"
        $ = "\x00Core\x00\x1e"
        $ = "\x00cyano\x00\x1e"
        $ = "\x00dainzin\x00\x1e"
        $ = "\x00Dolker\x00\x1e"
        $ = "\x00Findo\x00\x1e"
        $ = "\x00FLORINE DATESSEN\x00\x1e"
        $ = "\x00funghain\x00\x1e"
        $ = "\x00HP\x00\x1e"
        $ = "\x00hy9901a\x00\x1e"
        $ = "\x00IBM User\x00\x1e"
        $ = "\x00IBM\x00\x1e"
        $ = "\x00Igny\x00\x1e"
        // NOTE(review): the copy reviewed here showed a line break between
        // "I. " and "K" (same as in OLEAuthor); a byte was probably lost in
        // transcription -- restore it from the original file.
        $ = "\x00I. K\x00\x1e"
        $ = "\x00ITCO\x00\x1e"
        $ = "\x00jds\x00\x1e"
        $ = "\x00Joyce Havinga\x00\x1e"
        $ = "\x00karmayeshi\x00\x1e"
        $ = "\x00ken\x00\x1e"
        $ = "\x00khenrab\x00\x1e"
        $ = "\x00Kunga Tashi\x00\x1e"
        $ = "\x00lebrale\x00\x1e"
        // OEM default user names: expect benign hits.
        $ = "\x00Lenovo User\x00\x1e"
        $ = "\x00Lenovo\x00\x1e"
        $ = "\x00lenovo\x00\x1e"
        $ = "\x00Lharisang\x00\x1e"
        $ = "\x00Lhundup Damcho\x00\x1e"
        $ = "\x00MC SYSTEM\x00\x1e"
        $ = "\x00mm\x00\x1e"
        $ = "\x00mpzhang\x00\x1e"
        $ = "\x00neuroking\x00\x1e"
        $ = "\x00niu2\x00\x1e"
        // NOTE(review): these look like template-name fragments rather than
        // user names -- presumably an artifact of how the field was extracted;
        // confirm against the samples.
        $ = "\x00Normal.d\x00\x1e"
        $ = "\x00Normal.w\x00\x1e"
        $ = "\x00Normal\x00\x1e"
        $ = "\x00one\x00\x1e"
        $ = "\x00Owner\x00\x1e"
        $ = "\x00pema tashi\x00\x1e"
        $ = "\x00pepe\x00\x1e"
        $ = "\x00PhiDiem\x00\x1e"
        $ = "\x00ResuR\x00\x1e"
        $ = "\x00roy\x00\x1e"
        $ = "\x00Samphel\x00\x1e"
        $ = "\x00system\x00\x1e"
        $ = "\x00TCC Dhasa1\x00\x1e"
        $ = "\x00tensangmo\x00\x1e"
        $ = "\x00Tenzin\x00\x1e"
        $ = "\x00test\x00\x1e"
        $ = "\x00Tibet Ever\x00\x1e"
        $ = "\x00Tran Duy Linh\x00\x1e"
        $ = "\x00Traudl\x00\x1e"
        $ = "\x00unknown\x00\x1e"
        $ = "\x00User\x00\x1e"
        $ = "\x00user\x00\x1e"
        $ = "\x00USR\x00\x1e"
        $ = "\x00walkinnet\x00\x1e"
        $ = "\x00WIN7\x00\x1e"
        $ = "\x00www\x00\x1e"
        // NOTE(review): these four render identically here but survived the
        // generator's `sort | uniq`, so they were probably distinct
        // whitespace / non-printing bytes in the original -- verify before
        // deduplicating.
        $ = "\x00 \x00\x1e"
        $ = "\x00 \x00\x1e"
        $ = "\x00 \x00\x1e"
        $ = "\x00 \x00\x1e"
        $ = "\x00y\x00\x1e"

    condition:
        // IsOLE gates the string scan to Compound File documents.
        IsOLE and (any of them)
}