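/*
Version 0.0.1 2014/12/15

Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk

Shortcomings, or todo's ;-) :

History:
  2014/12/15: start
*/

// Byte-pattern rules for shellcode-style constructs and artefacts that are
// common in malicious documents. Each rule is one indicator; on its own it
// is a triage signal to be combined with context, not a verdict.

// ROR-based API-name hashing loop (32-bit x86):
//   AC         lodsb
//   84 C0      test al, al
//   74 07      jz   +7
//   C1 CF 0D   ror  edi, 0Dh      ($a2: C1 CF 07 = ror edi, 07h)
//   01 C7      add  edi, eax
//   EB F4      jmp  -0Ch          (back to lodsb)
//   81 FF      cmp  edi, imm32    (compare against the precomputed hash)
rule maldoc_API_hashing
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
        $a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
    condition:
        any of them
}

// Standard 32-bit function prolog `push ebp / mov ebp, esp` (55 8B EC)
// followed by one of: sub esp, imm32 (81 EC), add esp, imm8 (83 C4),
// call rel32 (E8), jmp rel32 (E9), jmp rel8 (EB).
// Compiled code inside a document is the signal; any benign executable
// matches as well, so only meaningful in a document/container context.
rule maldoc_function_prolog_signature
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {55 8B EC 81 EC}
        $a2 = {55 8B EC 83 C4}
        $a3 = {55 8B EC E8}
        $a4 = {55 8B EC E9}
        $a5 = {55 8B EC EB}
    condition:
        any of them
}

// Read of the SEH chain head at fs:[0] in 32-bit code:
//   64 8B /r 00 00 00 00   mov r32, fs:[0]  (ModR/M 05|0D|...|3D = disp32 form, one per r32)
//   64 A1 00 00 00 00      mov eax, fs:[0]  (short form)
// Shellcode reads this to install its own handler or to walk the handler
// chain when locating kernel32.
rule maldoc_structured_exception_handling
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
        $a2 = {64 A1 00 00 00 00}
    condition:
        any of them
}

// Disabled by the author (reason not recorded).
/*
rule maldoc_indirect_function_call_1
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {FF 75 ?? FF 55 ??}
    condition:
        for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
*/

// Disabled by the author (reason not recorded).
/*
rule maldoc_indirect_function_call_2
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
    condition:
        for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
*/

// Disabled by the author (reason not recorded).
/*
rule maldoc_indirect_function_call_3
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {FF B7 ?? ?? ?? ?? FF 57 ??}
    condition:
        $a
}
*/

// fs:[30h] is the PEB pointer in 32-bit Windows; reading it is the first
// step of the usual PEB -> Ldr -> module list walk that shellcode uses to
// find the kernel32 base without imports. Same two encodings as the SEH
// rule above, with displacement 30h instead of 0.
rule maldoc_find_kernel32_base_method_1
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
        $a2 = {64 A1 30 00 00 00}
    condition:
        any of them
}

// Disabled by the author (reason not recorded).
// NOTE(review): the `(uint8(@a[i] + 2) & 0xF8) == 0xA0` test admits opcodes
// A0..A7, not B0..B7 (`mov r8, imm8`), which is what the surrounding
// `xor reg, reg / ?? 30 / mov reg, fs:[reg]` shape appears to expect --
// verify the mask before re-enabling.
/*
rule maldoc_find_kernel32_base_method_2
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {31 ?? ?? 30 64 8B ??}
    condition:
        for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
*/

// Disabled by the author (reason not recorded).
/*
rule maldoc_find_kernel32_base_method_3
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
    condition:
        for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
*/

// Disabled by the author (reason not recorded).
/*
rule maldoc_getEIP_method_1
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        $a
}
*/

// FPU-based GetPC (position-independent code finding its own address):
//   D9 EE         fldz
//   9B            fwait               ($a2 only)
//   D9 74 24 F4   fnstenv [esp-0Ch]   (saved FPU instruction pointer = address of fldz lands at [esp])
//   58..5F        pop r32             (retrieves it)
rule maldoc_getEIP_method_4
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
        $a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
    condition:
        any of them
}

// First four bytes of the OLE2 / Compound File header signature.
// Not anchored: it matches at any offset, so an OLE container embedded in
// or appended to another file hits as well. Use `$a at 0` if only a file
// that itself starts with a CFB header is wanted.
rule maldoc_OLE_file_magic_number
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a = {D0 CF 11 E0}
    condition:
        $a
}

// Plain-text names of Windows APIs that droppers and shellcode typically
// resolve (most entries are prefixes: "CreateFile" also covers CreateFileA/W,
// "GetProcAddr" covers GetProcAddress, and so on).
// YARA strings are ASCII and case-sensitive by default and no `wide` modifier
// is used, so UTF-16LE copies of these names are not covered.
// CloseHandle / CreateFile / ReadFile / WriteFile occur in nearly every
// benign executable, so `any of them` is a high-noise triage indicator, not
// a detection by itself.
rule maldoc_suspicious_strings
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
    strings:
        $a01 = "CloseHandle"
        $a02 = "CreateFile"
        $a03 = "GetProcAddr"
        $a04 = "GetSystemDirectory"
        $a05 = "GetTempPath"
        $a06 = "GetWindowsDirectory"
        $a07 = "IsBadReadPtr"
        $a08 = "IsBadWritePtr"
        $a09 = "LoadLibrary"
        $a10 = "ReadFile"
        $a11 = "SetFilePointer"
        $a12 = "ShellExecute"
        // The exported name is URLDownloadToFileA/W (upper-case "URL"); the
        // previous case-sensitive "UrlDownloadToFile" could not match it.
        // `nocase` keeps the old spelling matching too (e.g. in VBA source).
        $a13 = "URLDownloadToFile" nocase
        $a14 = "VirtualAlloc"
        $a15 = "WinExec"
        $a16 = "WriteFile"
    condition:
        any of them
}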