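// Copyright (C) 2013 Claudio "nex" Guarnieri

// Flags a file that contains a Mach-O (or fat/universal) header magic at some
// offset other than 0, i.e. a Mach-O image carried inside another container
// such as a document, archive or installer.
//
// Triage notes:
//   - Files that themselves start with one of the magics are excluded, because
//     fat/universal binaries legitimately contain thin Mach-O slices. As a
//     consequence, a Mach-O that carries a second Mach-O is NOT reported.
//   - The patterns are only 4 bytes long, so chance hits in large or
//     high-entropy files are expected. { ca fe ba be } is also the Java class
//     file magic. Treat a match as a lead to corroborate (e.g. parse the
//     header at the hit offset), not as a verdict.
rule embedded_macho
{
    meta:
        author = "nex"
        description = "Contains an embedded Mach-O file"

    strings:
        // Byte sequences as they appear on disk.
        $magic1 = { ca fe ba be }   // fat/universal header (FAT_MAGIC)
        $magic2 = { ce fa ed fe }   // 32-bit Mach-O, little-endian
        $magic3 = { fe ed fa ce }   // 32-bit Mach-O, big-endian
        // 64-bit thin images; without these, x86_64/arm64 payloads are missed.
        $magic4 = { cf fa ed fe }   // 64-bit Mach-O, little-endian
        $magic5 = { fe ed fa cf }   // 64-bit Mach-O, big-endian

    condition:
        // At least one magic is present somewhere in the file ...
        any of ($magic*) and
        // ... and the file itself does not begin with any of them. Written as
        // a loop so a newly added $magicN is excluded at offset 0 automatically.
        not (for any of ($magic*) : ( $ at 0 ))
}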