rule APT1_known_malicious_RARSilent { meta: author = "AlienVault Labs" info = "CommentCrew-threat-apt1" strings: $str1 = "Analysis And Outlook.doc\"" wide ascii $str2 = "North Korean launch.pdf\"" wide ascii $str3 = "Dollar General.doc\"" wide ascii $str4 = "Dow Corning Corp.pdf\"" wide ascii condition: 1 of them and APT1_RARSilent_EXE_PDF }