rule blackhole2_pdf { meta: author = "Josh Berry" date = "2016-06-27" description = "BlackHole2 Exploit Kit Detection" hash0 = "d1e2ff36a6c882b289d3b736d915a6cc" sample_filetype = "pdf" yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" strings: $string0 = "/StructTreeRoot 5 0 R/Type/Catalog>>" $string1 = "0000036095 00000 n" $string2 = "http://www.xfa.org/schema/xfa-locale-set/2.1/" $string3 = "subform[0].ImageField1[0])/Subtype/Widget/TU(Image Field)/Parent 22 0 R/F 4/P 8 0 R/T