rule nccgroup_exploit_ole_stdolelink { meta: author = "David Cannings" description = "StdOleLink, potential 0day in April 2017" strings: // Parsers will open files without the full 'rtf' $header_rtf = "{\\rt" nocase $header_office = { D0 CF 11 E0 } $header_xml = "