Sneed-Reactivity/yara-mikesxrs/proofpoint/AdGholas_mem_antisec_M2.yar

rule AdGholas_mem_antisec_M2
{
 meta:
     malfamily = "AdGholas"
	 author = "Proofpoint"
	 reference = "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight"
	 reference2 = "https://blog.malwarebytes.com/cybercrime/exploits/2016/12/adgholas-malvertising-business-as-usual/"


 strings:
     $s1 = "ActiveXObject(\"Microsoft.XMLDOM\")" nocase ascii wide
     $s2 = "loadXML" nocase ascii wide fullword
     $s3 = "parseError.errorCode" nocase ascii wide
     $s4 = /res\x3a\x2f\x2f[\x27\x22]\x2b/ nocase ascii wide
     $s5 = /\x251e3\x21\s*\x3d\x3d\s*[a-zA-Z]+\x3f1\x3a0/ nocase ascii wide

 condition:
     all of ($s*)
}