08e8d462fe
RED PILL 🔴 💊
145 lines
4.7 KiB
Text
145 lines
4.7 KiB
Text
rule maldoc_indirect_function_call_1 : maldoc
|
|
{
|
|
meta:
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
|
strings:
|
|
$a = {FF 75 ?? FF 55 ??}
|
|
condition:
|
|
for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
|
|
}
|
|
|
|
rule maldoc_indirect_function_call_2 : maldoc
|
|
{
|
|
meta:
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
|
strings:
|
|
$a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
|
|
condition:
|
|
for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
|
|
}
|
|
|
|
rule maldoc_indirect_function_call_3 : maldoc
|
|
{
|
|
meta:
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
|
strings:
|
|
$a = {FF B7 ?? ?? ?? ?? FF 57 ??}
|
|
condition:
|
|
$a
|
|
}
|
|
|
|
rule maldoc_find_kernel32_base_method_1 : maldoc
|
|
{
|
|
meta:
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
|
strings:
|
|
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
|
|
$a2 = {64 A1 30 00 00 00}
|
|
condition:
|
|
any of them
|
|
}
|
|
|
|
rule maldoc_find_kernel32_base_method_2 : maldoc
|
|
{
|
|
meta:
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
|
strings:
|
|
$a = {31 ?? ?? 30 64 8B ??}
|
|
condition:
|
|
for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
|
|
}
|
|
|
|
rule maldoc_find_kernel32_base_method_3 : maldoc
|
|
{
|
|
meta:
|
|
author = "Didier Stevens (https://DidierStevens.com)"
|
|
strings:
|
|
$a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
|
|
condition:
|
|
for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
|
|
}
|
|
|
|
rule mwi_document: exploitdoc maldoc
|
|
{
|
|
meta:
|
|
description = "MWI generated document"
|
|
author = "@Ydklijnsma"
|
|
source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
|
|
|
|
strings:
|
|
$field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
|
|
$mwistat_url = ".php?id="
|
|
$field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
|
|
|
|
condition:
|
|
all of them
|
|
}
|
|
|
|
rule macrocheck : maldoc
|
|
{
|
|
meta:
|
|
Author = "Fireeye Labs"
|
|
Date = "2014/11/30"
|
|
Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
|
|
Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
|
|
|
|
strings:
|
|
$PARAMpword = "pword=" ascii wide
|
|
$PARAMmsg = "msg=" ascii wide
|
|
$PARAMuname = "uname=" ascii
|
|
$userform = "UserForm" ascii wide
|
|
$userloginform = "UserLoginForm" ascii wide
|
|
$invalid = "Invalid username or password" ascii wide
|
|
$up1 = "uploadPOST" ascii wide
|
|
$up2 = "postUpload" ascii wide
|
|
|
|
condition:
|
|
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
|
|
}
|
|
|
|
rule Office_AutoOpen_Macro : maldoc {
|
|
meta:
|
|
description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
|
|
author = "Florian Roth"
|
|
date = "2015-05-28"
|
|
score = 60
|
|
hash1 = "4d00695d5011427efc33c9722c61ced2"
|
|
hash2 = "63f6b20cb39630b13c14823874bd3743"
|
|
hash3 = "66e67c2d84af85a569a04042141164e6"
|
|
hash4 = "a3035716fe9173703941876c2bde9d98"
|
|
hash5 = "7c06cab49b9332962625b16f15708345"
|
|
hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
|
|
hash7 = "25285b8fe2c41bd54079c92c1b761381"
|
|
strings:
|
|
$s1 = "AutoOpen" ascii fullword
|
|
$s2 = "Macros" wide fullword
|
|
condition:
|
|
uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
|
|
}
|
|
|
|
rule Embedded_EXE_Cloaking : maldoc {
|
|
meta:
|
|
description = "Detects an embedded executable in a non-executable file"
|
|
author = "Florian Roth"
|
|
date = "2015/02/27"
|
|
score = 80
|
|
strings:
|
|
$noex_png = { 89 50 4E 47 }
|
|
$noex_pdf = { 25 50 44 46 }
|
|
$noex_rtf = { 7B 5C 72 74 66 31 }
|
|
$noex_jpg = { FF D8 FF E0 }
|
|
$noex_gif = { 47 49 46 38 }
|
|
$mz = { 4D 5A }
|
|
$a1 = "This program cannot be run in DOS mode"
|
|
$a2 = "This program must be run under Win32"
|
|
condition:
|
|
(
|
|
( $noex_png at 0 ) or
|
|
( $noex_pdf at 0 ) or
|
|
( $noex_rtf at 0 ) or
|
|
( $noex_jpg at 0 ) or
|
|
( $noex_gif at 0 )
|
|
)
|
|
and
|
|
for any i in (1..#mz): ( @a1 < ( @mz[i] + 200 ) or @a2 < ( @mz[i] + 200 ) )
|
|
}
|