08e8d462fe
RED PILL 🔴 💊
456 lines
10 KiB
Text
456 lines
10 KiB
Text
rule malicious_author : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 5
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
|
|
$reg0 = /Creator.?\(yen vaw\)/
|
|
$reg1 = /Title.?\(who cis\)/
|
|
$reg2 = /Author.?\(ser pes\)/
|
|
condition:
|
|
$magic at 0 and all of ($reg*)
|
|
}
|
|
|
|
rule suspicious_version : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 3
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$ver = /%PDF-1.\d{1}/
|
|
condition:
|
|
$magic at 0 and not $ver
|
|
}
|
|
|
|
rule suspicious_creation : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$header = /%PDF-1\.(3|4|6)/
|
|
|
|
$create0 = /CreationDate \(D:20101015142358\)/
|
|
$create1 = /CreationDate \(2008312053854\)/
|
|
condition:
|
|
$magic at 0 and $header and 1 of ($create*)
|
|
}
|
|
|
|
rule suspicious_title : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 4
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$header = /%PDF-1\.(3|4|6)/
|
|
|
|
$title0 = "who cis"
|
|
$title1 = "P66N7FF"
|
|
$title2 = "Fohcirya"
|
|
condition:
|
|
$magic at 0 and $header and 1 of ($title*)
|
|
}
|
|
|
|
rule suspicious_author : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 4
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$header = /%PDF-1\.(3|4|6)/
|
|
|
|
$author0 = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
|
|
$author1 = "ser pes"
|
|
$author2 = "Miekiemoes"
|
|
$author3 = "Nsarkolke"
|
|
condition:
|
|
$magic at 0 and $header and 1 of ($author*)
|
|
}
|
|
|
|
rule suspicious_producer : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$header = /%PDF-1\.(3|4|6)/
|
|
|
|
$producer0 = /Producer \(Scribus PDF Library/
|
|
$producer1 = "Notepad"
|
|
condition:
|
|
$magic at 0 and $header and 1 of ($producer*)
|
|
}
|
|
|
|
rule suspicious_creator : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 3
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$header = /%PDF-1\.(3|4|6)/
|
|
|
|
$creator0 = "yen vaw"
|
|
$creator1 = "Scribus"
|
|
$creator2 = "Viraciregavi"
|
|
condition:
|
|
$magic at 0 and $header and 1 of ($creator*)
|
|
}
|
|
|
|
rule possible_exploit : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 3
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
|
|
$attrib0 = /\/JavaScript /
|
|
$attrib3 = /\/ASCIIHexDecode/
|
|
$attrib4 = /\/ASCII85Decode/
|
|
|
|
$action0 = /\/Action/
|
|
$action1 = "Array"
|
|
$shell = "A"
|
|
$cond0 = "unescape"
|
|
$cond1 = "String.fromCharCode"
|
|
|
|
$nop = "%u9090%u9090"
|
|
condition:
|
|
$magic at 0 and (2 of ($attrib*)) or ($action0 and #shell > 10 and 1 of ($cond*)) or ($action1 and $cond0 and $nop)
|
|
}
|
|
|
|
rule shellcode_blob_metadata : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
|
|
weight = 4
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
|
|
$reg_keyword = /\/Keywords.?\(([a-zA-Z0-9]{200,})/ //~6k was observed in BHEHv2 PDF exploits holding the shellcode
|
|
$reg_author = /\/Author.?\(([a-zA-Z0-9]{200,})/
|
|
$reg_title = /\/Title.?\(([a-zA-Z0-9]{200,})/
|
|
$reg_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
|
|
$reg_creator = /\/Creator.?\(([a-zA-Z0-9]{300,})/
|
|
$reg_create = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
|
|
|
|
condition:
|
|
$magic at 0 and 1 of ($reg*)
|
|
}
|
|
|
|
rule multiple_filtering : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.2"
|
|
weight = 3
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$attrib = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
|
|
// left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
|
|
|
|
condition:
|
|
$magic at 0 and $attrib
|
|
}
|
|
|
|
rule suspicious_js : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 3
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
|
|
$attrib0 = /\/OpenAction /
|
|
$attrib1 = /\/JavaScript /
|
|
|
|
$js0 = "eval"
|
|
$js1 = "Array"
|
|
$js2 = "String.fromCharCode"
|
|
|
|
condition:
|
|
$magic at 0 and all of ($attrib*) and 2 of ($js*)
|
|
}
|
|
|
|
rule suspicious_launch_action : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
|
|
$attrib0 = /\/Launch/
|
|
$attrib1 = /\/URL /
|
|
$attrib2 = /\/Action/
|
|
$attrib3 = /\/F /
|
|
|
|
condition:
|
|
$magic at 0 and 3 of ($attrib*)
|
|
}
|
|
|
|
rule suspicious_embed : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
|
|
$meth0 = /\/Launch/
|
|
$meth1 = /\/GoTo(E|R)/ //means go to embedded or remote
|
|
$attrib0 = /\/URL /
|
|
$attrib1 = /\/Action/
|
|
$attrib2 = /\/Filespec/
|
|
|
|
condition:
|
|
$magic at 0 and 1 of ($meth*) and 2 of ($attrib*)
|
|
}
|
|
|
|
rule suspicious_obfuscation : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$reg = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
|
|
|
|
condition:
|
|
$magic at 0 and #reg > 5
|
|
}
|
|
|
|
rule invalid_XObject_js : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
description = "XObject's require v1.4+"
|
|
ref = "https://blogs.adobe.com/ReferenceXObjects/"
|
|
version = "0.1"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$ver = /%PDF-1\.[4-9]/
|
|
|
|
$attrib0 = /\/XObject/
|
|
$attrib1 = /\/JavaScript/
|
|
|
|
condition:
|
|
$magic at 0 and not $ver and all of ($attrib*)
|
|
}
|
|
|
|
rule invalid_trailer_structure : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
weight = 1
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
// Required for a valid PDF
|
|
$reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
|
|
$reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
|
|
|
|
condition:
|
|
$magic at 0 and not $reg0 and not $reg1
|
|
}
|
|
|
|
rule multiple_versions : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"
|
|
weight = 0
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$s0 = "trailer"
|
|
$s1 = "%%EOF"
|
|
|
|
condition:
|
|
$magic at 0 and #s0 > 1 and #s1 > 1
|
|
}
|
|
|
|
rule js_wrong_version : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
description = "JavaScript was introduced in v1.3"
|
|
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
|
|
version = "0.1"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$js = /\/JavaScript/
|
|
$ver = /%PDF-1\.[3-9]/
|
|
|
|
condition:
|
|
$magic at 0 and $js and not $ver
|
|
}
|
|
|
|
rule JBIG2_wrong_version : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
description = "JBIG2 was introduced in v1.4"
|
|
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
|
|
version = "0.1"
|
|
weight = 1
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$js = /\/JBIG2Decode/
|
|
$ver = /%PDF-1\.[4-9]/
|
|
|
|
condition:
|
|
$magic at 0 and $js and not $ver
|
|
}
|
|
|
|
rule FlateDecode_wrong_version : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
description = "Flate was introduced in v1.2"
|
|
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
|
|
version = "0.1"
|
|
weight = 1
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$js = /\/FlateDecode/
|
|
$ver = /%PDF-1\.[2-9]/
|
|
|
|
condition:
|
|
$magic at 0 and $js and not $ver
|
|
}
|
|
|
|
rule embed_wrong_version : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
description = "EmbeddedFiles were introduced in v1.3"
|
|
ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
|
|
version = "0.1"
|
|
weight = 1
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$embed = /\/EmbeddedFiles/
|
|
$ver = /%PDF-1\.[3-9]/
|
|
|
|
condition:
|
|
$magic at 0 and $embed and not $ver
|
|
}
|
|
|
|
rule invalid_xref_numbers : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
description = "The first entry in a cross-reference table is always free and has a generation number of 65,535"
|
|
notes = "This can be also be in a stream..."
|
|
weight = 1
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$reg0 = /xref\r?\n?.*\r?\n?.*65535\sf/
|
|
$reg1 = /endstream.*?\r?\n?endobj.*?\r?\n?startxref/
|
|
condition:
|
|
$magic at 0 and not $reg0 and not $reg1
|
|
}
|
|
|
|
rule js_splitting : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
description = "These are commonly used to split up JS code"
|
|
weight = 2
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$js = /\/JavaScript/
|
|
$s0 = "getAnnots"
|
|
$s1 = "getPageNumWords"
|
|
$s2 = "getPageNthWord"
|
|
$s3 = "this.info"
|
|
|
|
condition:
|
|
$magic at 0 and $js and 1 of ($s*)
|
|
}
|
|
|
|
rule BlackHole_v2 : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
|
|
weight = 3
|
|
|
|
strings:
|
|
$magic = { 25 50 44 46 }
|
|
$content = "Index[5 1 7 1 9 4 23 4 50"
|
|
|
|
condition:
|
|
$magic at 0 and $content
|
|
}
|
|
|
|
|
|
rule XDP_embedded_PDF : PDF
|
|
{
|
|
meta:
|
|
author = "Glenn Edwards (@hiddenillusion)"
|
|
version = "0.1"
|
|
ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
|
|
weight = 1
|
|
|
|
strings:
|
|
$s1 = "<pdf xmlns="
|
|
$s2 = "<chunk>"
|
|
$s3 = "</pdf>"
|
|
$header0 = "%PDF"
|
|
$header1 = "JVBERi0"
|
|
|
|
condition:
|
|
all of ($s*) and 1 of ($header*)
|
|
}
|