
// Matches a PDF whose Creator, Title and Author metadata carry three fixed
// values (presumably observed together in malicious samples); all three
// strings must be present for the rule to fire.
rule malicious_author : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 5
    strings:
        $pdf_magic = "%PDF"
        // ".?" tolerates one optional byte (typically a space) before the "("
        $creator_val = /Creator.?\(yen vaw\)/
        $title_val   = /Title.?\(who cis\)/
        $author_val  = /Author.?\(ser pes\)/
    condition:
        // file-type gate: "%PDF" must be the first four bytes
        $pdf_magic at 0 and $creator_val and $title_val and $author_val
}
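// Flags a file that begins with "%PDF" but carries no well-formed
// "%PDF-<major>.<minor>" version marker anywhere in the file.
// Review note: the original pattern /%PDF-1.\d{1}/ left the "." unescaped
// (so "%PDF-1x7" satisfied it) and only accepted 1.x, which would flag
// valid PDF 2.0 files ("%PDF-2.0") as having a suspicious version.
rule suspicious_version : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3
    strings:
        $magic = { 25 50 44 46 }
        // accept 1.x and 2.x; the dot is escaped so only a literal "." counts
        $ver = /%PDF-[12]\.\d/
    condition:
        // $ver is searched anywhere in the file, not pinned to offset 0
        $magic at 0 and not $ver
}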
// Matches a PDF with a 1.3/1.4/1.6 header and one of two fixed
// CreationDate values (presumably taken from known-bad samples).
rule suspicious_creation : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $pdf_magic = "%PDF"
        // only these three minor versions are accepted by the header check
        $pdf_header = /%PDF-1\.(3|4|6)/
        $cdate_a = /CreationDate \(D:20101015142358\)/
        $cdate_b = /CreationDate \(2008312053854\)/
    condition:
        $pdf_magic at 0 and $pdf_header and any of ($cdate_*)
}
// Matches a PDF with a 1.3/1.4/1.6 header that contains any of three fixed
// Title-like strings (presumably taken from known-bad samples). The strings
// are searched anywhere in the file, not only in the /Title field.
rule suspicious_title : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 4
    strings:
        $pdf_magic = "%PDF"
        $pdf_header = /%PDF-1\.(3|4|6)/
        $known_title_a = "who cis"
        $known_title_b = "P66N7FF"
        $known_title_c = "Fohcirya"
    condition:
        $pdf_magic at 0 and $pdf_header and any of ($known_title_*)
}
// Matches a PDF with a 1.3/1.4/1.6 header that contains any of four fixed
// Author-like strings (presumably taken from known-bad samples). The strings
// are searched anywhere in the file, not only in the /Author field.
rule suspicious_author : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 4
    strings:
        $pdf_magic = "%PDF"
        $pdf_header = /%PDF-1\.(3|4|6)/
        $known_author_a = "Ubzg1QUbzuzgUbRjvcUb14RjUb1"
        $known_author_b = "ser pes"
        $known_author_c = "Miekiemoes"
        $known_author_d = "Nsarkolke"
    condition:
        $pdf_magic at 0 and $pdf_header and any of ($known_author_*)
}
// Matches a PDF with a 1.3/1.4/1.6 header whose content names either the
// Scribus PDF library as Producer or contains the word "Notepad".
rule suspicious_producer : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $pdf_magic = "%PDF"
        $pdf_header = /%PDF-1\.(3|4|6)/
        // literal text; the original regex had no metacharacters beyond "\("
        $producer_scribus = "Producer (Scribus PDF Library"
        // matched anywhere in the file, not only inside /Producer
        $producer_notepad = "Notepad"
    condition:
        $pdf_magic at 0 and $pdf_header and ($producer_scribus or $producer_notepad)
}
// Matches a PDF with a 1.3/1.4/1.6 header that contains any of three fixed
// Creator-like strings. "Scribus" alone is a generic tool name, so this
// rule is expected to be noisier than the others in this set.
rule suspicious_creator : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3
    strings:
        $pdf_magic = "%PDF"
        $pdf_header = /%PDF-1\.(3|4|6)/
        $known_creator_a = "yen vaw"
        $known_creator_b = "Scribus"
        $known_creator_c = "Viraciregavi"
    condition:
        $pdf_magic at 0 and $pdf_header and any of ($known_creator_*)
}
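// Heuristic for JavaScript-based PDF exploits: a JavaScript action plus
// ASCII decoding filters, or an /Action with many "A" bytes and a decoding
// helper, or an Array/unescape pair next to a %u9090 NOP-style sequence.
// Review note: YARA binds "and" tighter than "or", so in the original
// condition "$magic at 0" guarded only the first alternative; the other two
// could fire on any file type. The alternatives are now grouped so the PDF
// magic check applies to all of them.
rule possible_exploit : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3
    strings:
        $magic = { 25 50 44 46 }
        $attrib0 = /\/JavaScript /
        $attrib3 = /\/ASCIIHexDecode/
        $attrib4 = /\/ASCII85Decode/
        $action0 = /\/Action/
        $action1 = "Array"
        // single-byte atom: "#shell > 10" is true for almost any file of
        // nontrivial size, so it adds little selectivity on its own
        $shell = "A"
        $cond0 = "unescape"
        $cond1 = "String.fromCharCode"
        $nop = "%u9090%u9090"
    condition:
        $magic at 0 and (
            (2 of ($attrib*)) or
            ($action0 and #shell > 10 and 1 of ($cond*)) or
            ($action1 and $cond0 and $nop)
        )
}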
// Flags a PDF whose document-information fields hold an unusually long run
// of alphanumeric characters (200+, 300+ for /Creator), which the author
// associates with encoded shellcode parked in metadata.
rule shellcode_blob_metadata : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "When there's a large Base64 blob inserted into metadata fields it often indicates shellcode to later be decoded"
        weight = 4
    strings:
        $pdf_magic = "%PDF"
        // ~6k was observed in BHEHv2 PDF exploits holding the shellcode
        $blob_keywords = /\/Keywords.?\(([a-zA-Z0-9]{200,})/
        $blob_author   = /\/Author.?\(([a-zA-Z0-9]{200,})/
        $blob_title    = /\/Title.?\(([a-zA-Z0-9]{200,})/
        $blob_producer = /\/Producer.?\(([a-zA-Z0-9]{200,})/
        // /Creator uses a higher threshold than the other fields
        $blob_creator  = /\/Creator.?\(([a-zA-Z0-9]{300,})/
        $blob_cdate    = /\/CreationDate.?\(([a-zA-Z0-9]{200,})/
    condition:
        $pdf_magic at 0 and any of ($blob_*)
}
// Flags a /Filter entry that chains two or more of the listed decoding
// filters in a row; stacked filters are a common way to hide payload bytes
// from simple string scanning.
rule multiple_filtering : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.2"
        weight = 3
    strings:
        $pdf_magic = "%PDF"
        // "{2}" requires two consecutive filter names after /Filter
        $filter_chain = /\/Filter.*?(\/ASCIIHexDecode\W+|\/LZWDecode\W+|\/ASCII85Decode\W+|\/FlateDecode\W+|\/RunLengthDecode){2}/
        // left out: /CCITTFaxDecode, JBIG2Decode, DCTDecode, JPXDecode, Crypt
    condition:
        $pdf_magic at 0 and $filter_chain
}
// Flags a PDF that has both an /OpenAction and a /JavaScript entry and at
// least two of the JavaScript idioms commonly used to build payloads at
// runtime (eval, Array, String.fromCharCode).
rule suspicious_js : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 3
    strings:
        $pdf_magic = "%PDF"
        // literal text; the trailing space is part of the match
        $open_action = "/OpenAction "
        $js_entry    = "/JavaScript "
        $js_idiom_eval  = "eval"
        $js_idiom_array = "Array"
        $js_idiom_fcc   = "String.fromCharCode"
    condition:
        $pdf_magic at 0 and $open_action and $js_entry and 2 of ($js_idiom_*)
}
// Flags a PDF carrying at least three of the four markers associated with
// a /Launch action (Launch, URL, Action, F) — i.e. a document that may try
// to start an external program or resource on open.
rule suspicious_launch_action : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $pdf_magic = "%PDF"
        // literal text; trailing spaces are part of the match where present
        $launch_launch = "/Launch"
        $launch_url    = "/URL "
        $launch_action = "/Action"
        $launch_file   = "/F "
    condition:
        $pdf_magic at 0 and 3 of ($launch_*)
}
// Flags a PDF that combines a Launch or GoToE/GoToR method with two of the
// attributes (URL, Action, Filespec) used to reach an embedded or remote
// file; see the ref for the embedding technique this targets.
rule suspicious_embed : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "https://feliam.wordpress.com/2010/01/13/generic-pdf-exploit-hider-embedpdf-py-and-goodbye-av-detection-012010/"
        weight = 2
    strings:
        $pdf_magic = "%PDF"
        $method_launch = "/Launch"
        // GoToE = go to embedded, GoToR = go to remote
        $method_goto   = /\/GoTo[ER]/
        $attr_url      = "/URL "
        $attr_action   = "/Action"
        $attr_filespec = "/Filespec"
    condition:
        $pdf_magic at 0 and any of ($method_*) and 2 of ($attr_*)
}
// Flags heavy use of "#xx" escapes inside PDF names, a common way to hide
// keywords such as /JavaScript from naive string matching. More than five
// hits are required before the rule fires.
rule suspicious_obfuscation : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 2
    strings:
        $pdf_magic = "%PDF"
        // as written, this requires "/" + exactly one word character followed
        // by two consecutive #xx escapes; names escaped elsewhere won't count
        $escaped_name = /\/\w#[a-zA-Z0-9]{2}#[a-zA-Z0-9]{2}/
    condition:
        $pdf_magic at 0 and #escaped_name > 5
}
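// Flags a PDF that uses both /XObject and /JavaScript while declaring a
// version older than 1.4 — a header/content mismatch the author treats as a
// tampering indicator.
// Review note: the original version pattern accepted only 1.4–1.9, so a
// valid PDF 2.0 file would always be reported here; 2.x is now accepted.
// NOTE(review): the ref describes Reference XObjects, but "/XObject" also
// matches image and form XObjects — confirm the intended scope.
rule invalid_XObject_js : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "XObject's require v1.4+"
        ref = "https://blogs.adobe.com/ReferenceXObjects/"
        version = "0.1"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }
        // versions at which the feature is legitimately available
        $ver = /%PDF-(1\.[4-9]|2\.\d)/
        $attrib0 = /\/XObject/
        $attrib1 = /\/JavaScript/
    condition:
        // $ver is searched anywhere in the file, not pinned to offset 0
        $magic at 0 and not $ver and all of ($attrib*)
}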
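// Flags a PDF that lacks both a classic "trailer ... /Size" block and a
// "/Root ... startxref ... %%EOF" tail — structure a conventional writer
// always emits.
// Review note: PDFs using cross-reference streams (/Type /XRef) carry no
// "trailer" keyword and put /Root inside the stream dictionary, so the
// original rule reported every such file; they are now excluded.
// The original $reg0 ended in "\.*" (zero or more literal dots), which
// matched nothing useful and has been dropped without changing results.
rule invalid_trailer_structure : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        weight = 1
    strings:
        $magic = { 25 50 44 46 }
        // Required for a valid PDF
        $trailer_block = /trailer\r?\n?.*\/Size.*/
        $root_tail = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
        // cross-reference stream dictionary; such files have no "trailer" keyword
        $xref_stream = /\/Type\s*\/XRef/
    condition:
        $magic at 0 and not $xref_stream and not $trailer_block and not $root_tail
}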
// Informational only (weight 0): more than one "trailer" and more than one
// "%%EOF" indicate incremental updates have been appended to the file.
rule multiple_versions : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "Written very generically and doesn't hold any weight - just something that might be useful to know about to help show incremental updates to the file being analyzed"
        weight = 0
    strings:
        $pdf_magic = "%PDF"
        $trailer_kw = "trailer"
        $eof_marker = "%%EOF"
    condition:
        // "#" counts occurrences; a single update already yields two of each
        $pdf_magic at 0 and #trailer_kw > 1 and #eof_marker > 1
}
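// Flags a PDF that contains /JavaScript while declaring a version older
// than 1.3, the version in which JavaScript was introduced (see ref).
// Review note: the original version pattern accepted only 1.3–1.9, so a
// valid PDF 2.0 file with JavaScript was always reported; 2.x is now accepted.
rule js_wrong_version : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "JavaScript was introduced in v1.3"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }
        $js = /\/JavaScript/
        // versions at which the feature is legitimately available
        $ver = /%PDF-(1\.[3-9]|2\.\d)/
    condition:
        // $ver is searched anywhere in the file, not pinned to offset 0
        $magic at 0 and $js and not $ver
}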
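// Flags a PDF that uses the JBIG2Decode filter while declaring a version
// older than 1.4, the version in which JBIG2 was introduced (see ref).
// Review note: the original version pattern accepted only 1.4–1.9, so a
// valid PDF 2.0 file using JBIG2 was always reported; 2.x is now accepted.
rule JBIG2_wrong_version : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "JBIG2 was introduced in v1.4"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 1
    strings:
        $magic = { 25 50 44 46 }
        // identifier kept for compatibility; it matches the JBIG2 filter, not JavaScript
        $js = /\/JBIG2Decode/
        // versions at which the feature is legitimately available
        $ver = /%PDF-(1\.[4-9]|2\.\d)/
    condition:
        $magic at 0 and $js and not $ver
}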
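// Flags a PDF that uses the FlateDecode filter while declaring a version
// older than 1.2, the version in which Flate was introduced (see ref).
// Review note: the original version pattern accepted only 1.2–1.9, so a
// valid PDF 2.0 file using Flate was always reported; 2.x is now accepted.
rule FlateDecode_wrong_version : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "Flate was introduced in v1.2"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 1
    strings:
        $magic = { 25 50 44 46 }
        // identifier kept for compatibility; it matches the Flate filter, not JavaScript
        $js = /\/FlateDecode/
        // versions at which the feature is legitimately available
        $ver = /%PDF-(1\.[2-9]|2\.\d)/
    condition:
        $magic at 0 and $js and not $ver
}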
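// Flags a PDF that declares /EmbeddedFiles while claiming a version older
// than 1.3, the version in which embedded files were introduced (see ref).
// Review note: the original version pattern accepted only 1.3–1.9, so a
// valid PDF 2.0 file with attachments was always reported; 2.x is now accepted.
rule embed_wrong_version : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "EmbeddedFiles were introduced in v1.3"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 1
    strings:
        $magic = { 25 50 44 46 }
        $embed = /\/EmbeddedFiles/
        // versions at which the feature is legitimately available
        $ver = /%PDF-(1\.[3-9]|2\.\d)/
    condition:
        $magic at 0 and $embed and not $ver
}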
// Flags a PDF whose cross-reference table does not start with the mandatory
// free entry (generation 65535, type "f") and which also does not end with a
// stream object immediately before startxref (the cross-reference-stream
// layout the notes field alludes to).
rule invalid_xref_numbers : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "The first entry in a cross-reference table is always free and has a generation number of 65,535"
        notes = "This can be also be in a stream..."
        weight = 1
    strings:
        $pdf_magic = "%PDF"
        // classic table: "xref", then within two lines an entry "... 65535 f"
        $xref_free_entry = /xref\r?\n?.*\r?\n?.*65535\sf/
        // NOTE(review): presumably approximates a cross-reference stream
        // closing the file (endstream/endobj right before startxref) — confirm
        $stream_then_startxref = /endstream.*?\r?\n?endobj.*?\r?\n?startxref/
    condition:
        $pdf_magic at 0 and not $xref_free_entry and not $stream_then_startxref
}
// Flags a PDF with /JavaScript plus any of the Acrobat API calls that are
// commonly used to reassemble a payload scattered across annotations,
// page words or the document-info dictionary.
rule js_splitting : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        description = "These are commonly used to split up JS code"
        weight = 2
    strings:
        $pdf_magic = "%PDF"
        $js_entry = "/JavaScript"
        $api_get_annots     = "getAnnots"
        $api_page_num_words = "getPageNumWords"
        $api_page_nth_word  = "getPageNthWord"
        $api_this_info      = "this.info"
    condition:
        $pdf_magic at 0 and $js_entry and any of ($api_*)
}
// Matches a PDF containing a fixed /Index array prefix that the ref
// associates with Blackhole exploit kit v2 PDF payloads.
rule BlackHole_v2 : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "http://fortknoxnetworks.blogspot.no/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html"
        weight = 3
    strings:
        $pdf_magic = "%PDF"
        // exact byte sequence; any change in spacing or values defeats it
        $bh2_index = "Index[5 1 7 1 9 4 23 4 50"
    condition:
        $pdf_magic at 0 and $bh2_index
}
// Matches an XDP (XML) wrapper carrying a PDF inside a <chunk> element, the
// AV-bypass technique described in the ref. No "%PDF" offset-0 gate here,
// because the outer file is XML rather than a PDF.
rule XDP_embedded_PDF : PDF
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
        weight = 1
    strings:
        $xdp_open  = "<pdf xmlns="
        $xdp_chunk = "<chunk>"
        $xdp_close = "</pdf>"
        $hdr_plain  = "%PDF"
        // base64 encoding of "%PDF-"
        $hdr_base64 = "JVBERi0"
    condition:
        $xdp_open and $xdp_chunk and $xdp_close and ($hdr_plain or $hdr_base64)
}