08e8d462fe
RED PILL 🔴 💊
27 lines
1.1 KiB
Text
27 lines
1.1 KiB
Text
|
|
rule MAL_RTF_Embedded_OLE_PE {
|
|
meta:
|
|
description = "Detects a suspicious string often used in PE files in a hex encoded object stream"
|
|
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
|
|
author = "Florian Roth (Nextron Systems)"
|
|
reference = "https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/"
|
|
date = "2018-01-22"
|
|
modified = "2023-11-25"
|
|
score = 65
|
|
id = "20044f08-9574-5baf-b91e-47613e490d62"
|
|
strings:
|
|
/* Hex encoded strings */
|
|
/* This program cannot be run in DOS mode */
|
|
$a1 = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465" ascii
|
|
/* KERNEL32.dll */
|
|
$a2 = "4b45524e454c33322e646c6c" ascii
|
|
/* C:\fakepath\ */
|
|
$a3 = "433a5c66616b65706174685c" ascii
|
|
/* DOS Magic Header */
|
|
$m3 = "4d5a40000100000006000000ffff"
|
|
$m2 = "4d5a50000200000004000f00ffff"
|
|
$m1 = "4d5a90000300000004000000ffff"
|
|
condition:
|
|
uint32be(0) == 0x7B5C7274 /* RTF */
|
|
and 1 of them
|
|
}
|