pe3zx · October 13, 2019 07:39
diff --git a/malware_carriers_hunting.yar b/malware_carriers_hunting.yar
 // any Office document with macros.
 rule macro_hunter
 {
    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
        $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
    condition:
        new_file and (
            tags contains "macros" or (
                $ole_marker at 0 and 1 of ($macro_sheet_h*)
            )
        )
 }

 // any office document with any AV hits or with embedded ActiveX.
 rule maldoc_hunter
 {
    strings:
        $docx_magic = /^\x50\x4B\x03\x04\x14\x00\x06\x00/
        $activex_1 = "word/activeX/activeX1.bin"
        $activex_2 = "word/activeX/activeX1.xml"
    condition:
        new_file and not (uint16be(0x0) == 0x4d5a)
        and
        (
            file_type contains "office" or
            tags contains "office" or
            $docx_magic at 0
        )
        and
        (
            positives > 0 or
            all of ($activex*)
        )
 }

 // any JAR files with any AV hits.
 rule maljar_hunter
 {
    condition:
        new_file and positives > 0 and
        (
            tags contains "jar" or
            tags contains "class" or
            file_type contains "jar" or
            file_type contains "class"
        )
 }

 // any RTF files with any AV hits.
 rule rtf_hunter
 {
    strings:
        $magic = "{\\rt"
    condition:
        new_file and positives > 0 and
        (
            file_type contains "rtf" or
            tags containts "rtf" or
            $magic at 0
        )
 }

 // any PDF file with JavaScript.
 rule pdfjs_hunter
 {
    strings:
        $pdf_header = "%PDF"
    condition:
        new_file and
        (
            file_type contains "pdf" or
            $pdf_header in (0..1024)
        )
        and tags contains "js-embedded"
 }

 // any office document with an embedded SWF.
 // note that we disqualify PE files here,
 // due to misclassification.
 rule swfdoc_hunter
 {
    strings:
        $a = { 6e db 7c d2 6d ae cf 11 96 b8 44 45 53 54 00 00 }
        $b = { 57 53 }
    condition:
         $a and $b and not (uint16be(0x0) == 0x4d5a )
 }
	// any Office document with macros.
	rule macro_hunter
	{
	strings:
	$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
	$macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
	$macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
	condition:
	new_file and (
	tags contains "macros" or (
	$ole_marker at 0 and 1 of ($macro_sheet_h*)
	)
	)
	}

	// any office document with any AV hits or with embedded ActiveX.
	rule maldoc_hunter
	{
	strings:
	$docx_magic = /^\x50\x4B\x03\x04\x14\x00\x06\x00/
	$activex_1 = "word/activeX/activeX1.bin"
	$activex_2 = "word/activeX/activeX1.xml"
	condition:
	new_file and not (uint16be(0x0) == 0x4d5a)
	and
	(
	file_type contains "office" or
	tags contains "office" or
	$docx_magic at 0
	)
	and
	(
	positives > 0 or
	all of ($activex*)
	)
	}

	// any JAR files with any AV hits.
	rule maljar_hunter
	{
	condition:
	new_file and positives > 0 and
	(
	tags contains "jar" or
	tags contains "class" or
	file_type contains "jar" or
	file_type contains "class"
	)
	}

	// any RTF files with any AV hits.
	rule rtf_hunter
	{
	strings:
	$magic = "{\\rt"
	condition:
	new_file and positives > 0 and
	(
	file_type contains "rtf" or
	tags containts "rtf" or
	$magic at 0
	)
	}

	// any PDF file with JavaScript.
	rule pdfjs_hunter
	{
	strings:
	$pdf_header = "%PDF"
	condition:
	new_file and
	(
	file_type contains "pdf" or
	$pdf_header in (0..1024)
	)
	and tags contains "js-embedded"
	}

	// any office document with an embedded SWF.
	// note that we disqualify PE files here,
	// due to misclassification.
	rule swfdoc_hunter
	{
	strings:
	$a = { 6e db 7c d2 6d ae cf 11 96 b8 44 45 53 54 00 00 }
	$b = { 57 53 }
	condition:
	$a and $b and not (uint16be(0x0) == 0x4d5a )
	}