@bartblaze
Created May 24, 2019 17:27
Generic Phishing PDF Yara rule
rule Generic_Phishing_PDF
{
    meta:
        description = "Identifies generic phishing PDFs."
        author = "@bartblaze"
        date = "2019-03"
        tlp = "White"
        reference = "https://bartblaze.blogspot.com/2019/03/analysing-massive-office-365-phishing.html"
    strings:
        $pdf = {25504446} // %PDF
        // XMP metadata: creator tool "RAD PDF" and XMP toolkit "DynaPDF"
        $s1 = "<xmp:CreatorTool>RAD PDF</xmp:CreatorTool>"
        $s2 = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"DynaPDF"
    condition:
        // PDF magic at offset 0 and both metadata strings present
        $pdf at 0 and all of ($s*)
}