Generic Phishing PDF Yara rule
rule Generic_Phishing_PDF
{
    meta:
        description = "Identifies generic phishing PDFs."
        author = "@bartblaze"
        date = "2019-03"
        tlp = "White"
        reference = "https://bartblaze.blogspot.com/2019/03/analysing-massive-office-365-phishing.html"
    strings:
        $pdf = { 25 50 44 46 } // %PDF magic bytes
        // XMP metadata: CreatorTool set to RAD PDF
        $s1 = "<xmp:CreatorTool>RAD PDF</xmp:CreatorTool>"
        // XMP packet header whose x:xmptk (toolkit) value begins with DynaPDF
        $s2 = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"DynaPDF"
    condition:
        // File must start with the PDF magic and contain both XMP strings
        $pdf at 0 and all of ($s*)
}