clr2of8/rtf_with_multiple_embedded_docs

## rtf_with_multiple_embedded_docs
rule rtf_with_multiple_embedded_docs
{
     meta:
          description = "RTF file with multiple embedded macro-enabled documents"
          weight  = 90
          author = "Walmart Information Security"
          date = "2019-03-14"

     strings:
          // Headers of files to look for
          $header_rtf = "{\\rt" nocase
          $docheader_1 = "d0cf11e" nocase
          $rtf_objupdate = "objupdate" nocase
          $macro = "56424150726f6a656374" nocase

     condition:
          ($header_rtf at 0) and #rtf_objupdate > 1 and #docheader_1 > 1 and #macro > 3
}
	rule rtf_with_multiple_embedded_docs
	{
	meta:
	description = "RTF file with multiple embedded macro-enabled documents"
	weight = 90
	author = "Walmart Information Security"
	date = "2019-03-14"

	strings:
	// Headers of files to look for
	$header_rtf = "{\\rt" nocase
	$docheader_1 = "d0cf11e" nocase
	$rtf_objupdate = "objupdate" nocase
	$macro = "56424150726f6a656374" nocase

	condition:
	($header_rtf at 0) and #rtf_objupdate > 1 and #docheader_1 > 1 and #macro > 3
	}