pe3zx/malware_carriers_hunting.yar

## malware_carriers_hunting.yar
// any Office document with macros.
rule macro_hunter
{
    strings:
        $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
        $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
        $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
    condition:
        new_file and (
            tags contains "macros" or (
                $ole_marker at 0 and 1 of ($macro_sheet_h*)
            )
        )
}

// any office document with any AV hits or with embedded ActiveX.
rule maldoc_hunter
{
    strings:
        $docx_magic = /^\x50\x4B\x03\x04\x14\x00\x06\x00/
        $activex_1 = "word/activeX/activeX1.bin"
        $activex_2 = "word/activeX/activeX1.xml"
    condition:
        new_file and not (uint16be(0x0) == 0x4d5a)
        and
        (
            file_type contains "office" or
            tags contains "office" or
            $docx_magic at 0
        )
        and
        (
            positives > 0 or
            all of ($activex*)
        )
}

// any JAR files with any AV hits.
rule maljar_hunter
{
    condition:
        new_file and positives > 0 and
        (
            tags contains "jar" or
            tags contains "class" or
            file_type contains "jar" or
            file_type contains "class"
        )
}

// any RTF files with any AV hits.
rule rtf_hunter
{
    strings:
        $magic = "{\\rt"
    condition:
        new_file and positives > 0 and
        (
            file_type contains "rtf" or
            tags containts "rtf" or
            $magic at 0
        )
}

// any PDF file with JavaScript.
rule pdfjs_hunter
{
    strings:
        $pdf_header = "%PDF"
    condition:
        new_file and
        (
            file_type contains "pdf" or
            $pdf_header in (0..1024)
        )
        and tags contains "js-embedded"
}

// any office document with an embedded SWF.
// note that we disqualify PE files here,
// due to misclassification.
rule swfdoc_hunter
{
    strings:
        $a = { 6e db 7c d2 6d ae cf 11 96 b8 44 45 53 54 00 00 }
        $b = { 57 53 }
    condition:
         $a and $b and not (uint16be(0x0) == 0x4d5a )
}
	// any Office document with macros.
	rule macro_hunter
	{
	strings:
	$ole_marker = {D0 CF 11 E0 A1 B1 1A E1}
	$macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}
	$macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}
	condition:
	new_file and (
	tags contains "macros" or (
	$ole_marker at 0 and 1 of ($macro_sheet_h*)
	)
	)
	}

	// any office document with any AV hits or with embedded ActiveX.
	rule maldoc_hunter
	{
	strings:
	$docx_magic = /^\x50\x4B\x03\x04\x14\x00\x06\x00/
	$activex_1 = "word/activeX/activeX1.bin"
	$activex_2 = "word/activeX/activeX1.xml"
	condition:
	new_file and not (uint16be(0x0) == 0x4d5a)
	and
	(
	file_type contains "office" or
	tags contains "office" or
	$docx_magic at 0
	)
	and
	(
	positives > 0 or
	all of ($activex*)
	)
	}

	// any JAR files with any AV hits.
	rule maljar_hunter
	{
	condition:
	new_file and positives > 0 and
	(
	tags contains "jar" or
	tags contains "class" or
	file_type contains "jar" or
	file_type contains "class"
	)
	}

	// any RTF files with any AV hits.
	rule rtf_hunter
	{
	strings:
	$magic = "{\\rt"
	condition:
	new_file and positives > 0 and
	(
	file_type contains "rtf" or
	tags containts "rtf" or
	$magic at 0
	)
	}

	// any PDF file with JavaScript.
	rule pdfjs_hunter
	{
	strings:
	$pdf_header = "%PDF"
	condition:
	new_file and
	(
	file_type contains "pdf" or
	$pdf_header in (0..1024)
	)
	and tags contains "js-embedded"
	}

	// any office document with an embedded SWF.
	// note that we disqualify PE files here,
	// due to misclassification.
	rule swfdoc_hunter
	{
	strings:
	$a = { 6e db 7c d2 6d ae cf 11 96 b8 44 45 53 54 00 00 }
	$b = { 57 53 }
	condition:
	$a and $b and not (uint16be(0x0) == 0x4d5a )
	}