@predictiple
Created February 27, 2021 07:26
// File-type triage rules. Every rule below is a magic-byte check: it reports
// what a file claims to be, not whether it is safe, and headers are trivial to
// forge, so treat hits as triage hints rather than verdicts.

// Despite its name this fires on any PE image (PE32 and PE32+): it checks the
// "MZ" stub and that e_lfanew (the dword at 0x3C) points at "PE\0\0". If
// e_lfanew points outside the file the read is undefined and the rule does
// not match.
rule pe_32 {
    condition:
        uint16be(0) == 0x4D5A and
        uint32be(uint32(0x3C)) == 0x50450000
}

// Bare "MZ" stub: DOS executables and anything PE-shaped.
rule pe_dos {
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}
// Windows event logs and ESE databases.

// EVTX (Vista+) file header "ElfFile\0". The two strings overlap; the
// unterminated form is kept so the rule behaves exactly as before.
rule winevtx {
    strings:
        $sig_nul = "ElfFile\x00"
        $sig     = "ElfFile"
    condition:
        $sig at 0 or $sig_nul at 0
}

// Legacy EVT (pre-Vista) file header: size 0x30, "LfLe", version 1.1.
rule winevt {
    strings:
        $hdr = { 30 00 00 00 4C 66 4C 65 01 00 00 00 01 00 00 00 }
    condition:
        $hdr at 0
}

// Extensible Storage Engine database (NTDS.dit, SRUM, Windows Search, ...):
// bytes 0-3 are the header checksum, the signature sits at offset 4.
rule esedb {
    strings:
        $sig = { EF CD AB 89 }
    condition:
        $sig at 4
}
// NTFS on-disk structures.

// MFT entry header. "FILE" alone is a weak check: no "FILE0"/fixup validation.
rule ntfs_mft {
    strings:
        $magic = { 46 49 4C 45 }
    condition:
        $magic at 0
}

// NTFS boot sector: jump instruction (EB 52 90) followed by the OEM ID "NTFS".
rule ntfs_boot {
    strings:
        $bs = "\xeb\x52\x90NTFS"
    condition:
        $bs at 0
}

// $LogFile restart-area page signature.
rule ntfs_logfile {
    strings:
        $rstr = "RSTR"
    condition:
        $rstr at 0
}
// Expert Witness (EnCase) evidence containers. The four rules overlap on
// purpose (ewf_v1 is a prefix of all of them), so expect multiple hits.

// EWF-E01 segment header; the 4-byte prefix also accepts truncated headers,
// exactly as the original rule did.
rule ewf_e01 {
    strings:
        $full  = "EVF\x09\x0d\x0a\xff\x00"
        $short = "EVF\x09"
    condition:
        $short at 0 or $full at 0
}

// EWF-L01 (logical evidence) segment header.
rule ewf_l01 {
    strings:
        $sig = "LVF\x09\x0d\x0a\xff\x00"
    condition:
        $sig at 0
}

// EWF version 2 (Ex01) header prefix.
rule ewf_v2 {
    strings:
        $sig = "EVF2"
    condition:
        $sig at 0
}

// Catch-all "EVF" prefix.
rule ewf_v1 {
    strings:
        $sig = "EVF"
    condition:
        $sig at 0
}
// Browser cache, VM disk, registry and SQLite stores.

// Legacy IE index.dat (MSIE cache file) header text.
rule msiecf {
    strings:
        $hdr = "Client UrlCache MMF Ver "
    condition:
        $hdr at 0
}

// QEMU copy-on-write disk image: "QFI" followed by 0xFB.
rule qcow {
    strings:
        $magic = { 51 46 49 FB }
    condition:
        $magic at 0
}

// Windows registry hive base block.
rule winreg {
    strings:
        $regf = { 72 65 67 66 }
    condition:
        $regf at 0
}

// SQLite 2.x header text.
rule sqlite2 {
    strings:
        $hdr = "** This file contains an SQLite 2"
    condition:
        $hdr at 0
}

// SQLite 3 header string, NUL-terminated.
rule sqlite3 {
    strings:
        $hdr = "SQLite format 3\x00"
    condition:
        $hdr at 0
}

// Same bytes as sqlite3; kept because the rule name is part of the interface.
rule sqlite {
    strings:
        $hdr = "SQLite format 3\x00"
    condition:
        $hdr at 0
}
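// Virtual disk images. Only the leading header is checked; a fixed-size VHD
// keeps its "conectix" footer at the end of the file and is not covered here.

// Hyper-V VHDX file identifier.
rule vhdx {
    strings:
        $sig = "vhdxfile"
    condition:
        $sig at 0
}

// VHD footer cookie at offset 0 (dynamic and differencing images keep a copy
// of the footer at the start of the file).
rule vhdi_header {
    strings:
        $cookie = "conectix"
    condition:
        $cookie at 0
}

// Same cookie as vhdi_header. The original rule spelled it "connectix"
// (63 6F 6E 6E ...), a 9-byte string that no VHD header contains, so the
// rule could never match; it now uses the 8-byte "conectix" cookie.
rule vhd {
    strings:
        $cookie = "conectix"
    condition:
        $cookie at 0
}

// VirtualBox VDI header text.
rule vdi {
    strings:
        $sig = "<<< Oracle VM VirtualBox Disk Image >>>"
    condition:
        $sig at 0
}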
// Prefetch and thumbnail-cache artefacts.

// Uncompressed prefetch: format version at 0-3, "SCCA" signature at offset 4.
rule winprefetch {
    strings:
        $scca = "SCCA"
    condition:
        $scca at 4
}

// Windows 10 prefetch is stored compressed and starts with "MAM\x04"; the
// SCCA header only becomes visible after decompression.
rule winprefetch_alt {
    strings:
        $mam = { 4D 41 4D 04 }
    condition:
        $mam at 0
}

// thumbcache_*.db cache header; both strings are the same four bytes.
rule wtcdb_cache {
    strings:
        $txt = "CMMM"
        $hex = { 43 4D 4D 4D }
    condition:
        $hex at 0 or $txt at 0
}

// thumbcache_idx.db index header, accepted anywhere in the first 101 bytes.
rule wtcdb_index {
    strings:
        $immm = "IMMM"
    condition:
        $immm in (0..100)
}
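// XML, Chrome extensions, legacy Office streams and Jump Lists.

// XML declaration at offset 0. The original $a held only 'rsion="1.0"?>',
// the tail of '<?xml version="1.0"?>', which can never sit at offset 0 of a
// real document; it is restored to the full declaration. $open ("<?xml ")
// remains the broad check and subsumes it.
rule xml {
    strings:
        $decl = { 3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31 2E 30 22 3F 3E }
        $open = { 3c 3f 78 6d 6c 20 }
    condition:
        $decl at 0 or $open at 0
}

// Chrome extension package "Cr24".
rule chrome_crx {
    strings:
        $cr24 = { 43 72 32 34 }
    condition:
        $cr24 at 0
}

// Word binary document: FIB magic of the WordDocument stream, which only sits
// at 512 when that stream occupies the first sector after the CFB header.
rule ms_doc {
    strings:
        $fib = { EC A5 C1 00 }
    condition:
        $fib at 512
}

// Excel BIFF8 BOF record in the sector following the CFB header; same
// first-sector caveat as ms_doc.
rule ms_xls {
    strings:
        $bof = { 09 08 10 00 00 06 05 00 }
    condition:
        $bof at 512
}

// Jump List *.customDestinations-ms header bytes, as carried in the original.
rule custom_destinations {
    strings:
        $hdr = { 02 00 00 00 01 00 00 00 00 00 00 00 02 00 }
    condition:
        $hdr at 0
}

// Jump List *.automaticDestinations-ms: a CFB container, so this also
// overlaps the generic olecf rule.
rule automatic_destinations {
    strings:
        $cfb = { d0 cf 11 e0 a1 b1 1a e1 00 00 }
    condition:
        $cfb at 0
}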
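// macOS / Unix artefacts.

// Binary property list header.
rule plist {
    strings:
        $bplist = "bplist"
    condition:
        $bplist at 0
}

// Safari Cookies.binarycookies header.
rule safari_cookies {
    strings:
        $cook = "cook\x00"
    condition:
        $cook at 0
}

// Apple System Log database header.
rule asl_log {
    strings:
        $asl = "ASL DB\x00\x00\x00\x00\x00\x00"
    condition:
        $asl at 0
}

// macOS utmpx login records.
rule utmpx {
    strings:
        $sig = "utmpx-1.00\x00"
    condition:
        $sig at 0
}

// systemd journal file header signature.
rule systemd_journal {
    strings:
        $sig = "LPKSHHRH"
    condition:
        $sig at 0
}

// macOS keychain database.
rule mac_keychain {
    strings:
        $kych = "kych"
    condition:
        $kych at 0
}

// FSEvents DLS log page header. The original string was the literal text
// "cls._DLS_V?_SIGNATURE" (a Python expression pasted in place of its value),
// which no log file contains, so the rule could never match; the version 1
// and version 2 magics are used instead. On-disk fseventsd logs are
// gzip-compressed, so this fires on decompressed content only — confirm
// against a sample before relying on it.
rule fseventsd {
    strings:
        $dls_v1 = "1SLD"
        $dls_v2 = "2SLD"
    condition:
        $dls_v1 at 0 or $dls_v2 at 0
}

// Spotlight store.db header.
rule spotlight_storedb {
    strings:
        $sig = "8tsd"
    condition:
        $sig at 0
}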
// Rich text, OLE compound files, bitmaps and Java.

// "{\rtf1" — RTF 1.x header.
rule rtf {
    strings:
        $hdr = { 7B 5C 72 74 66 31 }
    condition:
        $hdr at 0
}

// OLE2 / Compound File Binary header (legacy Office, MSI, MSG, Jump Lists...).
rule olecf {
    strings:
        $cfb = { D0 CF 11 E0 A1 B1 1A E1 }
    condition:
        $cfb at 0
}

// Beta-era compound file signature.
rule olecf_beta {
    strings:
        $cfb = { 0E 11 FC 0D D0 CF 11 0E }
    condition:
        $cfb at 0
}

// Windows bitmap "BM".
rule bmp {
    strings:
        $bm = "BM"
    condition:
        $bm at 0
}

// Java class file (the same magic is used by Mach-O fat/universal binaries).
rule java_class {
    strings:
        $cafebabe = { CA FE BA BE }
    condition:
        $cafebabe at 0
}

// JAR: a deflated zip local header as typically written by the jar tool, or
// a Pack200 archive.
rule java_jar {
    strings:
        $zip_local = { 50 4B 03 04 14 00 08 00 08 00 }
        $pack200   = { 5F 27 A8 89 }
    condition:
        $pack200 at 0 or $zip_local at 0
}
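// Raster images, icons and MIDI.

// JPEG SOI marker followed by the start of the next marker.
rule jpeg {
    strings:
        $soi = { FF D8 FF }
    condition:
        $soi at 0
}

// JPEG 2000 signature box.
rule jpeg_2000 {
    strings:
        $jp2 = { 00 00 00 0C 6A 50 20 20 0D 0A }
    condition:
        $jp2 at 0
}

// GIF87a / GIF89a.
rule gif {
    strings:
        $gif8 = { 47 49 46 38 }
    condition:
        $gif8 at 0
}

// TIFF. The original covered little-endian "II*\0" (plus the rare "I I"
// form) only; big-endian "MM\0*" files are equally valid TIFF and were
// missed, so that magic is added.
rule tiff {
    strings:
        $rare = { 49 20 49 }
        $le   = { 49 49 2A 00 }
        $be   = { 4D 4D 00 2A }
    condition:
        $rare at 0 or $le at 0 or $be at 0
}

// PNG 8-byte signature.
rule png {
    strings:
        $png = { 89 50 4E 47 0D 0A 1A 0A }
    condition:
        $png at 0
}

// WebP: RIFF container whose form type is "WEBP"; the wildcards skip the
// RIFF size field.
rule webp {
    strings:
        $riff_webp = { 52 49 46 46 ?? ?? ?? ?? 57 45 42 50 }
    condition:
        $riff_webp at 0
}

// Photoshop document "8BPS".
rule psd {
    strings:
        $sig = { 38 42 50 53 }
    condition:
        $sig at 0
}

// Windows Metafile: placeable (Aldus) header, or a standard metafile header.
rule wmf {
    strings:
        $placeable = { D7 CD C6 9A }
        $standard  = { 01 00 09 00 00 03 }
    condition:
        $placeable at 0 or $standard at 0
}

// Standard MIDI file "MThd".
rule midi {
    strings:
        $mthd = { 4D 54 68 64 }
    condition:
        $mthd at 0
}

// ICO directory header (reserved 0, type 1). Four mostly-zero bytes: weak,
// expect false positives on other binary data.
rule ico {
    strings:
        $hdr = { 00 00 01 00 }
    condition:
        $hdr at 0
}

// CUR directory header (reserved 0, type 2); as weak as ico.
rule cursor {
    strings:
        $hdr = { 00 00 02 00 }
    condition:
        $hdr at 0
}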
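// Audio/video containers.

// MPEG audio frame sync bytes (three layer-3 variants) or an ID3v2 tag.
rule mp3 {
    strings:
        $sync_a = { FF FB }
        $sync_b = { FF F3 }
        $sync_c = { FF F2 }
        $id3    = { 49 44 33 }
    condition:
        $sync_a at 0 or $sync_b at 0 or $sync_c at 0 or $id3 at 0
}

// Shockwave Flash. The original accepted only the uncompressed "FWS" header;
// zlib-compressed "CWS" and LZMA-compressed "ZWS" files, the common forms,
// are now covered too.
rule swf {
    strings:
        $fws = "FWS"
        $cws = "CWS"
        $zws = "ZWS"
    condition:
        $fws at 0 or $cws at 0 or $zws at 0
}

// Flash video "FLV" version 1.
rule flv {
    strings:
        $flv = { 46 4C 56 01 }
    condition:
        $flv at 0
}

// Flash local shared object (.sol) header prefix; two bytes only, weak.
rule adobe_sol {
    strings:
        $sol = { 00 BF }
    condition:
        $sol at 0
}

// MP4: 'ftypmp42' or 'ftypisom' box including its 4-byte size prefix. The
// original tested the isom string "at 4", but that string begins with the box
// size (00 00 00 20), which lives at offset 0, so the branch could not match
// a well-formed file; both strings are now anchored at 0. mp4_qt below holds
// the size-agnostic 'ftypmp42' check anchored at 4.
rule mp4 {
    strings:
        $mp42 = { 00 00 00 18 66 74 79 70 6D 70 34 32 }
        $isom = { 00 00 00 20 66 74 79 70 69 73 6F 6D }
    condition:
        $mp42 at 0 or $isom at 0
}

// M4A with the specific 'ftypMSNV' brand/compat list carried in the original.
rule m4a {
    strings:
        $msnv = { 00 00 00 1C 66 74 79 70 4D 53 4E 56 01 29 00 46 4D 53 4E 56 6D 70 34 32 }
    condition:
        $msnv at 0
}

// QuickTime movie whose first box is 'moov' (no size prefix checked).
rule mov {
    strings:
        $moov = { 6D 6F 6F 76 }
    condition:
        $moov at 0
}

// QuickTime 'ftypqt  ' brand at offset 4 (after the box size).
rule qt_mov {
    strings:
        $ftypqt = { 66 74 79 70 71 74 20 20 }
    condition:
        $ftypqt at 4
}

// 'ftypmp42' brand at offset 4 regardless of box size.
rule mp4_qt {
    strings:
        $ftypmp42 = { 66 74 79 70 6D 70 34 32 }
    condition:
        $ftypmp42 at 4
}

// ASF/WMV header object GUID prefix.
rule wmv {
    strings:
        $asf = { 30 26 B2 75 8E 66 CF }
    condition:
        $asf at 0
}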
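// Compression and tar archives.

// gzip member header with deflate compression method.
rule gzip {
    strings:
        $gz = { 1F 8B 08 }
    condition:
        $gz at 0
}

// bzip2 stream header "BZh".
rule bzip2 {
    strings:
        $bzh = { 42 5A 68 }
    condition:
        $bzh at 0
}

// bzip2 block magic (0x314159265359) that follows the 4-byte stream header.
rule bzip2_alt {
    strings:
        $block = "\x31\x41\x59\x26\x53\x59"
    condition:
        $block at 4
}

// "ustar" at offset 0: not where the tar magic lives (see tar_alt1), kept
// as in the original.
rule tar {
    strings:
        $ustar = { 75 73 74 61 72 }
    condition:
        $ustar at 0
}

// POSIX/GNU tar magic at its real offset (257) inside the first header.
rule tar_alt1 {
    strings:
        $ustar = { 75 73 74 61 72 }
    condition:
        $ustar at 257
}

// POSIX ustar magic with its NUL terminator.
rule tar_alt2 {
    strings:
        $ustar = "ustar\x00"
    condition:
        $ustar at 257
}

// GNU tar magic+version "ustar  \0" at offset 257. The original string was
// "257 ustar\x20\x20\x00" — the offset had been pasted into the literal —
// so the rule could not match; the stray prefix is removed.
rule tar_alt3 {
    strings:
        $gnu = "ustar\x20\x20\x00"
    condition:
        $gnu at 257
}

// compress(1) .Z (1F 9D) and LZH (1F A0) stream headers; the rule name is
// historical, these are not tar-specific.
rule tar_zv {
    strings:
        $z   = { 1F 9D }
        $lzh = { 1F A0 }
    condition:
        $z at 0 or $lzh at 0
}

// LHA/LZH archive method id "-lh" at offset 2.
rule tar_zh {
    strings:
        $lh = { 2D 6C 68 }
    condition:
        $lh at 2
}

// 7-Zip archive signature.
rule seven_z {
    strings:
        $sig = { 37 7A BC AF 27 1C }
    condition:
        $sig at 0
}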
// Keys, object files, cabinets, debug data and PDF.

// Signature as carried in the original rule; not verified against a sample.
rule keepass_kbd {
    strings:
        $sig = { 37 48 03 02 00 00 00 00 58 35 30 39 4B 45 59 }
    condition:
        $sig at 0
}

// OpenPGP old-format packet: tag byte 0x85 (public-key encrypted session
// key, two-byte length) followed by the length and packet version 3.
rule pgp {
    strings:
        $pkesk = { 85 ?? ?? 03 }
    condition:
        $pkesk at 0
}

// COFF object whose machine field is 0x014C (i386); two bytes only, weak.
rule coff {
    strings:
        $i386 = { 4C 01 }
    condition:
        $i386 at 0
}

// Microsoft cabinet "MSCF" or InstallShield cabinet "ISc(".
rule cab {
    strings:
        $mscf = { 4D 53 43 46 }
        $isc  = { 49 53 63 28 }
    condition:
        $isc at 0 or $mscf at 0
}

// Program database header text "Microsoft C/C++ ".
rule ms_pdb {
    strings:
        $hdr = { 4D 69 63 72 6F 73 6F 66 74 20 43 2F 43 2B 2B 20 }
    condition:
        $hdr at 0
}

// WinHelp file header.
rule hlp {
    strings:
        $hdr = { 3F 5F 03 00 }
    condition:
        $hdr at 0
}

// VMware sparse disk "KDMV".
rule vmdk {
    strings:
        $kdmv = { 4B 44 4D 56 }
    condition:
        $kdmv at 0
}

// VMware NVRAM "MRVN".
rule nvram {
    strings:
        $mrvn = { 4D 52 56 4E }
    condition:
        $mrvn at 0
}

// Outlook PST/OST "!BDN".
rule pst {
    strings:
        $bdn = { 21 42 44 4E }
    condition:
        $bdn at 0
}

// PDF header anywhere in the first KiB, which tolerates the leading junk
// readers accept.
rule pdf {
    strings:
        $hdr = { 25 50 44 46 }
    condition:
        $hdr in (0..1024)
}

// Strict variant: "%PDF" exactly at offset 0.
rule pdf_alt {
    strings:
        $hdr = "%PDF"
    condition:
        $hdr at 0
}
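// Office documents. docx/xlsx/pptx below inspect the CFB "Root Entry"
// directory name (UTF-16LE, NUL-padded) plus stream names, i.e. they identify
// the legacy binary formats (.doc/.xls/.ppt), not the zip-based OOXML
// containers their names suggest; ooxml and oxml cover the zip form.

rule docx {
    strings:
        $rootentry = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
        $worddoc = "WordDocument" wide
        $msworddoc = "MSWordDoc" nocase
    condition:
        $rootentry and ($worddoc or $msworddoc)
}

rule xlsx {
    strings:
        $rootentry = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
        $workbook = "Workbook" wide nocase
        $msexcel = "Microsoft Excel" nocase
    condition:
        all of them
}

rule pptx {
    strings:
        $pptdoc = "PowerPoint Document" wide nocase
        $rootentry = { 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 }
    condition:
        all of them
}

// OOXML zip: local file header with version-needed 20 and general-purpose
// flags 0x0006, the combination Office writes.
rule ooxml {
    strings:
        $local = { 50 4B 03 04 14 00 06 00 }
    condition:
        $local at 0
}

// "[Content_Types].xml" as the name of the first zip entry. In a zip local
// file header the file name starts at offset 30; the original literal carried
// that offset inside the string ("30 [Content_Types].xml"), so it could not
// match. The string is now the bare entry name anchored at 30.
rule oxml {
    strings:
        $content_types = "[Content_Types].xml"
    condition:
        $content_types at 30
}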
// Access/Money databases, PostScript, Visual Studio, GIMP, fonts.

// Jet database. $at0 expects "Standard Jet" at offset 0, where a real file
// has a 4-byte prefix; $prefixed is the form that matches on-disk files.
rule mdb {
    strings:
        $at0      = { 53 74 61 6E 64 61 72 64 20 4A 65 74 }
        $prefixed = { 00 01 00 00 53 74 61 6E 64 61 72 64 20 4A 65 74 20 44 42 }
    condition:
        $prefixed at 0 or $at0 at 0
}

// SQL Server data file: four header bytes only, weak.
rule mdf {
    strings:
        $hdr = { 01 0F 00 00 }
    condition:
        $hdr at 0
}

// Access 2007+ (ACE) database header.
rule accdb {
    strings:
        $ace = { 00 01 00 00 53 74 61 6E 64 61 72 64 20 41 43 45 20 44 42 }
    condition:
        $ace at 0
}

// Microsoft Money (MSISAM) database header.
rule mny {
    strings:
        $msisam = { 00 01 00 00 4D 53 49 53 41 4D 20 44 61 74 61 62 61 73 65 }
    condition:
        $msisam at 0
}

// PostScript "%!" — also the shebang-like prefix of many other text files.
rule ps {
    strings:
        $ps = "%!"
    condition:
        $ps at 0
}

// "%!PS-Adobe-3.0 EPSF-3 0" — encapsulated PostScript header.
rule eps {
    strings:
        $epsf = { 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30 }
    condition:
        $epsf at 0
}

// "Microsoft Visual Studio Solution File" at offset 0 (no BOM/newline
// allowance).
rule sln {
    strings:
        $sln = { 4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65 }
    condition:
        $sln at 0
}

// GIMP image "gimp xcf v".
rule xcf {
    strings:
        $xcf = "gimp xcf v"
    condition:
        $xcf at 0
}

// TrueType sfnt version 1.0 plus the first byte of the table count.
rule ttf {
    strings:
        $sfnt = { 00 01 00 00 00 }
    condition:
        $sfnt at 0
}
// Miscellaneous binary formats, Matroska/RIFF media, Ogg, FLAC, vCard, CHM.

// Signature as carried in the original rule; not verified against a sample.
rule enc {
    strings:
        $sig = { 00 5C 41 B1 FF }
    condition:
        $sig at 0
}

// Literal "AES" at offset 0; three ASCII bytes, weak.
rule aes {
    strings:
        $aes = "AES"
    condition:
        $aes at 0
}

// Two-byte signature as carried in the original; weak.
rule pak {
    strings:
        $sig = { 1A 0B }
    condition:
        $sig at 0
}

// EBML header: any Matroska/WebM file.
rule webm {
    strings:
        $ebml = { 1A 45 DF A3 }
    condition:
        $ebml at 0
}

// EBML header followed by a DocType element of "matroska".
rule mks {
    strings:
        $ebml_matroska = { 1A 45 DF A3 93 42 82 88 6D 61 74 72 6F 73 6B 61 }
    condition:
        $ebml_matroska at 0
}

// RIFF "AVI LIST" (size field wildcarded).
rule avi {
    strings:
        $riff = { 52 49 46 46 ?? ?? ?? ?? 41 56 49 20 4C 49 53 54 }
    condition:
        $riff at 0
}

// RIFF "CDDAfmt " (size field wildcarded).
rule cdda {
    strings:
        $riff = { 52 49 46 46 ?? ?? ?? ?? 43 44 44 41 66 6D 74 20 }
    condition:
        $riff at 0
}

// RIFF "RMIDdata" (size field wildcarded).
rule rmi {
    strings:
        $riff = { 52 49 46 46 ?? ?? ?? ?? 52 4D 49 44 64 61 74 61 }
    condition:
        $riff at 0
}

// RIFF "WAVEfmt " (size field wildcarded).
rule wav {
    strings:
        $riff = { 52 49 46 46 ?? ?? ?? ?? 57 41 56 45 66 6D 74 20 }
    condition:
        $riff at 0
}

// Ogg page header: "OggS", version 0, beginning-of-stream flag, zero granule.
rule ogg {
    strings:
        $page = { 4F 67 67 53 00 02 00 00 00 00 00 00 00 00 }
    condition:
        $page at 0
}

// "fLaC" followed by a 34-byte STREAMINFO block header.
rule flac {
    strings:
        $flac = { 66 4C 61 43 00 00 00 22 }
    condition:
        $flac at 0
}

// "BEGIN:VCARD\r\n".
rule vcf {
    strings:
        $vcard = { 42 45 47 49 4E 3A 56 43 41 52 44 0D 0A }
    condition:
        $vcard at 0
}

// Compiled HTML Help "ITSF".
rule chm {
    strings:
        $itsf = "ITSF"
    condition:
        $itsf at 0
}
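// Shell links, memory dumps, archives and assorted Windows artefacts.

// Shell link header: size 0x4C followed by the start of the link CLSID.
rule lnk {
    strings:
        $hdr = { 4C 00 00 00 01 14 02 00 }
    condition:
        $hdr at 0
}

// Shell link header including the complete CLSID
// {00021401-0000-0000-C000-000000000046}; stricter than lnk.
rule lnk_alt {
    strings:
        $hdr = "\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    condition:
        $hdr at 0
}

// "PAGEDU64": 64-bit full/kernel memory dump header (not a minidump, whose
// signature is "MDMP" — the rule name is historical).
rule mdmp {
    strings:
        $pagedu64 = { 50 41 47 45 44 55 36 34 }
    condition:
        $pagedu64 at 0
}

// "PAGEDUMP": 32-bit full/kernel memory dump header. The original string was
// "AGEDUMP" (41 47 45 44 55 4D 50) anchored at 0, which had lost the leading
// 'P' and so could not match a real dump; the leading byte is restored.
rule dmp {
    strings:
        $pagedump = { 50 41 47 45 44 55 4D 50 }
    condition:
        $pagedump at 0
}

// PKSFX self-extractor marker at offset 526, as carried in the original.
rule pksfx {
    strings:
        $pksfx = { 50 4B 53 70 58 }
    condition:
        $pksfx at 526
}

// RAR 1.5-4.x ("Rar!\x1a\x07\x00", given twice) and RAR 5 ("...\x07\x01\x00").
rule rar {
    strings:
        $v4_hex = { 52 61 72 21 1A 07 00 }
        $v4_txt = "Rar!\x1a\x07\x00"
        $v5     = { 52 61 72 21 1A 07 01 00 }
    condition:
        $v4_hex at 0 or $v4_txt at 0 or $v5 at 0
}

// ARJ archive header id.
rule arj {
    strings:
        $arj = { 60 EA }
    condition:
        $arj at 0
}

// XZ stream header.
rule xz {
    strings:
        $xz = { FD 37 7A 58 5A 00 }
    condition:
        $xz at 0
}

// Dalvik executable. The original matched only version "009" (an early
// pre-release format), so current files ("035" and later, all "03x") were
// missed; a second string covers those while the original stays in place.
rule dex {
    strings:
        $v009 = { 64 65 78 0A 30 30 39 00 }
        $v03x = { 64 65 78 0A 30 33 ?? 00 }
    condition:
        $v009 at 0 or $v03x at 0
}

// "[ZoneTransfer]": the Zone.Identifier alternate data stream (mark of the
// web) — useful for tracing where a downloaded file came from.
rule ms_zone_id {
    strings:
        $zone = { 5B 5A 6F 6E 65 54 72 61 6E 73 66 65 72 5D }
    condition:
        $zone at 0
}

// RFC 822 message starting with "Return-Path: " or any "X-" header. The
// second string is two ASCII bytes and matches any text starting "X-".
rule eml {
    strings:
        $return_path = { 52 65 74 75 72 6E 2D 50 61 74 68 3A 20 }
        $x_header    = { 58 2D }
    condition:
        $return_path at 0 or $x_header at 0
}

// Visual C++ precompiled header "VCPCH0".
rule pch {
    strings:
        $vcpch = { 56 43 50 43 48 30 }
    condition:
        $vcpch at 0
}

// Compiled YARA rules file.
rule yara {
    strings:
        $yara = "YARA"
    condition:
        $yara at 0
}

// Zip local file header; also matches every zip-based format (OOXML, JAR,
// APK, EPUB, ...).
rule zip {
    strings:
        $pk = { 50 4B 03 04 }
    condition:
        $pk at 0
}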
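// Zip variants, executables, packet captures, Java keystores and packages.

// Same bytes as the zip rule; the name is aspirational — any zip matches.
rule epub {
    strings:
        $pk = "PK\x03\x04"
    condition:
        $pk at 0
}

// Literal "WinZip" at offset 0 (self-extractor text), as in the original.
rule zip_winzip {
    strings:
        $winzip = "WinZip"
    condition:
        $winzip at 0
}

// Bare "RIFF": matches every RIFF container (AVI, WAV, WebP, ...), not only
// animated cursors.
rule ani {
    strings:
        $riff = { 52 49 46 46 }
    condition:
        $riff at 0
}

// ELF identification bytes.
rule elf {
    strings:
        $elf = { 7F 45 4C 46 }
    condition:
        $elf at 0
}

// Magic 0xA1B2CD34 of the patched ("Kuznetsov") libpcap format.
rule tcpdump {
    strings:
        $magic = { A1 B2 CD 34 }
    condition:
        $magic at 0
}

// Classic libpcap magic in big- and little-endian byte order.
rule pcap {
    strings:
        $be = { A1 B2 C3 D4 }
        $le = { d4 c3 b2 a1 }
    condition:
        $be at 0 or $le at 0
}

// pcapng Section Header Block type.
rule pcapng {
    strings:
        $shb = { 0a 0d 0d 0a }
    condition:
        $shb at 0
}

// Java JCEKS keystore magic.
rule jce {
    strings:
        $jceks = { CE CE CE CE }
    condition:
        $jceks at 0
}

// Java JKS keystore magic.
rule jks {
    strings:
        $jks = { FE ED FE ED }
    condition:
        $jks at 0
}

// Mach-O 32-bit little-endian magic; fires on any such Mach-O, not only
// iOS apps.
rule ios_app {
    strings:
        $macho = { CE FA ED FE }
    condition:
        $macho at 0
}

// RPM lead magic ED AB EE DB. The original had only AB EE DB anchored at 0 —
// the first byte was missing — so no real package could match; the full
// 4-byte magic is restored.
rule rpm {
    strings:
        $lead = { ED AB EE DB }
    condition:
        $lead at 0
}

// "!<arch>": Unix ar archive, which is what .deb (and .a) files are.
rule deb {
    strings:
        $ar = { 21 3C 61 72 63 68 3E }
    condition:
        $ar at 0
}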
// Legacy drivers, AppleSingle, and text encodings by byte-order mark.

// Signature as carried in the original rule; not verified against a sample.
rule sys {
    strings:
        $sig = { FF 4B 45 59 42 20 20 20 }
    condition:
        $sig at 0
}

// AppleSingle header magic.
rule applefile {
    strings:
        $magic = { 00 05 16 00 }
    condition:
        $magic at 0
}

// UTF-8 byte-order mark.
rule txt_utf8 {
    strings:
        $bom = "\xef\xbb\xbf"
    condition:
        $bom at 0
}

// UTF-16 big-endian BOM.
rule txt_utf16_be {
    strings:
        $bom = "\xfe\xff"
    condition:
        $bom at 0
}

// UTF-16 little-endian BOM; also the first two bytes of the UTF-32 LE BOM.
rule txt_utf16_le {
    strings:
        $bom = "\xff\xfe"
    condition:
        $bom at 0
}

// UTF-32 big-endian BOM.
rule txt_utf32_be {
    strings:
        $bom = "\x00\x00\xfe\xff"
    condition:
        $bom at 0
}

// UTF-32 little-endian BOM.
rule txt_utf32_le {
    strings:
        $bom = "\xff\xfe\x00\x00"
    condition:
        $bom at 0
}

// "Text" heuristic: no NUL byte in the first 161 bytes. Note this also
// matches an empty file and any short binary blob without NULs.
rule txt {
    strings:
        $nul = "\x00"
    condition:
        not $nul in (0..160)
}
// rule xxxx {
// strings:
// $a = { }
// condition:
// $a at 0
// }