gistfile1.yara

/*
 * fmtid + 24 == number of property identifiers and offsets
 * fmtid + 28 == start of property identifier and offsets (4 bytes each)
 */
rule test {
  strings:
    //$fmtid = { 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae }
    $fmtid = { e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 }
    $redacted_author = "REDACTED AUTHOR"
  condition:
    $fmtid and
    for 3 i in (0..(uint32(@fmtid + 24) - 1) * 2):
      (
       i % 2 == 0 and // Skip every other dword (offsets)
       (
        (
         uint32(@fmtid[1] + 28 + (4 * i)) == 0x01 and // Codepage property
         uint32(@fmtid[1] + 20 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x02 and // VT_I2 type
         uint32(@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x01b5 // OEM United States
        )
        or
        (
         uint32(@fmtid[1] + 28 + (4 * i)) == 0x08 and // Last author property
         uint32(@fmtid[1] + 20 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x1e and // VT_LPSTR type
         $redacted_author at (@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4)) + 4)
        )
        or
        (
         uint32(@fmtid[1] + 28 + (4 * i)) == 0x0d and // Last saved property
         uint32(@fmtid[1] + 20 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0x40 and // VT_FILETIME type
         uint32(@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4))) == 0xffffffff and // dwLowDateTime
         uint32(@fmtid[1] + 24 + (uint32(@fmtid[1] + 28 + (4 * i) + 4)) + 4) == 0xffffffff // dwHighDateTime
        )
       )
      )
}