whichbuffer/Emotet_MalDoc.yara

## Emotet_MalDoc.yara
import "pe"
import "hash"

rule Emotet_MalDoc {
   meta:
      description = " - file Report.xls"
      author = "Arda Büyükkaya"
      date = "2022-11-15"
      hash1 = "6023b9ebfedf73d90a9dfbb2de6fca123b94c0e686ff71c67e89d9c8bb598d71"
      interesting_icon_hash = "main_icon_dhash:0033232700020000"
       interesting_icon_hash2 ="main_icon_dhash:0f0d000800000000"
   strings:
	$string1 = "18/-/8D==DVQVpp"
	$string2 = "07457358934307593258350725798323209:"
	$string3 = "JFIF"

	condition:
      uint16(0) == 0xcfd0 and filesize < 700KB and
	  2 of ($string1,$string2,$string3)
}
	import "pe"
	import "hash"

	rule Emotet_MalDoc {
	meta:
	description = " - file Report.xls"
	author = "Arda Büyükkaya"
	date = "2022-11-15"
	hash1 = "6023b9ebfedf73d90a9dfbb2de6fca123b94c0e686ff71c67e89d9c8bb598d71"
	interesting_icon_hash = "main_icon_dhash:0033232700020000"
	interesting_icon_hash2 ="main_icon_dhash:0f0d000800000000"
	strings:
	$string1 = "18/-/8D==DVQVpp"
	$string2 = "07457358934307593258350725798323209:"
	$string3 = "JFIF"

	condition:
	uint16(0) == 0xcfd0 and filesize < 700KB and
	2 of ($string1,$string2,$string3)
	}