forked from DarkenCode/yara-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmalicious_document.yar
237 lines (212 loc) · 6.86 KB
/
malicious_document.yar
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.
*/
rule maldoc_API_hashing
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {AC 84 C0 74 07 C1 CF 0D 01 C7 EB F4 81 FF}
$a2 = {AC 84 C0 74 07 C1 CF 07 01 C7 EB F4 81 FF}
condition:
any of them
}
rule maldoc_function_prolog_signature
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {55 8B EC 81 EC}
$a2 = {55 8B EC 83 C4}
$a3 = {55 8B EC E8}
$a4 = {55 8B EC E9}
$a5 = {55 8B EC EB}
condition:
any of them
}
rule maldoc_structured_exception_handling
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 00 00 00 00}
$a2 = {64 A1 00 00 00 00}
condition:
any of them
}
rule maldoc_indirect_function_call_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF 75 ?? FF 55 ??}
condition:
for any i in (1..#a): (uint8(@a[i] + 2) == uint8(@a[i] + 5))
}
rule maldoc_indirect_function_call_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B5 ?? ?? ?? ?? FF 95 ?? ?? ?? ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 2) == uint8(@a[i] + 8)) and (uint8(@a[i] + 3) == uint8(@a[i] + 9)) and (uint8(@a[i] + 4) == uint8(@a[i] + 10)) and (uint8(@a[i] + 5) == uint8(@a[i] + 11)))
}
rule maldoc_indirect_function_call_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {FF B7 ?? ?? ?? ?? FF 57 ??}
condition:
$a
}
rule maldoc_find_kernel32_base_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {64 8B (05|0D|15|1D|25|2D|35|3D) 30 00 00 00}
$a2 = {64 A1 30 00 00 00}
condition:
any of them
}
rule maldoc_find_kernel32_base_method_2
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {31 ?? ?? 30 64 8B ??}
condition:
for any i in (1..#a): ((uint8(@a[i] + 1) >= 0xC0) and (((uint8(@a[i] + 1) & 0x38) >> 3) == (uint8(@a[i] + 1) & 0x07)) and ((uint8(@a[i] + 2) & 0xF8) == 0xA0) and (uint8(@a[i] + 6) <= 0x3F) and (((uint8(@a[i] + 6) & 0x38) >> 3) != (uint8(@a[i] + 6) & 0x07)))
}
rule maldoc_find_kernel32_base_method_3
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {68 30 00 00 00 (58|59|5A|5B|5C|5D|5E|5F) 64 8B ??}
condition:
for any i in (1..#a): (((uint8(@a[i] + 5) & 0x07) == (uint8(@a[i] + 8) & 0x07)) and (uint8(@a[i] + 8) <= 0x3F) and (((uint8(@a[i] + 8) & 0x38) >> 3) != (uint8(@a[i] + 8) & 0x07)))
}
rule maldoc_getEIP_method_1
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {E8 00 00 00 00 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
$a
}
rule maldoc_getEIP_method_4
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a1 = {D9 EE D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
$a2 = {D9 EE 9B D9 74 24 F4 (58|59|5A|5B|5C|5D|5E|5F)}
condition:
any of them
}
rule maldoc_OLE_file_magic_number
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a = {D0 CF 11 E0}
condition:
$a
}
rule maldoc_suspicious_strings
{
meta:
author = "Didier Stevens (https://DidierStevens.com)"
strings:
$a01 = "CloseHandle"
$a02 = "CreateFile"
$a03 = "GetProcAddr"
$a04 = "GetSystemDirectory"
$a05 = "GetTempPath"
$a06 = "GetWindowsDirectory"
$a07 = "IsBadReadPtr"
$a08 = "IsBadWritePtr"
$a09 = "LoadLibrary"
$a10 = "ReadFile"
$a11 = "SetFilePointer"
$a12 = "ShellExecute"
$a13 = "UrlDownloadToFile"
$a14 = "VirtualAlloc"
$a15 = "WinExec"
$a16 = "WriteFile"
condition:
any of them
}
rule mwi_document : exploitdoc
{
meta:
description = "MWI generated document"
author = "@Ydklijnsma"
source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
strings:
$field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
$mwistat_url = ".php?id="
$field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
condition:
all of them
}
rule macrocheck
{
meta:
Author = "Fireeye Labs"
Date = "2014/11/30"
Description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)."
Reference = "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html"
strings:
$PARAMpword = "pword=" ascii wide
$PARAMmsg = "msg=" ascii wide
$PARAMuname = "uname=" ascii
$userform = "UserForm" ascii wide
$userloginform = "UserLoginForm" ascii wide
$invalid = "Invalid username or password" ascii wide
$up1 = "uploadPOST" ascii wide
$up2 = "postUpload" ascii wide
condition:
all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2))
}
rule office_document_vba
{
meta:
description = "Office document with embedded VBA"
author = "Jean-Philippe Teissier / @Jipe_"
date = "2013-12-17"
reference = "https://github.com/jipegit/"
strings:
$officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
$zipmagic = "PK"
$97str1 = "_VBA_PROJECT_CUR" wide
$97str2 = "VBAProject"
$97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }
$xmlstr1 = "vbaProject.bin"
$xmlstr2 = "vbaData.xml"
condition:
($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}
rule Office_AutoOpen_Macro {
meta:
description = "Detects an Microsoft Office file that contains the AutoOpen Macro function"
author = "Florian Roth"
date = "2015-05-28"
score = 60
hash1 = "4d00695d5011427efc33c9722c61ced2"
hash2 = "63f6b20cb39630b13c14823874bd3743"
hash3 = "66e67c2d84af85a569a04042141164e6"
hash4 = "a3035716fe9173703941876c2bde9d98"
hash5 = "7c06cab49b9332962625b16f15708345"
hash6 = "bfc30332b7b91572bfe712b656ea8a0c"
hash7 = "25285b8fe2c41bd54079c92c1b761381"
strings:
$s1 = "AutoOpen" ascii fullword
$s2 = "Macros" wide fullword
condition:
uint32be(0) == 0xd0cf11e0 and all of ($s*) and filesize < 300000
}