rule RTF_Anti_Analysis_Header {
    meta:
        description = "Detects a malformed RTF document header - Anti-Analysis tricks"
        author = "Florian Roth"
        reference = "http://decalage.info/rtf_tricks"
        date = "2016-04-12"
        score = 70
    condition:
        // Bytes 0-3 are "{\rt" (7B 5C 72 74, read as a little-endian dword).
        // Note the check is anchored at offset 0: any prefix before the brace
        // (BOM, whitespace, a polyglot wrapper) makes the rule miss the file.
        uint32(0) == 0x74725C7B
        // ... and byte 4 is not the 'f' of a well-formed "{\rtf" header. Some
        // RTF readers still open such truncated headers while tools keying on
        // the full "{\rtf" signature do not (see reference). A file shorter
        // than 5 bytes leaves uint8(4) undefined and therefore never matches.
        and uint8(4) != 0x66
}
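rule RTF_Anti_Analysis_Content {
    meta:
        // Description corrected: the header rule already covers the malformed
        // "{\rt" signature; this rule keys on control words buried in hex data.
        description = "Detects RTF control words ({\\object} or \\bin) embedded inside a long run of hex-encoded data - Anti-Analysis tricks"
        author = "Florian Roth"
        reference = "http://decalage.info/rtf_tricks"
        date = "2016-04-12"
        score = 50
    strings:
        // A "{\object}" group or a "\bin" control word sitting between two
        // 64-character runs of hex digits / whitespace, i.e. inside what looks
        // like the hex payload of an object rather than in normal RTF markup.
        // \x0d\x0a are already covered by \s; they are kept for clarity.
        // nocase makes the a-f range also accept upper-case hex digits.
        $r1 = /[\x0d\x0aa-f0-9\s]{64}(\{\\object\}|\\bin)[\x0d\x0aa-f0-9\s]{64}/ nocase
    condition:
        // File starts with "{\rt" (7B 5C 72 74 as a little-endian dword);
        // anchored at offset 0, so a leading BOM or whitespace is not matched.
        uint32(0) == 0x74725C7B
        and $r1
}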