From b496ed91a64ab9fb7284bfa5c7e815165276382b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 12 Apr 2017 19:11:36 +0200
Subject: [PATCH] Changed OLE2Link signature

---
 yara/exploit_rtf_ole2link.yar | 53 ++++++++++++++++++++++++++---------
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/yara/exploit_rtf_ole2link.yar b/yara/exploit_rtf_ole2link.yar
index 3fab9c0..26e271a 100644
--- a/yara/exploit_rtf_ole2link.yar
+++ b/yara/exploit_rtf_ole2link.yar
@@ -1,7 +1,6 @@
 rule malrtf_ole2link : exploit {
 meta:
 author = "@h3x2b "
- date = "2017/04/12"
 description = "Detect weaponized RTF documents with OLE2Link exploit"
 strings:
 //having objdata structure
@@ -22,16 +21,44 @@ rule malrtf_ole2link : exploit {
 and any of ($rtf_payload_*)
 }
 
-rule rtf_objdata_urlmoniker_http {
- meta:
- author = "@nvisio_labs"
- description = "Detects malicious RTF / OLE2link plus URL Moniker"
- date = "2017/04/12"
- reference = "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/"
- strings:
- $objdata = "objdata 0105000002000000" nocase
- $urlmoniker = "E0C9EA79F9BACE118C8200AA004BA90B" nocase
- $http = "68007400740070003a002f002f00" nocase
- condition:
- uint32be(0) == 0x7B5C7274 and $objdata and $urlmoniker and $http
+rule exploit_ole_stdolelink {
+ meta:
+ author = "David Cannings"
+ description = "StdOleLink, potential 0day in April 2017"
+
+ strings:
+ // Parsers will open files without the full 'rtf'
+ $header_rtf = "{\\rt" nocase
+ $header_office = { D0 CF 11 E0 }
+ $header_xml = "