Malware Dropper - DOCM in PDF

2024-11-06 18:15:20 +00:00 · 2017-05-15 19:36:58 +02:00 · 2017-05-15 19:36:58 +02:00 · e65845f278
commit e65845f278
parent 6b66ad72b8
1 changed files with 14 additions and 0 deletions
--- a/yara/general_officemacros.yar
+++ b/yara/general_officemacros.yar
@ -44,3 +44,17 @@ rule Office_as_MHTML {
 		uint32be(0) == 0x4d494d45 // "MIME" header
 		and all of ($s*) and 1 of ($x*)
 }
+
+rule Docm_in_PDF {
+   meta:
+      description = "Detects an embedded DOCM in PDF combined with OpenAction"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2017-05-15"
+   strings:
+      $a1 = /<<\/Names\[\([\w]{1,12}.docm\)/ ascii
+      $a2 = "OpenAction" ascii fullword
+      $a3 = "JavaScript" ascii fullword
+   condition:
+      uint32(0) == 0x46445025 and all of them
+}