mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-07 02:25:19 +00:00
26 lines
747 B
Plaintext
26 lines
747 B
Plaintext
rule RTF_Anti_Analysis_Header {
|
|
meta:
|
|
description = "Detects a malformed RTF document header - Anti-Analysis tricks"
|
|
author = "Florian Roth"
|
|
reference = "http://decalage.info/rtf_tricks"
|
|
date = "2016-04-12"
|
|
score = 70
|
|
condition:
|
|
uint32(0) == 0x74725C7B /* {\rt */
|
|
and not uint8(4) == 0x66 /* not followed by 'f' */
|
|
}
|
|
|
|
rule RTF_Anti_Analysis_Content {
|
|
meta:
|
|
description = "Detects a malformed RTF document header - Anti-Analysis tricks"
|
|
author = "Florian Roth"
|
|
reference = "http://decalage.info/rtf_tricks"
|
|
date = "2016-04-12"
|
|
score = 50
|
|
strings:
|
|
$r1 = /[\x0d\x0aa-f0-9\s]{64}(\{\\object\}|\\bin)[\x0d\x0aa-f0-9\s]{64}/ nocase
|
|
condition:
|
|
uint32(0) == 0x74725C7B /* {\rt */
|
|
and $r1
|
|
}
|