Advertisement
bartblaze

Generic_Phishing_PDF.yar

Mar 4th, 2019
1,408
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 0.44 KB | None | 0 0
  1. rule Generic_Phishing_PDF
  2. {
  3. meta:
  4. description = "Identifies generic phishing PDFs."
  5. author = "@bartblaze"
  6. date = "2019-03"
  7. tlp = "White"
  8. reference = "https://bartblaze.blogspot.com/2019/03/analysing-massive-office-365-phishing.html"
  9.  
  10. strings:
  11. $pdf = {25504446} //%PDF
  12. $s1 = "<xmp:CreatorTool>RAD PDF</xmp:CreatorTool>"
  13. $s2 = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"DynaPDF"
  14.  
  15. condition:
  16. $pdf at 0 and all of ($s*)
  17. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement