Generic_Phishing_PDF.yar

bartblaze Mar 4th, 2019 (edited) 327 Never
rule Generic_Phishing_PDF
{
meta:
    description = "Identifies generic phishing PDFs."
    author = "@bartblaze"
    date = "2019-03"
    tlp = "White"
    reference = "https://bartblaze.blogspot.com/2019/03/analysing-massive-office-365-phishing.html"

strings:
    // PDF magic bytes: %PDF
    $pdf = {25504446}
    // XMP metadata: CreatorTool set to RAD PDF
    $s1 = "<xmp:CreatorTool>RAD PDF</xmp:CreatorTool>"
    // XMP metadata: x:xmptk toolkit attribute starting with DynaPDF
    $s2 = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"DynaPDF"

condition:
    // File starts with the PDF magic and contains both XMP strings
    $pdf at 0 and all of ($s*)
}