rule Generic_Phishing_PDF
{
    meta:
        description = "Identifies generic phishing PDFs."
        author = "@bartblaze"
        date = "2019-03"
        tlp = "White"
        reference = "https://bartblaze.blogspot.com/2019/03/analysing-massive-office-365-phishing.html"
    strings:
        $pdf = { 25 50 44 46 } // %PDF
        $s1 = "<xmp:CreatorTool>RAD PDF</xmp:CreatorTool>"
        $s2 = "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"DynaPDF"
    condition:
        $pdf at 0 and all of ($s*)
}