Merge remote-tracking branch 'origin/develop'

BayshoreNetworks · Aug 29, 2016 · 2e76b8a · 2e76b8a
2 parents adbb3f2 + 76ba2ba
commit 2e76b8a
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/test_rulesets/lorem_pdf.yara b/test_rulesets/lorem_pdf.yara
@@ -8,3 +8,21 @@ rule LOREM_FILE_BODY
         $lipsum_pdf_body_lorem
 }
 
+rule invalid_trailer_structure : PDF raw
+{
+	meta:
+		author = "Glenn Edwards (@hiddenillusion)"
+		version = "0.1"
+		weight = 1
+
+        strings:
+                $magic = { 25 50 44 46 }
+				// Required for a valid PDF
+                $reg0 = /trailer\r?\n?.*\/Size.*\r?\n?\.*/
+                $reg1 = /\/Root.*\r?\n?.*startxref\r?\n?.*\r?\n?%%EOF/
+
+        condition:
+                $magic at 0 and not $reg0 and not $reg1
+}
+
+