-
Notifications
You must be signed in to change notification settings - Fork 55
/
PDF_Document_with_Embedded_IQY_File.rule
50 lines (46 loc) · 1.41 KB
/
PDF_Document_with_Embedded_IQY_File.rule
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
rule PDF_Document_with_Embedded_IQY_File
{
meta:
Author = "InQuest Labs"
Description = "This signature detects IQY files embedded within PDF documents which use a JavaScript OpenAction object to run the IQY."
Reference = "https://blog.inquest.net"
strings:
$pdf_magic = "%PDF"
$efile = /<<\/JavaScript [^\x3e]+\/EmbeddedFile/
$fspec = /<<\/Type\/Filespec\/F\(\w+\.iqy\)\/UF\(\w+\.iqy\)/
$openaction = /OpenAction<<\/S\/JavaScript\/JS\(/
/*
<</Type/Filespec/F(10082016.iqy)/UF(10082016.iqy)/EF<</F 1 0 R/UF 1 0 R>>/Desc(10082016.iqy)>>
...
<</Names[(10082016.iqy) 2 0 R]>>
...
<</JavaScript 9 0 R/EmbeddedFiles 10 0 R>>
...
OpenAction<</S/JavaScript/JS(
*/
/*
obj 1.9
Type: /EmbeddedFile
Referencing:
Contains stream
<<
/Length 51
/Type /EmbeddedFile
/Filter /FlateDecode
/Params
<<
/ModDate "(D:20180810145018+03'00')"
/Size 45
>>
>>
WEB
1
http://i86h.com/data1.dat
2
3
4
5
*/
condition:
$pdf_magic in (0..60) and all of them
}