diff --git a/setup.py b/setup.py
index a769e9f..50dcf65 100644
--- a/setup.py
+++ b/setup.py
@@ -5,14 +5,14 @@
setuptools.setup(
name="quicksand",
- version="2.0.12",
+ version="2.0.13",
author="Tyler McLellan",
author_email="nospam@tylabs.com",
description="QuickSand is a module to scan streams inside documents with Yara",
long_description=long_description,
long_description_content_type="text/markdown",
url="https://github.com/tylabs/quicksand",
- download_url="https://github.com/tylabs/quicksand/archive/refs/tags/2.0.12.tar.gz",
+ download_url="https://github.com/tylabs/quicksand/archive/refs/tags/2.0.13.tar.gz",
include_package_data=True,
keywords = ['document', 'malware', 'forensics', 'yara', 'parser'],
project_urls={
diff --git a/src/quicksand/quicksand_exe.yara b/src/quicksand/quicksand_exe.yara
index d39574e..4d31305 100644
--- a/src/quicksand/quicksand_exe.yara
+++ b/src/quicksand/quicksand_exe.yara
@@ -10,8 +10,7 @@ rule executable_win_pe {
date = "Dec 27 2015"
author = "@tylabs"
desc = "MZ Header"
- copyright = "QuickSand.io 2015"
- tlp = "green"
+ copyright = "tylabs.com 2015"
mitre = "T1027"
strings:
@@ -30,9 +29,7 @@ rule executable_win_pe_transposed {
author = "@tylabs"
desc = "MZ Transposed"
mitre = "T1027"
-
- copyright = "QuickSand.io 2015"
- tlp = "green"
+ copyright = "tylabs.com 2015"
strings:
$s1 = /ZM.{76}hTsip orrgma/
@@ -50,9 +47,7 @@ rule executable_win_pe_transposed_offbyone {
date = "Dec 27 2015"
author = "@tylabs"
desc = "MZ transposed and shifted"
-
- copyright = "QuickSand.io 2015"
- tlp = "green"
+ copyright = "tylabs.com 2015"
mitre = "T1027"
strings:
@@ -71,10 +66,9 @@ rule executable_win {
rank = 10
date = "July 29 2015"
author = "@tylabs"
- copyright = "QuickSand.io 2015"
+ copyright = "tylabs.com 2015"
desc = "EXE strings"
mitre = "T1027"
- tlp = "green"
strings:
$s1 = "This program cannot be run in DOS mode"
@@ -120,8 +114,7 @@ rule executable_win_transposed {
date = "July 29 2015"
desc = "Transposition cipher"
author = "@tylabs"
- copyright = "QuickSand.io 2015"
- tlp = "green"
+ copyright = "tylabs.com 2015"
mitre = "T1027"
strings:
@@ -139,9 +132,8 @@ rule executable_win_rtl {
date = "July 29 2015"
desc = "Right to Left compression LZNT1"
author = "@tylabs"
- copyright = "QuickSand.io 2015"
+ copyright = "tylabs.com 2015"
mitre = "T1027"
- tlp = "green"
strings:
$s1 = {2070726F6772616D002063616E6E6F74200062652072756E2069006E20444F53206D6F} // string.RTL.This program cannot be run in DOS mode
condition:
@@ -157,9 +149,8 @@ rule executable_win_reversed {
date = "July 29 2015"
desc = "EXE is stored backwards"
author = "@tylabs"
- copyright = "QuickSand.io 2015"
+ copyright = "tylabs.com 2015"
mitre = "T1027"
- tlp = "green"
strings:
$s1 = "edom SOD ni nur eb tonnac margorp sihT" // string.reverse This program cannot be run in DOS mode condition:
condition:
@@ -176,11 +167,10 @@ rule executable_vb {
type = "vb"
date = "July 29 2015"
author = "@tylabs"
- copyright = "QuickSand.io 2015"
+ copyright = "tylabs.com 2015"
desc = "VB script"
mitre = "T1059.005"
- tlp = "green"
strings:
$s1 = "impersonationLevel=impersonate"
$s2 = "On Error Resume Next"
@@ -199,12 +189,11 @@ rule executable_macosx {
rank = 10
date = "July 29 2015"
author = "@tylabs"
- copyright = "QuickSand.io 2015"
+ copyright = "tylabs.com 2015"
desc = "Mac executable"
mitre = "T1027"
- tlp = "green"
strings:
$s1 = "RunAtLoad"
$s2 = "__mh_execute_header"
diff --git a/src/quicksand/quicksand_exploits.yara b/src/quicksand/quicksand_exploits.yara
index bb79b43..d33132c 100644
--- a/src/quicksand/quicksand_exploits.yara
+++ b/src/quicksand/quicksand_exploits.yara
@@ -10,9 +10,7 @@ rule warning_exec_ocx_object {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "OLE application command"
mitre = "T1204.002"
@@ -34,9 +32,7 @@ rule warning_scriptbridge {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "ScriptBridge may load remote exploit"
mitre = "T1204.002"
@@ -59,9 +55,7 @@ rule exploit_cve_2006_2492 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "smarttag overflow CVE-2006-2492"
mitre = "T1203 T1204.002"
@@ -83,9 +77,7 @@ rule exploit_cve_2009_3129 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "excel buffer overflow CVE-2009-3129"
mitre = "T1203 T1204.002"
@@ -106,9 +98,7 @@ rule warning_embedded_flash {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Embedded Flash data"
mitre = "T1204.002"
@@ -137,9 +127,7 @@ rule exploit_cve_2011_0609 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exploit CVE-2011-0609"
mitre = "T1203 T1204.002"
@@ -162,9 +150,7 @@ rule exploit_cve_2011_0611 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exploit CVE-2011-061"
mitre = "T1203 T1204.002"
@@ -194,9 +180,7 @@ rule exploit_cve_2012_0754 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exploit malformed mp4 CVE-2012-0754"
mitre = "T1203 T1204.002"
@@ -216,10 +200,8 @@ rule exploit_cve_2010_3333 {
rank = 10
revision = "1"
date = "July 29 2015"
- release = "lite"
author = "@tylabs"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "RTF stack overflow pFragments CVE-2010-3333"
mitre = "T1203 T1204.002"
@@ -250,9 +232,7 @@ rule warning_rtf_embedded_file {
revision = "2"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_warning"
desc = "RTF embedded file package"
mitre = "T1027"
@@ -273,9 +253,7 @@ rule exploit_MS12_060_tomato_garden {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Office exploit MSCOMCTL.OCX Toolbar MS12-060 Tomato Garden campaign"
mitre = "T1203 T1204.002"
@@ -301,9 +279,7 @@ rule warning_office_encrypted_doc {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "office encrypted document"
mitre = "T1027"
@@ -323,9 +299,7 @@ rule warning_office_encrypted_doc {
revision = "1"
date = "Oct 10 2020"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "office obfuscated document 2003 XOR with VelvetSweatshop"
mitre = "T1027"
@@ -347,9 +321,7 @@ rule exploit_cve_2012_1535 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exploit CVE-2012-1535"
mitre = "T1203 T1204.002"
@@ -372,9 +344,7 @@ rule exploit_cve_2013_0634 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exploit CVE-2013-0634 memory corruption"
mitre = "T1203 T1204.002"
@@ -393,9 +363,7 @@ rule exploit_cve_2012_5054 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exploit CVE-2012-5054 Matrix3D"
mitre = "T1203 T1204.002"
@@ -419,9 +387,7 @@ rule exploit_cve_2012_1856 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Office exploit MSCOMCTL.OCX TabStrip CVE-2012-1856"
mitre = "T1203 T1204.002"
@@ -446,8 +412,6 @@ rule warning_mime_mso_embedded_flash {
date = "July 29 2015"
author = "@tylabs"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
- release = "lite"
sigtype = "cryptam_exploit"
desc = "office embedded Flash in MSO file"
mitre = "T1204.002"
@@ -468,9 +432,7 @@ rule exploit_cve_2012_0158 {
revision = "2"
date = "Sep 01 2020"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Office exploit MSCOMCTL.OCX RCE CVE-2012-0158"
mitre = "T1203 T1204.002"
@@ -515,9 +477,7 @@ rule warning_activex_exec {
revision = "3"
date = "Oct 11 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015, 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "ActiveX content"
mitre = "T1059"
@@ -556,8 +516,6 @@ rule warning_activex_exec {
date = "July 29 2015"
author = "@tylabs"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
- release = "lite"
sigtype = "cryptam_exploit"
desc = "office heap spray"
mitre = "T1059.005"
@@ -577,9 +535,7 @@ rule warning_activex_exec {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Office exploit TIFF CVE-2013-3906"
mitre = "T1203 T1204.002"
@@ -603,9 +559,7 @@ rule warning_activex_exec {
revision = "2"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Office package manager may load unsafe content such as shell scripts"
mitre = "T1027"
@@ -632,7 +586,6 @@ rule warning_ole2link_embedded {
date = "September 12 2017"
author = "David Cannings"
copyright = "source https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.md"
- tlp = "white"
sigtype = "cryptam_warning"
desc = "Office OLE2Link unsafe content such as remote risky content"
mitre = "T1027 T1204.002"
@@ -683,9 +636,7 @@ rule warning_ole2link_embedded {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "eicar test signature"
mitre = ""
@@ -708,9 +659,7 @@ rule warning_vb_macro {
revision = "2"
date = "Oct 5 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Visual Basic macro"
mitre = "T1059.005"
@@ -743,9 +692,7 @@ rule warning_js_embed {
revision = "1"
date = "Apr 12 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Embedded js"
mitre = "T1059.007"
@@ -767,9 +714,7 @@ rule warning_vbs_embed {
revision = "1"
date = "May 18 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Embedded vbs"
mitre = "T1059.005"
@@ -793,9 +738,7 @@ rule exploit_activex_execute_shell {
revision = "2"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Visual Basic execute shell"
mitre = "T1059.005 T1059.003"
@@ -826,9 +769,7 @@ rule warning_vb_autoopen {
revision = "3"
date = "Oct 9 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Visual Basic macro"
mitre = "T1059.005"
@@ -862,9 +803,7 @@ rule warning_vb_fileio {
revision = "2"
date = "July 29 2015"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Visual Basic file io"
mitre = "T1059.005"
@@ -908,9 +847,7 @@ rule exploit_cve_2014_1761 {
revision = "2"
date = "September 23 2016"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "RTF memory corruption listoverridecount CVE-2012-2539 CVE-2014-1761"
mitre = "T1203 T1204.002"
@@ -932,9 +869,7 @@ rule exploit_cve_2014_4114 {
revision = "1"
date = "July 29 2015"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Office package manager executes .inf files CVE-2014-4114, CVE-2014-6352"
mitre = "T1203 T1204.002"
@@ -959,9 +894,7 @@ rule exploit_cve_2015_0097 {
revision = "1"
date = "July 31 2015"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
ref = "https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-0097_exploi.html"
hashes = "8a1fd4182bea2cc5a33319769dbf501c"
@@ -985,9 +918,7 @@ rule exploit_cve_2015_1770 {
revision = "1"
date = "Aug 26 2015"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Office exploit MSCOMCTL.OCX TabStrip CVE-2012-1856"
mitre = "T1203 T1204.002"
@@ -1015,9 +946,7 @@ rule exploit_cve_2015_1641 {
revision = "1"
date = "Aug 30 2015"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "SmartTag element attribute parsing vulnerability CVE-2015-1641"
mitre = "T1203 T1204.002"
@@ -1041,9 +970,7 @@ rule exploit_cve_2015_2424 {
revision = "1"
date = "Sep 30 2015"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Task Symbol buffer overflow CVE-2015-2424 CVE-2015-1642"
mitre = "T1203 T1204.002"
@@ -1074,9 +1001,7 @@ rule exploit_cve_2015_2545 {
revision = "1"
date = "Dec 19 2015"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "SmartTag element attribute parsing vulnerability CVE-2015-1641"
mitre = "T1203 T1204.002"
@@ -1099,9 +1024,7 @@ rule warning_cve_2016_0021 {
revision = "1"
date = "Apr 7 2016"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2016. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Memory corruption vuln access freed heap memory CVE-2016_0021"
mitre = "T1203 T1204.002"
@@ -1126,9 +1049,7 @@ rule exploit_cve_2016_4117 {
revision = "1"
date = "Oct 27 2016"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Flash type confusion vulnerability CVE-2016-4117"
mitre = "T1203 T1204.002"
@@ -1149,9 +1070,7 @@ rule exploit_lnk_execute_shell {
revision = "1"
date = "Dec 09 2016"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2016. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = ".lnk files execute code"
mitre = "T1203 T1204.002"
@@ -1176,9 +1095,7 @@ rule exploit_cve_2017_0199 {
revision = "1"
date = "Apr 11 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Packager remote htmlfile inclusion"
mitre = "T1203 T1204.002"
@@ -1257,9 +1174,7 @@ rule exploit_cve_2017_8570 {
revision = "2"
date = "Jan 30 2019"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Packager remote htmlfile inclusion"
link = "http://justhaifei1.blogspot.ca/2017/07/bypassing-microsofts-cve-2017-0199-patch.html"
@@ -1299,9 +1214,7 @@ rule exploit_cve_2017_0261 {
revision = "1"
date = "May 11 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "EPS reuse after free"
mitre = "T1203 T1204.002"
@@ -1324,9 +1237,7 @@ rule exploit_cve_2017_0262 {
revision = "1"
date = "May 11 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "EPS exploit type confusion"
mitre = "T1203 T1204.002"
@@ -1349,9 +1260,7 @@ rule warning_EPS_xor_exec {
revision = "2"
date = "Oct 13 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "EPS obfuscation using xor and exec"
mitre = "T1027"
@@ -1375,9 +1284,7 @@ rule exploit_cve_2016_7193 {
revision = "1"
date = "Jun 9 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "Track Changes ListNum length overflow"
mitre = "T1203 T1204.002"
@@ -1399,9 +1306,7 @@ rule warning_office_encrypted_dataspace {
revision = "1"
date = "June 9 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2015. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "office encrypted dataspace"
mitre = "T1027"
@@ -1428,9 +1333,7 @@ rule warning_flash_obfuscation {
revision = "1"
date = "June 9 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Flash exec from string"
mitre = "T1027"
@@ -1462,10 +1365,8 @@ rule warning_openxml_remote_smb
revision = "2"
date = "June 18 2017"
author = "@tylabs"
- release = "lite"
hash = "34a11f3d68fd6cdef04b6df17bbe8f4d"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "External file inclusion may leak smb credentials"
mitre = "T1187"
@@ -1488,10 +1389,8 @@ rule warning_SAXXMLReader
revision = "1"
date = "July 26 2020"
author = "@tylabs"
- release = "lite"
hash = "574c0c60df82b3d79937eaacddf83e3d"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "amber"
sigtype = "cryptam_exploit"
desc = "Msxml2.SAXXMLReader class used in exploit obfuscation"
mitre = "T1027"
@@ -1516,9 +1415,7 @@ rule exploit_cve_2017_8759 {
revision = "1"
date = "September 12 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
desc = "OLE WSDL Parser Code Injection in PrintClientProxy CVE-2017-8759"
mitre = "T1203 T1204.002"
@@ -1545,9 +1442,7 @@ rule warning_js_inzip {
revision = "1"
date = "Oct 9 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Embedded js"
mitre = "T1059.007"
@@ -1569,9 +1464,7 @@ rule warning_excel_dde_exec {
revision = "4"
date = "Nov 13 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "Embedded shell command"
mitre = "T1059.003"
@@ -1605,9 +1498,7 @@ rule warning_excel_dde_auto {
revision = "1"
date = "Oct 17 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "if present overrides warning message"
mitre = "T1059.003"
@@ -1629,9 +1520,7 @@ rule exploit_cve_2017_11826 {
revision = "2"
date = "Oct 12 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "red"
sigtype = "cryptam_exploit"
desc = "xml nested font tag confusion"
mitre = "T1203 T1204.002"
@@ -1654,9 +1543,7 @@ rule warning_rtf_objupdate {
revision = "1"
date = "Nov 20 2017"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "update RTF object may load malicious content"
mitre = "T1027"
@@ -1677,9 +1564,7 @@ rule exploit_CVE_2018_0798 {
revision = "2"
date = "Nov 20 2017"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "red"
sigtype = "cryptam_exploit"
desc = "Equation editor buffer overflow"
mitre = "T1203 T1204.002"
@@ -1703,9 +1588,7 @@ rule exploit_cve_2017_11882 {
revision = "3"
date = "Oct 16 2020"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "red"
sigtype = "cryptam_exploit"
desc = "Equation editor buffer overflow"
mitre = "T1203 T1204.002"
@@ -1735,9 +1618,7 @@ rule warning_powershell_strings {
revision = "1"
date = "Feb 15 2018"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2017. All rights reserved."
- tlp = "red"
sigtype = "cryptam_exploit"
desc = "Powershell"
mitre = "T1059.001"
@@ -1762,9 +1643,7 @@ rule exploit_cve_2018_8174 {
revision = "1"
date = "May 17 2018"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2018. All rights reserved."
- tlp = "red"
sigtype = "cryptam_exploit"
desc = "Moniker exploit MSHTML COM CVE-2018-8174"
mitre = "T1203 T1204.002"
@@ -1785,7 +1664,6 @@ rule warning_xml_script {
date = "Jan 30 2019"
author = "@tylabs"
copyright = "tylabs.com 2019"
- tlp = "green"
mitre = "T1059.007"
strings:
$s1 = "script"
@@ -1804,10 +1682,8 @@ rule warning_openxml_remote_script
revision = "1"
date = "Feb 6 2019"
author = "@tylabs"
- release = "lite"
hash = "0f74d8a880c638a05ba959c0d5b2fec6"
copyright = "tylabs.com (c) Copyright 2019. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "External script inclusion"
mitre = "T1059.007"
@@ -1830,9 +1706,7 @@ rule warning_rtf_remote_template
revision = "3"
date = "Jul 13 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1221"
desc = "External template inclusion"
@@ -1855,9 +1729,7 @@ rule warning_rtf_unicode_template
revision = "1"
date = "Jul 13 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1221"
desc = "Obfuscated RTF template"
@@ -1881,9 +1753,7 @@ rule warning_openxml_remote_template
revision = "2"
date = "Sep 7 2020"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1221"
desc = "External template inclusion"
@@ -1910,9 +1780,7 @@ rule warning_hwp_active_content
revision = "1"
date = "Jul 28 2020"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.007"
desc = "JavaScript in HWP Document"
@@ -1934,9 +1802,7 @@ rule warning_postscript_exec {
revision = "1"
date = "Jul 28 2020"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059"
desc = "Postscript exec"
@@ -1956,9 +1822,7 @@ rule warning_postscript_xor {
revision = "1"
date = "Jul 28 2020"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1027"
desc = "Postscript xor could be used for obfuscation"
@@ -1979,9 +1843,7 @@ rule warning_postscript_nopsled {
revision = "1"
date = "Jul 28 2020"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1027"
desc = "Postscript buffer overflow"
@@ -2001,9 +1863,7 @@ rule exploit_cve_2017_11774 {
revision = "1"
date = "Jul 4 2021"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "CVE-2017-11774 Outlook attack"
mitre = "T1137"
@@ -2026,9 +1886,7 @@ rule warning_possible_guardrail {
revision = "1"
date = "Jul 4 2021"
author = "@tylabs"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "accessing userdnsdomain"
mitre = "T1480"
@@ -2049,9 +1907,7 @@ rule warning_possible_vbapurging {
revision = "1"
date = "Jul 4 2021"
author = "https://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "macro source may have been removed"
mitre = "T1564.007"
@@ -2072,9 +1928,7 @@ rule warning_possible_vbapurged {
revision = "1"
date = "Jul 4 2021"
author = "https://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html"
- release = "lite"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "white"
sigtype = "cryptam_exploit"
desc = "macro source removed with tool"
mitre = "T1564.007"
@@ -2097,9 +1951,7 @@ rule warning_excel_macro {
revision = "2"
date = "Jul 12 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro"
@@ -2120,9 +1972,7 @@ rule warning_excel_exec {
revision = "1"
date = "Jul 4 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro execute"
@@ -2143,9 +1993,7 @@ rule warning_excel_register {
revision = "1"
date = "Jul 4 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro register dll"
@@ -2166,9 +2014,7 @@ rule warning_excel_formula_mod {
revision = "1"
date = "Jul 4 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro register dll"
@@ -2189,9 +2035,7 @@ rule warning_excel_auto_open {
revision = "1"
date = "Jul 4 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro Auto_Open"
@@ -2213,9 +2057,7 @@ rule warning_excel_download {
revision = "1"
date = "Jul 12 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1204.002"
desc = "Excel 4.0 macro Auto_Open"
@@ -2239,9 +2081,7 @@ rule warning_macrosheet_ip
revision = "1"
date = "Jul 12 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2020. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1204.002"
desc = "IP Address in a Macrosheet"
@@ -2264,9 +2104,7 @@ rule warning_excel_run {
revision = "1"
date = "Jul 12 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro execute"
@@ -2288,9 +2126,7 @@ rule warning_excel_sheet_formula {
revision = "1"
date = "Jul 12 2021"
author = "@tylabs"
- release = "full"
copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
- tlp = "green"
sigtype = "cryptam_exploit"
mitre = "T1059.005"
desc = "Excel 4.0 macro execute"
@@ -2302,3 +2138,50 @@ rule warning_excel_sheet_formula {
all of them
}
+
+rule exploit_cve_2021_40444
+{
+ meta:
+ is_exploit = true
+ is_warning = false
+ is_feature = false
+ rank = 10
+ revision = "3"
+ date = "Sep 8 2021"
+ desc = "CVE-2021-40444 external mhtml inclusion"
+ author = "@tylabs"
+ mitre = "T1203 T1204.002"
+ copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
+
+ strings:
+ $a = "schemas.openxmlformats.org" ascii nocase
+ $b = "TargetMode=\"External\"" ascii nocase
+ $c = "Target=\"mhtml:http" ascii nocase
+ $d = "mhtml:http" ascii nocase
+ $e = "mhtml:file" ascii nocase
+
+ condition:
+ 3 of them
+}
+
+rule warning_suspicious_mhtml_http
+{
+ meta:
+ is_exploit = false
+ is_warning = true
+ is_feature = false
+ rank = 1
+ revision = "3"
+ date = "Sep 8 2021"
+ desc = "mhtml link or inclusion"
+ author = "@tylabs"
+ mitre = ""
+ copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
+
+ strings:
+ $a = "mhtml:http:" ascii nocase
+ $b = "mhtml:https:" ascii nocase
+ $c = "mhtml:file:" ascii nocase
+ condition:
+ any of them
+}
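Review bot: In `exploit_cve_2021_40444` the `3 of them` threshold does not measure three independent indicators: `$d = "mhtml:http"` is a strict substring of `$c = "Target=\"mhtml:http"`, so every `$c` hit also counts as a `$d` hit, and `$a = "schemas.openxmlformats.org"` is the standard OOXML namespace host present in virtually every `.rels` part, so in practice the rule fires on `$c` alone. If the intent is "an external relationship whose target is an mhtml URL", an explicit condition states that directly and avoids the double count, e.g. `$a and $b and ($d or $e)` (`$c` is then implied by `$d` and can be dropped, or kept only if the quoted form is wanted for reporting); if the count is deliberate, a short `// why 3 of them` comment above the condition would help the next reader. The companion `warning_suspicious_mhtml_http` already matches a bare `mhtml:http`/`mhtml:file`, so both rules will fire together on the same sample, which looks intended for rank layering but is worth recording in the exploit rule's `desc` or a comment. The two context lines at the top of the hunk are the tail of `warning_excel_sheet_formula`, which begins outside the hunk.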
diff --git a/src/quicksand/quicksand_pdf.yara b/src/quicksand/quicksand_pdf.yara
index 1b0f40b..43b69f4 100644
--- a/src/quicksand/quicksand_pdf.yara
+++ b/src/quicksand/quicksand_pdf.yara
@@ -10,8 +10,6 @@ rule shellcode_hash__CloseHandle {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash CloseHandle"
@@ -33,8 +31,6 @@ rule shellcode_hash__CreateFileA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash CreateFileA"
@@ -56,8 +52,6 @@ rule shellcode_hash__CreateProcessA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash CreateProcessA"
@@ -80,8 +74,6 @@ rule shellcode_hash__DeleteFileA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash DeleteFileA"
@@ -104,8 +96,6 @@ rule shellcode_hash__ExitProcess {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash ExitProcess"
@@ -128,8 +118,6 @@ rule shellcode_hash__ExitThread {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash ExitThread"
@@ -152,8 +140,6 @@ rule shellcode_hash__GetProcAddress {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash GetProcAddress"
@@ -176,8 +162,6 @@ rule shellcode_hash__GetSystemDirectoryA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash GetSystemDirectoryA"
@@ -200,8 +184,6 @@ rule shellcode_hash___hwrite {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash _hwrite"
@@ -224,8 +206,6 @@ rule shellcode_hash___lclose {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash _lclose"
@@ -248,8 +228,6 @@ rule shellcode_hash___lcreat {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash _lcreat"
@@ -272,8 +250,6 @@ rule shellcode_hash__LoadLibraryA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash LoadLibraryA"
@@ -296,8 +272,6 @@ rule shellcode_hash___lwrite {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash _lwrite"
@@ -320,8 +294,6 @@ rule shellcode_hash__SetUnhandledExceptionFilter {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash SetUnhandledExceptionFilter"
@@ -344,8 +316,6 @@ rule shellcode_hash__WaitForSingleObject {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash WaitForSingleObject"
@@ -368,8 +338,6 @@ rule shellcode_hash__WinExec {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash WinExec"
@@ -392,8 +360,6 @@ rule shellcode_hash__WriteFile {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash WriteFile"
@@ -416,8 +382,6 @@ rule shellcode_hash__accept {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash accept"
@@ -440,8 +404,6 @@ rule shellcode_hash__bind {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash bind"
@@ -464,8 +426,6 @@ rule shellcode_hash__closesocket {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash closesocket"
@@ -488,8 +448,6 @@ rule shellcode_hash__connect {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash connect"
@@ -512,8 +470,6 @@ rule shellcode_hash__listen {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash listen"
@@ -536,8 +492,6 @@ rule shellcode_hash__recv {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash recv"
@@ -560,8 +514,6 @@ rule shellcode_hash__send {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash send"
@@ -584,8 +536,6 @@ rule shellcode_hash__socket {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash socket"
@@ -608,8 +558,6 @@ rule shellcode_hash__WSASocketA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash WSASocketA"
@@ -632,8 +580,6 @@ rule shellcode_hash__WSAStartup {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash WSAStartup"
@@ -656,8 +602,6 @@ rule shellcode_hash__URLDownloadToFileA {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "shellcode.hash URLDownloadToFileA"
@@ -680,8 +624,6 @@ rule suspicious_shellcode_NOP_Sled {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_shellcode"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.shellcode NOP Sled"
@@ -704,8 +646,6 @@ rule suspicious_obfuscation_using_unescape {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using unescape"
@@ -733,8 +673,6 @@ rule suspicious_obfuscation_using_charCodeAt {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using charCodeAt"
@@ -755,8 +693,6 @@ rule suspicious_string_nopblock {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string nopblock"
@@ -777,8 +713,6 @@ rule suspicious_obfuscation_using_eval {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using eval"
@@ -805,8 +739,6 @@ rule suspicious_javascript_object {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.javascript object"
@@ -828,8 +760,6 @@ rule suspicious_javascript_in_XFA_block {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.javascript in XFA block"
@@ -852,8 +782,6 @@ rule suspicious_pdf_embedded_PDF_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.pdf embedded PDF file"
@@ -873,8 +801,6 @@ rule suspicious_obfuscation_toString {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation toString"
@@ -895,8 +821,6 @@ rule suspicious_obfuscation_using_substr {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using substr"
@@ -917,8 +841,6 @@ rule suspicious_obfuscation_using_String_replace {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using String.replace"
@@ -940,8 +862,6 @@ rule suspicious_obfuscation_using_String_fromCharCode {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using String.fromCharCode"
@@ -965,8 +885,6 @@ rule suspicious_obfuscation_using_substring {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using substring"
@@ -987,8 +905,6 @@ rule suspicious_obfuscation_using_util_byteToChar {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using util.byteToChar"
@@ -1008,8 +924,6 @@ rule suspicious_string_Shellcode_NOP_sled {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string Shellcode NOP sled"
@@ -1030,8 +944,6 @@ rule suspicious_string_heap_spray_shellcode {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string heap spray shellcode"
@@ -1052,8 +964,6 @@ rule suspicious_string_shellcode {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string shellcode"
@@ -1074,8 +984,6 @@ rule suspicious_string__Run_Sploit_ {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string -Run_Sploit-"
@@ -1096,8 +1004,6 @@ rule suspicious_string__HeapSpray_ {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string -HeapSpray-"
@@ -1118,8 +1024,6 @@ rule suspicious_flash_writeMultiByte {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.flash writeMultiByte"
@@ -1140,8 +1044,6 @@ rule suspicious_flash_addFrameScript {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.flash addFrameScript"
@@ -1162,8 +1064,6 @@ rule suspicious_flash_Adobe_Shockwave_Flash_in_a_PDF_define_obj_type {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.flash Adobe Shockwave Flash in a PDF define obj type"
@@ -1182,8 +1082,6 @@ rule suspicious_flash_obfuscated_name {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.flash obfuscated name"
@@ -1203,8 +1101,6 @@ rule pdf_exploit_FlateDecode_Stream_Predictor_02_Integer_Overflow_CVE_2009_3459
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit FlateDecode Stream Predictor 02 Integer Overflow CVE-2009-3459"
@@ -1225,8 +1121,6 @@ rule pdf_exploit_colors_number_is_high_CVE_2009_3459 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit colors number is high CVE-2009-3459"
@@ -1247,8 +1141,6 @@ rule pdf_exploit_URI_directory_traversal {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit URI directory traversal"
@@ -1269,8 +1161,6 @@ rule pdf_exploit_URI_directory_traversal_system32 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit URI directory traversal system32"
@@ -1291,8 +1181,6 @@ rule pdf_exploit_execute_EXE_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit execute EXE file"
@@ -1313,8 +1201,6 @@ rule pdf_warning_openaction {
revision = "1"
date = "July 14 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.warning OpenAction"
@@ -1335,8 +1221,6 @@ rule pdf_exploit_access_system32_directory {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit access system32 directory"
@@ -1358,8 +1242,6 @@ rule pdf_warning_remote_action {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_active"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit action uri"
@@ -1384,8 +1266,6 @@ rule pdf_exploit_execute_action_command {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit execute action command"
@@ -1406,8 +1286,6 @@ rule pdf_exploit_printSeps_memory_heap_corruption_CVE_2010_4091 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit printSeps memory heap corruption CVE-2010-4091"
@@ -1428,8 +1306,6 @@ rule suspicious_obfuscation_jjencoded_javascript {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation jjencoded javascript"
@@ -1450,8 +1326,6 @@ rule suspicious_obfuscation_getAnnots_access_blocks {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation getAnnots access blocks"
@@ -1475,8 +1349,6 @@ rule suspicious_obfuscation_info_Trailer_to_access_blocks {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation info.Trailer to access blocks"
@@ -1497,8 +1369,6 @@ rule suspicious_obfuscation_using_app_setTimeOut_to_eval_code {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.obfuscation using app.setTimeOut to eval code"
@@ -1519,8 +1389,6 @@ rule suspicious_string__shellcode_ {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string -shellcode-"
@@ -1540,8 +1408,6 @@ rule pdf_exploit_Collab_collectEmailInfo_CVE_2008_0655 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit Collab.collectEmailInfo CVE-2008-0655"
@@ -1563,8 +1429,6 @@ rule pdf_exploit_Collab_getIcon_CVE_2009_0927 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit Collab.getIcon CVE-2009-0927"
@@ -1586,8 +1450,6 @@ rule pdf_suspicious_util_printd_used_to_fill_buffers {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.suspicious util.printd used to fill buffers"
@@ -1607,8 +1469,6 @@ rule pdf_exploit_media_newPlayer_CVE_2009_4324 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit media.newPlayer CVE-2009-4324"
@@ -1633,8 +1493,6 @@ rule pdf_exploit_spell_customDictionaryOpen_CVE_2009_1493 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit spell.customDictionaryOpen CVE-2009-1493"
@@ -1655,8 +1513,6 @@ rule pdf_exploit_util_printf_CVE_2008_2992 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit util.printf CVE-2008-2992"
@@ -1676,8 +1532,6 @@ rule pdf_exploit_using_TIFF_overflow_CVE_2010_0188 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit using TIFF overflow CVE-2010-0188"
@@ -1698,8 +1552,6 @@ rule suspicious_string_TIFF_overflow_exploit_tif_name_CVE_2010_0188 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string TIFF overflow exploit.tif name CVE-2010-0188"
@@ -1719,8 +1571,6 @@ rule suspicious_string_base_64_nop_sled_used_in_TIFF_overflow_CVE_2010_0188 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string base 64 nop sled used in TIFF overflow CVE-2010-0188"
@@ -1744,8 +1594,6 @@ rule pdf_exploit_TIFF_overflow_CVE_2010_0188 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit TIFF overflow CVE-2010-0188"
@@ -1767,8 +1615,6 @@ rule pdf_execute_access_system32_directory {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.execute access system32 directory"
@@ -1788,8 +1634,6 @@ rule suspicious_string_obfuscated_unicode_NOP_sled {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.string obfuscated unicode NOP sled"
@@ -1809,8 +1653,6 @@ rule suspicious_flash_Embedded_Flash {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.flash Embedded Flash"
@@ -1836,8 +1678,6 @@ rule suspicious_flash_Embedded_Flash_define_obj {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.flash Embedded Flash define obj"
@@ -1858,8 +1698,6 @@ rule pdf_exploit_fontfile_SING_table_overflow_CVE_2010_2883_generic {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit fontfile SING table overflow CVE-2010-2883 generic"
@@ -1880,8 +1718,6 @@ rule pdf_exploit_fontfile_SING_table_overflow_CVE_2010_2883_A {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit fontfile SING table overflow CVE-2010-2883 A"
@@ -1901,8 +1737,6 @@ rule flash_exploit_CVE_2011_0609 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "flash.exploit CVE-2011-0609"
@@ -1924,8 +1758,6 @@ rule flash_exploit_CVE_2011_0611 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "flash.exploit CVE-2011-0611"
@@ -1951,8 +1783,6 @@ rule flash_suspicious_jit_spray {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "flash.suspicious jit_spray"
@@ -1972,8 +1802,6 @@ rule pdf_exploit_U3D_CVE_2011_2462_A {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit U3D CVE-2011-2462 A"
@@ -1993,8 +1821,6 @@ rule pdf_exploit_PRC_CVE_2011_4369_A {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit PRC CVE-2011-4369 A"
@@ -2014,8 +1840,6 @@ rule flash_exploit_flash_calling_malformed_MP4_CVE_2012_0754 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "flash.exploit flash calling malformed MP4 CVE-2012-0754"
@@ -2035,8 +1859,6 @@ rule flash_exploit_MP4_Loader_CVE_2012_0754_B {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "flash.exploit MP4 Loader CVE-2012-0754 B"
@@ -2056,8 +1878,6 @@ rule flash_exploit_MP4_CVE_2012_0754 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "flash.exploit MP4 CVE-2012-0754"
@@ -2077,8 +1897,6 @@ rule pdf_exploit_Sandbox_Bypass_CVE_2013_0641 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit Sandbox Bypass CVE-2013-0641"
@@ -2098,8 +1916,6 @@ rule pdf_exploit_BMP_RLE_integer_heap_overflow_CVE_2013_2729 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit BMP RLE integer heap overflow CVE-2013-2729"
@@ -2120,8 +1936,6 @@ rule pdf_exploit_ToolButton_use_after_free_CVE_2014_0496 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit ToolButton use-after-free CVE-2014-0496"
@@ -2142,8 +1956,6 @@ rule suspicious_javascript_addToolButton {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.javascript addToolButton"
@@ -2163,8 +1975,6 @@ rule suspicious_embedded_doc_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded doc file"
@@ -2184,8 +1994,6 @@ rule suspicious_embedded_xls_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded xls file"
@@ -2206,8 +2014,6 @@ rule suspicious_embedded_ppt_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded ppt file"
@@ -2229,8 +2035,6 @@ rule suspicious_embedded_scr_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded scr file"
@@ -2251,8 +2055,6 @@ rule suspicious_embedded_exe_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded exe file"
@@ -2273,8 +2075,6 @@ rule suspicious_embedded_bat_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded bat file"
@@ -2295,8 +2095,6 @@ rule suspicious_embedded_rtf_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded rtf file"
@@ -2317,8 +2115,6 @@ rule suspicious_embedded_mso_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded mso file"
@@ -2339,8 +2135,6 @@ rule suspicious_embedded_html_file {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded html file"
@@ -2361,8 +2155,6 @@ rule suspicious_embedded_OLE_document_header {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded OLE document header"
@@ -2383,8 +2175,6 @@ rule suspicious_embedded_external_content {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "suspicious.embedded external content"
@@ -2404,8 +2194,6 @@ rule pdf_exploit_Corrupted_JPEG2000_CVE_2018_4990 {
revision = "1"
date = "June 07 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit Corrupted JPEG2000 CVE-2018-4990"
@@ -2425,8 +2213,6 @@ rule pdf_exploit_using_jbig2decode_CVE_2009_0658 {
revision = "1"
date = "July 20 2020"
author = "@tylabs"
- release = "full"
- tlp = "amber"
sigtype = "pdfexaminer_obfuscation"
copyright = "Copyright 2020 tylabs.com. All rights reserved."
desc = "pdf.exploit using JBIG2Decode CVE-2009-0658"