From 90fabf8b91bf3be6e14ad30fd961c44d7e757546 Mon Sep 17 00:00:00 2001 From: tylabs Date: Wed, 8 Sep 2021 22:05:25 -0400 Subject: [PATCH] 2.0.13
---
 setup.py | 4 +- src/quicksand/quicksand_exe.yara | 29 ++-- src/quicksand/quicksand_exploits.yara | 211 ++++++------------------- src/quicksand/quicksand_pdf.yara | 214 -------------------------- 4 files changed, 58 insertions(+), 400 deletions(-)
diff --git a/setup.py b/setup.py
index a769e9f..50dcf65 100644
--- a/setup.py
+++ b/setup.py
@@ -5,14 +5,14 @@ setuptools.setup( name="quicksand", - version="2.0.12", + version="2.0.13", author="Tyler McLellan", author_email="nospam@tylabs.com", description="QuickSand is a module to scan streams inside documents with Yara", long_description=long_description, long_description_content_type="text/markdown", url="https://github.com/tylabs/quicksand", - download_url="https://github.com/tylabs/quicksand/archive/refs/tags/2.0.12.tar.gz", + download_url="https://github.com/tylabs/quicksand/archive/refs/tags/2.0.13.tar.gz", include_package_data=True, keywords = ['document', 'malware', 'forensics', 'yara', 'parser'], project_urls={
diff --git a/src/quicksand/quicksand_exe.yara b/src/quicksand/quicksand_exe.yara
index d39574e..4d31305 100644
--- a/src/quicksand/quicksand_exe.yara
+++ b/src/quicksand/quicksand_exe.yara
@@ -10,8 +10,7 @@ rule executable_win_pe { date = "Dec 27 2015" author = "@tylabs" desc = "MZ Header" - copyright = "QuickSand.io 2015" - tlp = "green" + copyright = "tylabs.com 2015" mitre = "T1027" strings:
@@ -30,9 +29,7 @@ rule executable_win_pe_transposed { author = "@tylabs" desc = "MZ Transposed" mitre = "T1027" - - copyright = "QuickSand.io 2015" - tlp = "green" + copyright = "tylabs.com 2015" strings: $s1 = /ZM.{76}hTsip orrgma/
@@ -50,9 +47,7 @@ rule executable_win_pe_transposed_offbyone { date = "Dec 27 2015" author = "@tylabs" desc = "MZ transposed and shifted" - - copyright = "QuickSand.io 2015" - tlp = "green" + copyright = "tylabs.com 2015" mitre = "T1027" strings:
@@ -71,10 +66,9 @@ rule executable_win { rank = 10 date = "July 29 2015" author = "@tylabs" - copyright = "QuickSand.io 2015" + copyright = "tylabs.com 2015" desc = "EXE strings" mitre = "T1027" - tlp = "green" strings: $s1 = "This program cannot be run in DOS mode"
@@ -120,8 +114,7 @@ rule executable_win_transposed { date = "July 29 2015" desc = "Transposition cipher" author = "@tylabs" - copyright = "QuickSand.io 2015" - tlp = "green" + copyright = "tylabs.com 2015" mitre = "T1027" strings:
@@ -139,9 +132,8 @@ rule executable_win_rtl { date = "July 29 2015" desc = "Right to Left compression LZNT1" author = "@tylabs" - copyright = "QuickSand.io 2015" + copyright = "tylabs.com 2015" mitre = "T1027" - tlp = "green" strings: $s1 = {2070726F6772616D002063616E6E6F74200062652072756E2069006E20444F53206D6F} // string.RTL.This program cannot be run in DOS mode condition:
@@ -157,9 +149,8 @@ rule executable_win_reversed { date = "July 29 2015" desc = "EXE is stored backwards" author = "@tylabs" - copyright = "QuickSand.io 2015" + copyright = "tylabs.com 2015" mitre = "T1027" - tlp = "green" strings: $s1 = "edom SOD ni nur eb tonnac margorp sihT" // string.reverse This program cannot be run in DOS mode condition: condition:
@@ -176,11 +167,10 @@ rule executable_vb { type = "vb" date = "July 29 2015" author = "@tylabs" - copyright = "QuickSand.io 2015" + copyright = "tylabs.com 2015" desc = "VB script" mitre = "T1059.005" - tlp = "green" strings: $s1 = "impersonationLevel=impersonate" $s2 = "On Error Resume Next"
@@ -199,12 +189,11 @@ rule executable_macosx { rank = 10 date = "July 29 2015" author = "@tylabs" - copyright = "QuickSand.io 2015" + copyright = "tylabs.com 2015" desc = "Mac executable" mitre = "T1027" - tlp = "green" strings: $s1 = "RunAtLoad" $s2 = "__mh_execute_header"
diff --git a/src/quicksand/quicksand_exploits.yara b/src/quicksand/quicksand_exploits.yara
index bb79b43..d33132c 100644
--- a/src/quicksand/quicksand_exploits.yara
+++ b/src/quicksand/quicksand_exploits.yara
@@ -10,9 +10,7 @@ rule warning_exec_ocx_object { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "OLE application command" mitre = "T1204.002"
@@ -34,9 +32,7 @@ rule warning_scriptbridge { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "ScriptBridge may load remote exploit" mitre = "T1204.002"
@@ -59,9 +55,7 @@ rule exploit_cve_2006_2492 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "smarttag overflow CVE-2006-2492" mitre = "T1203 T1204.002"
@@ -83,9 +77,7 @@ rule exploit_cve_2009_3129 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "excel buffer overflow CVE-2009-3129" mitre = "T1203 T1204.002"
@@ -106,9 +98,7 @@ rule warning_embedded_flash { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Embedded Flash data" mitre = "T1204.002"
@@ -137,9 +127,7 @@ rule exploit_cve_2011_0609 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exploit CVE-2011-0609" mitre = "T1203 T1204.002"
@@ -162,9 +150,7 @@ rule exploit_cve_2011_0611 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exploit CVE-2011-061" mitre = "T1203 T1204.002"
@@ -194,9 +180,7 @@ rule exploit_cve_2012_0754 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exploit malformed mp4 CVE-2012-0754" mitre = "T1203 T1204.002"
@@ -216,10 +200,8 @@ rule exploit_cve_2010_3333 { rank = 10 revision = "1" date = "July 29 2015" - release = "lite" author = "@tylabs" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "RTF stack overflow pFragments CVE-2010-3333" mitre = "T1203 T1204.002"
@@ -250,9 +232,7 @@ rule warning_rtf_embedded_file { revision = "2" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_warning" desc = "RTF embedded file package" mitre = "T1027"
@@ -273,9 +253,7 @@ rule exploit_MS12_060_tomato_garden { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Office exploit MSCOMCTL.OCX Toolbar MS12-060 Tomato Garden campaign" mitre = "T1203 T1204.002"
@@ -301,9 +279,7 @@ rule warning_office_encrypted_doc { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "office encrypted document" mitre = "T1027"
@@ -323,9 +299,7 @@ rule warning_office_encrypted_doc { revision = "1" date = "Oct 10 2020" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "office obfuscated document 2003 XOR with VelvetSweatshop" mitre = "T1027"
@@ -347,9 +321,7 @@ rule exploit_cve_2012_1535 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exploit CVE-2012-1535" mitre = "T1203 T1204.002"
@@ -372,9 +344,7 @@ rule exploit_cve_2013_0634 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exploit CVE-2013-0634 memory corruption" mitre = "T1203 T1204.002"
@@ -393,9 +363,7 @@ rule exploit_cve_2012_5054 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exploit CVE-2012-5054 Matrix3D" mitre = "T1203 T1204.002"
@@ -419,9 +387,7 @@ rule exploit_cve_2012_1856 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Office exploit MSCOMCTL.OCX TabStrip CVE-2012-1856" mitre = "T1203 T1204.002"
@@ -446,8 +412,6 @@ rule warning_mime_mso_embedded_flash { date = "July 29 2015" author = "@tylabs" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" - release = "lite" sigtype = "cryptam_exploit" desc = "office embedded Flash in MSO file" mitre = "T1204.002"
@@ -468,9 +432,7 @@ rule exploit_cve_2012_0158 { revision = "2" date = "Sep 01 2020" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Office exploit MSCOMCTL.OCX RCE CVE-2012-0158" mitre = "T1203 T1204.002"
@@ -515,9 +477,7 @@ rule warning_activex_exec { revision = "3" date = "Oct 11 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015, 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "ActiveX content" mitre = "T1059"
@@ -556,8 +516,6 @@ rule warning_activex_exec { date = "July 29 2015" author = "@tylabs" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" - release = "lite" sigtype = "cryptam_exploit" desc = "office heap spray" mitre = "T1059.005"
@@ -577,9 +535,7 @@ rule warning_activex_exec { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Office exploit TIFF CVE-2013-3906" mitre = "T1203 T1204.002"
@@ -603,9 +559,7 @@ rule warning_activex_exec { revision = "2" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Office package manager may load unsafe content such as shell scripts" mitre = "T1027"
@@ -632,7 +586,6 @@ rule warning_ole2link_embedded { date = "September 12 2017" author = "David Cannings" copyright = "source https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.md" - tlp = "white" sigtype = "cryptam_warning" desc = "Office OLE2Link unsafe content such as remote risky content" mitre = "T1027 T1204.002"
@@ -683,9 +636,7 @@ rule warning_ole2link_embedded { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "eicar test signature" mitre = ""
@@ -708,9 +659,7 @@ rule warning_vb_macro { revision = "2" date = "Oct 5 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Visual Basic macro" mitre = "T1059.005"
@@ -743,9 +692,7 @@ rule warning_js_embed { revision = "1" date = "Apr 12 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Embedded js" mitre = "T1059.007"
@@ -767,9 +714,7 @@ rule warning_vbs_embed { revision = "1" date = "May 18 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Embedded vbs" mitre = "T1059.005"
@@ -793,9 +738,7 @@ rule exploit_activex_execute_shell { revision = "2" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Visual Basic execute shell" mitre = "T1059.005 T1059.003"
@@ -826,9 +769,7 @@ rule warning_vb_autoopen { revision = "3" date = "Oct 9 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Visual Basic macro" mitre = "T1059.005"
@@ -862,9 +803,7 @@ rule warning_vb_fileio { revision = "2" date = "July 29 2015" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Visual Basic file io" mitre = "T1059.005"
@@ -908,9 +847,7 @@ rule exploit_cve_2014_1761 { revision = "2" date = "September 23 2016" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "RTF memory corruption listoverridecount CVE-2012-2539 CVE-2014-1761" mitre = "T1203 T1204.002"
@@ -932,9 +869,7 @@ rule exploit_cve_2014_4114 { revision = "1" date = "July 29 2015" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Office package manager executes .inf files CVE-2014-4114, CVE-2014-6352" mitre = "T1203 T1204.002"
@@ -959,9 +894,7 @@ rule exploit_cve_2015_0097 { revision = "1" date = "July 31 2015" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" ref = "https://www.fireeye.com/blog/threat-research/2015/07/cve-2015-0097_exploi.html" hashes = "8a1fd4182bea2cc5a33319769dbf501c"
@@ -985,9 +918,7 @@ rule exploit_cve_2015_1770 { revision = "1" date = "Aug 26 2015" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Office exploit MSCOMCTL.OCX TabStrip CVE-2012-1856" mitre = "T1203 T1204.002"
@@ -1015,9 +946,7 @@ rule exploit_cve_2015_1641 { revision = "1" date = "Aug 30 2015" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "SmartTag element attribute parsing vulnerability CVE-2015-1641" mitre = "T1203 T1204.002"
@@ -1041,9 +970,7 @@ rule exploit_cve_2015_2424 { revision = "1" date = "Sep 30 2015" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Task Symbol buffer overflow CVE-2015-2424 CVE-2015-1642" mitre = "T1203 T1204.002"
@@ -1074,9 +1001,7 @@ rule exploit_cve_2015_2545 { revision = "1" date = "Dec 19 2015" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "SmartTag element attribute parsing vulnerability CVE-2015-1641" mitre = "T1203 T1204.002"
@@ -1099,9 +1024,7 @@ rule warning_cve_2016_0021 { revision = "1" date = "Apr 7 2016" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2016. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Memory corruption vuln access freed heap memory CVE-2016_0021" mitre = "T1203 T1204.002"
@@ -1126,9 +1049,7 @@ rule exploit_cve_2016_4117 { revision = "1" date = "Oct 27 2016" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Flash type confusion vulnerability CVE-2016-4117" mitre = "T1203 T1204.002"
@@ -1149,9 +1070,7 @@ rule exploit_lnk_execute_shell { revision = "1" date = "Dec 09 2016" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2016. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = ".lnk files execute code" mitre = "T1203 T1204.002"
@@ -1176,9 +1095,7 @@ rule exploit_cve_2017_0199 { revision = "1" date = "Apr 11 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Packager remote htmlfile inclusion" mitre = "T1203 T1204.002"
@@ -1257,9 +1174,7 @@ rule exploit_cve_2017_8570 { revision = "2" date = "Jan 30 2019" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Packager remote htmlfile inclusion" link = "http://justhaifei1.blogspot.ca/2017/07/bypassing-microsofts-cve-2017-0199-patch.html"
@@ -1299,9 +1214,7 @@ rule exploit_cve_2017_0261 { revision = "1" date = "May 11 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "EPS reuse after free" mitre = "T1203 T1204.002"
@@ -1324,9 +1237,7 @@ rule exploit_cve_2017_0262 { revision = "1" date = "May 11 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "EPS exploit type confusion" mitre = "T1203 T1204.002"
@@ -1349,9 +1260,7 @@ rule warning_EPS_xor_exec { revision = "2" date = "Oct 13 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "EPS obfuscation using xor and exec" mitre = "T1027"
@@ -1375,9 +1284,7 @@ rule exploit_cve_2016_7193 { revision = "1" date = "Jun 9 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "Track Changes ListNum length overflow" mitre = "T1203 T1204.002"
@@ -1399,9 +1306,7 @@ rule warning_office_encrypted_dataspace { revision = "1" date = "June 9 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2015. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "office encrypted dataspace" mitre = "T1027"
@@ -1428,9 +1333,7 @@ rule warning_flash_obfuscation { revision = "1" date = "June 9 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Flash exec from string" mitre = "T1027"
@@ -1462,10 +1365,8 @@ rule warning_openxml_remote_smb revision = "2" date = "June 18 2017" author = "@tylabs" - release = "lite" hash = "34a11f3d68fd6cdef04b6df17bbe8f4d" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "External file inclusion may leak smb credentials" mitre = "T1187"
@@ -1488,10 +1389,8 @@ rule warning_SAXXMLReader revision = "1" date = "July 26 2020" author = "@tylabs" - release = "lite" hash = "574c0c60df82b3d79937eaacddf83e3d" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "amber" sigtype = "cryptam_exploit" desc = "Msxml2.SAXXMLReader class used in exploit obfuscation" mitre = "T1027"
@@ -1516,9 +1415,7 @@ rule exploit_cve_2017_8759 { revision = "1" date = "September 12 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" desc = "OLE WSDL Parser Code Injection in PrintClientProxy CVE-2017-8759" mitre = "T1203 T1204.002"
@@ -1545,9 +1442,7 @@ rule warning_js_inzip { revision = "1" date = "Oct 9 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Embedded js" mitre = "T1059.007"
@@ -1569,9 +1464,7 @@ rule warning_excel_dde_exec { revision = "4" date = "Nov 13 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "Embedded shell command" mitre = "T1059.003"
@@ -1605,9 +1498,7 @@ rule warning_excel_dde_auto { revision = "1" date = "Oct 17 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "if present overrides warning message" mitre = "T1059.003"
@@ -1629,9 +1520,7 @@ rule exploit_cve_2017_11826 { revision = "2" date = "Oct 12 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "red" sigtype = "cryptam_exploit" desc = "xml nested font tag confusion" mitre = "T1203 T1204.002"
@@ -1654,9 +1543,7 @@ rule warning_rtf_objupdate { revision = "1" date = "Nov 20 2017" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "update RTF object may load malicious content" mitre = "T1027"
@@ -1677,9 +1564,7 @@ rule exploit_CVE_2018_0798 { revision = "2" date = "Nov 20 2017" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "red" sigtype = "cryptam_exploit" desc = "Equation editor buffer overflow" mitre = "T1203 T1204.002"
@@ -1703,9 +1588,7 @@ rule exploit_cve_2017_11882 { revision = "3" date = "Oct 16 2020" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "red" sigtype = "cryptam_exploit" desc = "Equation editor buffer overflow" mitre = "T1203 T1204.002"
@@ -1735,9 +1618,7 @@ rule warning_powershell_strings { revision = "1" date = "Feb 15 2018" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2017. All rights reserved." - tlp = "red" sigtype = "cryptam_exploit" desc = "Powershell" mitre = "T1059.001"
@@ -1762,9 +1643,7 @@ rule exploit_cve_2018_8174 { revision = "1" date = "May 17 2018" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2018. All rights reserved." - tlp = "red" sigtype = "cryptam_exploit" desc = "Moniker exploit MSHTML COM CVE-2018-8174" mitre = "T1203 T1204.002"
@@ -1785,7 +1664,6 @@ rule warning_xml_script { date = "Jan 30 2019" author = "@tylabs" copyright = "tylabs.com 2019" - tlp = "green" mitre = "T1059.007" strings: $s1 = "script"
@@ -1804,10 +1682,8 @@ rule warning_openxml_remote_script revision = "1" date = "Feb 6 2019" author = "@tylabs" - release = "lite" hash = "0f74d8a880c638a05ba959c0d5b2fec6" copyright = "tylabs.com (c) Copyright 2019. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "External script inclusion" mitre = "T1059.007"
@@ -1830,9 +1706,7 @@ rule warning_rtf_remote_template revision = "3" date = "Jul 13 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1221" desc = "External template inclusion"
@@ -1855,9 +1729,7 @@ rule warning_rtf_unicode_template revision = "1" date = "Jul 13 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1221" desc = "Obfuscated RTF template"
@@ -1881,9 +1753,7 @@ rule warning_openxml_remote_template revision = "2" date = "Sep 7 2020" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1221" desc = "External template inclusion"
@@ -1910,9 +1780,7 @@ rule warning_hwp_active_content revision = "1" date = "Jul 28 2020" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.007" desc = "JavaScript in HWP Document"
@@ -1934,9 +1802,7 @@ rule warning_postscript_exec { revision = "1" date = "Jul 28 2020" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059" desc = "Postscript exec"
@@ -1956,9 +1822,7 @@ rule warning_postscript_xor { revision = "1" date = "Jul 28 2020" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1027" desc = "Postscript xor could be used for obfuscation"
@@ -1979,9 +1843,7 @@ rule warning_postscript_nopsled { revision = "1" date = "Jul 28 2020" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1027" desc = "Postscript buffer overflow"
@@ -2001,9 +1863,7 @@ rule exploit_cve_2017_11774 { revision = "1" date = "Jul 4 2021" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "CVE-2017-11774 Outlook attack" mitre = "T1137"
@@ -2026,9 +1886,7 @@ rule warning_possible_guardrail { revision = "1" date = "Jul 4 2021" author = "@tylabs" - release = "lite" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "accessing userdnsdomain" mitre = "T1480"
@@ -2049,9 +1907,7 @@ rule warning_possible_vbapurging { revision = "1" date = "Jul 4 2021" author = "https://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html" - release = "lite" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "macro source may have been removed" mitre = "T1564.007"
@@ -2072,9 +1928,7 @@ rule warning_possible_vbapurged { revision = "1" date = "Jul 4 2021" author = "https://www.fireeye.com/blog/threat-research/2020/11/purgalicious-vba-macro-obfuscation-with-vba-purging.html" - release = "lite" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "white" sigtype = "cryptam_exploit" desc = "macro source removed with tool" mitre = "T1564.007"
@@ -2097,9 +1951,7 @@ rule warning_excel_macro { revision = "2" date = "Jul 12 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro"
@@ -2120,9 +1972,7 @@ rule warning_excel_exec { revision = "1" date = "Jul 4 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro execute"
@@ -2143,9 +1993,7 @@ rule warning_excel_register { revision = "1" date = "Jul 4 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro register dll"
@@ -2166,9 +2014,7 @@ rule warning_excel_formula_mod { revision = "1" date = "Jul 4 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro register dll"
@@ -2189,9 +2035,7 @@ rule warning_excel_auto_open { revision = "1" date = "Jul 4 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro Auto_Open"
@@ -2213,9 +2057,7 @@ rule warning_excel_download { revision = "1" date = "Jul 12 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1204.002" desc = "Excel 4.0 macro Auto_Open"
@@ -2239,9 +2081,7 @@ rule warning_macrosheet_ip revision = "1" date = "Jul 12 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2020. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1204.002" desc = "IP Address in a Macrosheet"
@@ -2264,9 +2104,7 @@ rule warning_excel_run { revision = "1" date = "Jul 12 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro execute"
@@ -2288,9 +2126,7 @@ rule warning_excel_sheet_formula { revision = "1" date = "Jul 12 2021" author = "@tylabs" - release = "full" copyright = "tylabs.com (c) Copyright 2021. All rights reserved." - tlp = "green" sigtype = "cryptam_exploit" mitre = "T1059.005" desc = "Excel 4.0 macro execute"
@@ -2302,3 +2138,50 @@ rule warning_excel_sheet_formula { all of them }
+
+rule exploit_cve_2021_40444
+{
+ meta:
+ is_exploit = true
+ is_warning = false
+ is_feature = false
+ rank = 10
+ revision = "3"
+ date = "Sep 8 2021"
+ desc = "CVE-2021-40444 external mhtml inclusion"
+ author = "@tylabs"
+ mitre = "T1203 T1204.002"
+ copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
+
+ strings:
+ $a = "schemas.openxmlformats.org" ascii nocase
+ $b = "TargetMode=\"External\"" ascii nocase
+ $c = "Target=\"mhtml:http" ascii nocase
+ $d = "mhtml:http" ascii nocase
+ $e = "mhtml:file" ascii nocase
+
+ condition:
+ 3 of them
+}
+
+rule warning_suspicious_mhtml_http
+{
+ meta:
+ is_exploit = false
+ is_warning = true
+ is_feature = false
+ rank = 1
+ revision = "3"
+ date = "Sep 8 2021"
+ desc = "mhtml link or inclusion"
+ author = "@tylabs"
+ mitre = ""
+ copyright = "tylabs.com (c) Copyright 2021. All rights reserved."
+
+ strings:
+ $a = "mhtml:http:" ascii nocase
+ $b = "mhtml:https:" ascii nocase
+ $c = "mhtml:file:" ascii nocase
+ condition:
+ any of them
+}
diff --git a/src/quicksand/quicksand_pdf.yara b/src/quicksand/quicksand_pdf.yara
index 1b0f40b..43b69f4 100644
--- a/src/quicksand/quicksand_pdf.yara
+++ b/src/quicksand/quicksand_pdf.yara
@@ -10,8 +10,6 @@ rule shellcode_hash__CloseHandle { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash CloseHandle"
@@ -33,8 +31,6 @@ rule shellcode_hash__CreateFileA { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash CreateFileA"
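Review bot: In the new `exploit_cve_2021_40444` rule the `3 of them` threshold is looser than it reads: `$d` (`mhtml:http`) is a substring of `$c` (`Target="mhtml:http`), so every `$c` hit is also a `$d` hit, and `$a` (`schemas.openxmlformats.org`) is present in practically any OOXML relationship part, so a single `Target="mhtml:http` occurrence already satisfies the condition and `$b` never has to match. If that selectivity is intended, an explicit condition documents it and removes the double count, e.g. `condition: $a and ($c or ($b and ($d or $e)))`; if it is not, `$c` is fully covered by `$d` and can simply be dropped. Both new rules also omit the `sigtype` meta that every other rule in this file carries (`sigtype = "cryptam_exploit"`), which may matter if anything downstream keys on it, and `warning_suspicious_mhtml_http` leaves `mitre = ""` where the exploit rule directly above it uses `"T1203 T1204.002"`.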
@@ -56,8 +52,6 @@ rule shellcode_hash__CreateProcessA { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash CreateProcessA"
@@ -80,8 +74,6 @@ rule shellcode_hash__DeleteFileA { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash DeleteFileA"
@@ -104,8 +96,6 @@ rule shellcode_hash__ExitProcess { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash ExitProcess"
@@ -128,8 +118,6 @@ rule shellcode_hash__ExitThread { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash ExitThread"
@@ -152,8 +140,6 @@ rule shellcode_hash__GetProcAddress { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash GetProcAddress"
@@ -176,8 +162,6 @@ rule shellcode_hash__GetSystemDirectoryA { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash GetSystemDirectoryA"
@@ -200,8 +184,6 @@ rule shellcode_hash___hwrite { revision = "1" date = "June 07 2020" author = "@tylabs" - release = "full" - tlp = "amber" sigtype = "pdfexaminer_shellcode" copyright = "Copyright 2020 tylabs.com. All rights reserved." desc = "shellcode.hash _hwrite"
@@ -224,8 +206,6 @@ rule shellcode_hash___lclose {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash _lclose"
@@ -248,8 +228,6 @@ rule shellcode_hash___lcreat {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash _lcreat"
@@ -272,8 +250,6 @@ rule shellcode_hash__LoadLibraryA {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash LoadLibraryA"
@@ -296,8 +272,6 @@ rule shellcode_hash___lwrite {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash _lwrite"
@@ -320,8 +294,6 @@ rule shellcode_hash__SetUnhandledExceptionFilter {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash SetUnhandledExceptionFilter"
@@ -344,8 +316,6 @@ rule shellcode_hash__WaitForSingleObject {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash WaitForSingleObject"
@@ -368,8 +338,6 @@ rule shellcode_hash__WinExec {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash WinExec"
@@ -392,8 +360,6 @@ rule shellcode_hash__WriteFile {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash WriteFile"
@@ -416,8 +382,6 @@ rule shellcode_hash__accept {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash accept"
@@ -440,8 +404,6 @@ rule shellcode_hash__bind {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash bind"
@@ -464,8 +426,6 @@ rule shellcode_hash__closesocket {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash closesocket"
@@ -488,8 +448,6 @@ rule shellcode_hash__connect {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash connect"
@@ -512,8 +470,6 @@ rule shellcode_hash__listen {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash listen"
@@ -536,8 +492,6 @@ rule shellcode_hash__recv {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash recv"
@@ -560,8 +514,6 @@ rule shellcode_hash__send {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash send"
@@ -584,8 +536,6 @@ rule shellcode_hash__socket {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash socket"
@@ -608,8 +558,6 @@ rule shellcode_hash__WSASocketA {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash WSASocketA"
@@ -632,8 +580,6 @@ rule shellcode_hash__WSAStartup {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash WSAStartup"
@@ -656,8 +602,6 @@ rule shellcode_hash__URLDownloadToFileA {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "shellcode.hash URLDownloadToFileA"
@@ -680,8 +624,6 @@ rule suspicious_shellcode_NOP_Sled {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_shellcode"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.shellcode NOP Sled"
@@ -704,8 +646,6 @@ rule suspicious_obfuscation_using_unescape {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using unescape"
@@ -733,8 +673,6 @@ rule suspicious_obfuscation_using_charCodeAt {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using charCodeAt"
@@ -755,8 +693,6 @@ rule suspicious_string_nopblock {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string nopblock"
@@ -777,8 +713,6 @@ rule suspicious_obfuscation_using_eval {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using eval"
@@ -805,8 +739,6 @@ rule suspicious_javascript_object {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.javascript object"
@@ -828,8 +760,6 @@ rule suspicious_javascript_in_XFA_block {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.javascript in XFA block"
@@ -852,8 +782,6 @@ rule suspicious_pdf_embedded_PDF_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.pdf embedded PDF file"
@@ -873,8 +801,6 @@ rule suspicious_obfuscation_toString {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation toString"
@@ -895,8 +821,6 @@ rule suspicious_obfuscation_using_substr {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using substr"
@@ -917,8 +841,6 @@ rule suspicious_obfuscation_using_String_replace {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using String.replace"
@@ -940,8 +862,6 @@ rule suspicious_obfuscation_using_String_fromCharCode {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using String.fromCharCode"
@@ -965,8 +885,6 @@ rule suspicious_obfuscation_using_substring {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using substring"
@@ -987,8 +905,6 @@ rule suspicious_obfuscation_using_util_byteToChar {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using util.byteToChar"
@@ -1008,8 +924,6 @@ rule suspicious_string_Shellcode_NOP_sled {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string Shellcode NOP sled"
@@ -1030,8 +944,6 @@ rule suspicious_string_heap_spray_shellcode {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string heap spray shellcode"
@@ -1052,8 +964,6 @@ rule suspicious_string_shellcode {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string shellcode"
@@ -1074,8 +984,6 @@ rule suspicious_string__Run_Sploit_ {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string -Run_Sploit-"
@@ -1096,8 +1004,6 @@ rule suspicious_string__HeapSpray_ {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string -HeapSpray-"
@@ -1118,8 +1024,6 @@ rule suspicious_flash_writeMultiByte {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.flash writeMultiByte"
@@ -1140,8 +1044,6 @@ rule suspicious_flash_addFrameScript {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.flash addFrameScript"
@@ -1162,8 +1064,6 @@ rule suspicious_flash_Adobe_Shockwave_Flash_in_a_PDF_define_obj_type {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.flash Adobe Shockwave Flash in a PDF define obj type"
@@ -1182,8 +1082,6 @@ rule suspicious_flash_obfuscated_name {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.flash obfuscated name"
@@ -1203,8 +1101,6 @@ rule pdf_exploit_FlateDecode_Stream_Predictor_02_Integer_Overflow_CVE_2009_3459
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit FlateDecode Stream Predictor 02 Integer Overflow CVE-2009-3459"
@@ -1225,8 +1121,6 @@ rule pdf_exploit_colors_number_is_high_CVE_2009_3459 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit colors number is high CVE-2009-3459"
@@ -1247,8 +1141,6 @@ rule pdf_exploit_URI_directory_traversal {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit URI directory traversal"
@@ -1269,8 +1161,6 @@ rule pdf_exploit_URI_directory_traversal_system32 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit URI directory traversal system32"
@@ -1291,8 +1181,6 @@ rule pdf_exploit_execute_EXE_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit execute EXE file"
@@ -1313,8 +1201,6 @@ rule pdf_warning_openaction {
 revision = "1"
 date = "July 14 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.warning OpenAction"
@@ -1335,8 +1221,6 @@ rule pdf_exploit_access_system32_directory {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit access system32 directory"
@@ -1358,8 +1242,6 @@ rule pdf_warning_remote_action {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_active"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit action uri"
@@ -1384,8 +1266,6 @@ rule pdf_exploit_execute_action_command {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit execute action command"
@@ -1406,8 +1286,6 @@ rule pdf_exploit_printSeps_memory_heap_corruption_CVE_2010_4091 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit printSeps memory heap corruption CVE-2010-4091"
@@ -1428,8 +1306,6 @@ rule suspicious_obfuscation_jjencoded_javascript {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation jjencoded javascript"
@@ -1450,8 +1326,6 @@ rule suspicious_obfuscation_getAnnots_access_blocks {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation getAnnots access blocks"
@@ -1475,8 +1349,6 @@ rule suspicious_obfuscation_info_Trailer_to_access_blocks {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation info.Trailer to access blocks"
@@ -1497,8 +1369,6 @@ rule suspicious_obfuscation_using_app_setTimeOut_to_eval_code {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.obfuscation using app.setTimeOut to eval code"
@@ -1519,8 +1389,6 @@ rule suspicious_string__shellcode_ {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string -shellcode-"
@@ -1540,8 +1408,6 @@ rule pdf_exploit_Collab_collectEmailInfo_CVE_2008_0655 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit Collab.collectEmailInfo CVE-2008-0655"
@@ -1563,8 +1429,6 @@ rule pdf_exploit_Collab_getIcon_CVE_2009_0927 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit Collab.getIcon CVE-2009-0927"
@@ -1586,8 +1450,6 @@ rule pdf_suspicious_util_printd_used_to_fill_buffers {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.suspicious util.printd used to fill buffers"
@@ -1607,8 +1469,6 @@ rule pdf_exploit_media_newPlayer_CVE_2009_4324 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit media.newPlayer CVE-2009-4324"
@@ -1633,8 +1493,6 @@ rule pdf_exploit_spell_customDictionaryOpen_CVE_2009_1493 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit spell.customDictionaryOpen CVE-2009-1493"
@@ -1655,8 +1513,6 @@ rule pdf_exploit_util_printf_CVE_2008_2992 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit util.printf CVE-2008-2992"
@@ -1676,8 +1532,6 @@ rule pdf_exploit_using_TIFF_overflow_CVE_2010_0188 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit using TIFF overflow CVE-2010-0188"
@@ -1698,8 +1552,6 @@ rule suspicious_string_TIFF_overflow_exploit_tif_name_CVE_2010_0188 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string TIFF overflow exploit.tif name CVE-2010-0188"
@@ -1719,8 +1571,6 @@ rule suspicious_string_base_64_nop_sled_used_in_TIFF_overflow_CVE_2010_0188 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string base 64 nop sled used in TIFF overflow CVE-2010-0188"
@@ -1744,8 +1594,6 @@ rule pdf_exploit_TIFF_overflow_CVE_2010_0188 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit TIFF overflow CVE-2010-0188"
@@ -1767,8 +1615,6 @@ rule pdf_execute_access_system32_directory {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.execute access system32 directory"
@@ -1788,8 +1634,6 @@ rule suspicious_string_obfuscated_unicode_NOP_sled {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.string obfuscated unicode NOP sled"
@@ -1809,8 +1653,6 @@ rule suspicious_flash_Embedded_Flash {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.flash Embedded Flash"
@@ -1836,8 +1678,6 @@ rule suspicious_flash_Embedded_Flash_define_obj {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.flash Embedded Flash define obj"
@@ -1858,8 +1698,6 @@ rule pdf_exploit_fontfile_SING_table_overflow_CVE_2010_2883_generic {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit fontfile SING table overflow CVE-2010-2883 generic"
@@ -1880,8 +1718,6 @@ rule pdf_exploit_fontfile_SING_table_overflow_CVE_2010_2883_A {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit fontfile SING table overflow CVE-2010-2883 A"
@@ -1901,8 +1737,6 @@ rule flash_exploit_CVE_2011_0609 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "flash.exploit CVE-2011-0609"
@@ -1924,8 +1758,6 @@ rule flash_exploit_CVE_2011_0611 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "flash.exploit CVE-2011-0611"
@@ -1951,8 +1783,6 @@ rule flash_suspicious_jit_spray {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "flash.suspicious jit_spray"
@@ -1972,8 +1802,6 @@ rule pdf_exploit_U3D_CVE_2011_2462_A {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit U3D CVE-2011-2462 A"
@@ -1993,8 +1821,6 @@ rule pdf_exploit_PRC_CVE_2011_4369_A {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit PRC CVE-2011-4369 A"
@@ -2014,8 +1840,6 @@ rule flash_exploit_flash_calling_malformed_MP4_CVE_2012_0754 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "flash.exploit flash calling malformed MP4 CVE-2012-0754"
@@ -2035,8 +1859,6 @@ rule flash_exploit_MP4_Loader_CVE_2012_0754_B {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "flash.exploit MP4 Loader CVE-2012-0754 B"
@@ -2056,8 +1878,6 @@ rule flash_exploit_MP4_CVE_2012_0754 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "flash.exploit MP4 CVE-2012-0754"
@@ -2077,8 +1897,6 @@ rule pdf_exploit_Sandbox_Bypass_CVE_2013_0641 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit Sandbox Bypass CVE-2013-0641"
@@ -2098,8 +1916,6 @@ rule pdf_exploit_BMP_RLE_integer_heap_overflow_CVE_2013_2729 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit BMP RLE integer heap overflow CVE-2013-2729"
@@ -2120,8 +1936,6 @@ rule pdf_exploit_ToolButton_use_after_free_CVE_2014_0496 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit ToolButton use-after-free CVE-2014-0496"
@@ -2142,8 +1956,6 @@ rule suspicious_javascript_addToolButton {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.javascript addToolButton"
@@ -2163,8 +1975,6 @@ rule suspicious_embedded_doc_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded doc file"
@@ -2184,8 +1994,6 @@ rule suspicious_embedded_xls_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded xls file"
@@ -2206,8 +2014,6 @@ rule suspicious_embedded_ppt_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded ppt file"
@@ -2229,8 +2035,6 @@ rule suspicious_embedded_scr_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded scr file"
@@ -2251,8 +2055,6 @@ rule suspicious_embedded_exe_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded exe file"
@@ -2273,8 +2075,6 @@ rule suspicious_embedded_bat_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded bat file"
@@ -2295,8 +2095,6 @@ rule suspicious_embedded_rtf_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded rtf file"
@@ -2317,8 +2115,6 @@ rule suspicious_embedded_mso_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded mso file"
@@ -2339,8 +2135,6 @@ rule suspicious_embedded_html_file {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded html file"
@@ -2361,8 +2155,6 @@ rule suspicious_embedded_OLE_document_header {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded OLE document header"
@@ -2383,8 +2175,6 @@ rule suspicious_embedded_external_content {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "suspicious.embedded external content"
@@ -2404,8 +2194,6 @@ rule pdf_exploit_Corrupted_JPEG2000_CVE_2018_4990 {
 revision = "1"
 date = "June 07 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit Corrupted JPEG2000 CVE-2018-4990"
@@ -2425,8 +2213,6 @@ rule pdf_exploit_using_jbig2decode_CVE_2009_0658 {
 revision = "1"
 date = "July 20 2020"
 author = "@tylabs"
- release = "full"
- tlp = "amber"
 sigtype = "pdfexaminer_obfuscation"
 copyright = "Copyright 2020 tylabs.com. All rights reserved."
 desc = "pdf.exploit using JBIG2Decode CVE-2009-0658"