Merge pull request #321 from sdu6342/master

Add Malicious_Documents/Maldoc_Suspicious_OLE_target.yar
Yara-Rules · Aug 7, 2018 · 14fb793 · 14fb793
2 parents b496aad + ac4c76d
commit 14fb793
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/Malicious_Documents/Maldoc_Suspicious_OLE_target.yar b/Malicious_Documents/Maldoc_Suspicious_OLE_target.yar
@@ -0,0 +1,14 @@
+rule Maldoc_Suspicious_OLE_target {
+  meta:
+    description =  "Detects maldoc With Tartgeting Suspicuios OLE"
+    author = "Donguk Seo"
+    reference = "https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/"
+    filetype = "Office documents"
+    date = "2018-06-13"
+  strings:
+    $env1 = /oleObject".*Target=.*.http.*.doc"/
+    $env2 = /oleObject".*Target=.*.http.*.ppt"/
+    $env3 = /oleObject".*Target=.*.http.*.xlx"/
+  condition:
+    any of them
+}
diff --git a/Malicious_Documents_index.yar b/Malicious_Documents_index.yar
@@ -18,3 +18,4 @@ include "./Malicious_Documents/Maldoc_VBA_macro_code.yar"
 include "./Malicious_Documents/Maldoc_Word_2007_XML_Flat_OPC.yar"
 include "./Malicious_Documents/Maldoc_malrtf_ole2link.yar"
 include "./Malicious_Documents/maldoc_somerules.yar"
+include "./Malicious_Documents/Maldoc_Suspicious_OLE_target.yar"