Quickpost: PDF/ActiveMime Maldocs YARA Rule
Aug. 29, 2023, 6:16 p.m. | MalBot
Malware Analysis, News and Indicators - Latest topics malware.news
Here is a YARA rule I developed to detect the PDF/ActiveMime maldocs I wrote about in “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs”.
It looks for files that start with %PDF- (note that this header can be obfuscated) and that contain the string QWN0aXZlTWlt (the string ActiveMim in BASE64), possibly obfuscated with whitespace characters inserted between the BASE64 characters. QWN0aXZlTWlt is the encoding of ActiveMim only when it starts at a 3-byte boundary of the data being encoded, which is the case when the ActiveMime container is encoded from its first byte (ActiveMime is its magic at offset 0); 9 bytes is a multiple of 3, so the 12-character BASE64 string is the same whatever follows the magic.
rule rule_pdf_activemime {
    meta:
        author = "Didier Stevens"
        date = "2023/08/29"
        version = "0.0.1"
        samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
        description = "look for files that start with %PDF- and contain BASE64 encoded string …
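As an added illustration (editor-supplied Python, not part of Didier Stevens' post or of his YARA rule), the following reimplements the rule's two checks, %PDF- at offset 0 and the whitespace-tolerant BASE64 string ActiveMim anywhere in the file, and runs them over constructed inputs: a stand-in polyglot with the BASE64 text intact, the same with CRLF inserted into the BASE64 text, a benign PDF, and a bare BASE64 container without the PDF header. The make_sample helper and all sample bytes are constructed for the demonstration and are not the hashed samples from the rule. It also shows why the needle only appears when the ActiveMime container is encoded from its first byte.

```python
import base64
import re

# Magic bytes at offset 0 of an ActiveMime (.mso) container.
ACTIVEMIME_MAGIC = b"ActiveMime"

# BASE64 of the first 9 magic bytes: 9 is a multiple of 3, so the encoding is
# a fixed 12-character string without padding: QWN0aXZlTWlt.
NEEDLE = base64.b64encode(ACTIVEMIME_MAGIC[:9])

PDF_HEADER = b"%PDF-"

# Whitespace-tolerant form of the needle: any run of whitespace may appear
# between consecutive BASE64 characters (the obfuscation the rule allows for).
NEEDLE_RE = re.compile(
    rb"\s*".join(re.escape(NEEDLE[i:i + 1]) for i in range(len(NEEDLE)))
)


def is_pdf_activemime(data: bytes) -> bool:
    """Mirror the rule's condition: %PDF- at offset 0 and the (possibly
    whitespace-obfuscated) BASE64 string ActiveMim anywhere in the file."""
    return data.startswith(PDF_HEADER) and NEEDLE_RE.search(data) is not None


def needle_offset(data: bytes):
    """Offset of the first (possibly obfuscated) needle, or None if absent."""
    m = NEEDLE_RE.search(data)
    return m.start() if m else None


def needle_in_encoding(prefix: bytes) -> bool:
    """Whether QWN0aXZlTWlt appears when `prefix` precedes the ActiveMime magic
    before BASE64 encoding. True only when len(prefix) % 3 == 0, because
    BASE64 encodes 3-byte groups: a 1- or 2-byte shift changes every
    character of the encoded magic."""
    return NEEDLE in base64.b64encode(prefix + ACTIVEMIME_MAGIC + b"\x00" * 8)


def make_sample(obfuscate: bool) -> bytes:
    """Constructed stand-in for a PDF/ActiveMime polyglot (not a real sample):
    a PDF header and binary comment line followed by a BASE64-encoded
    ActiveMime container (magic plus filler)."""
    payload = base64.b64encode(ACTIVEMIME_MAGIC + b"\x00" * 8)
    if obfuscate:
        # Break the BASE64 text into 4-character chunks separated by CRLF,
        # which defeats a plain substring search but not the regex above.
        payload = b"\r\n".join(payload[i:i + 4] for i in range(0, len(payload), 4))
    return b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n" + payload + b"\n%%EOF\n"


if __name__ == "__main__":
    cases = [
        ("clean polyglot", make_sample(False)),
        ("whitespace-obfuscated polyglot", make_sample(True)),
        ("benign PDF", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"),
        ("bare BASE64 container, no PDF header", base64.b64encode(ACTIVEMIME_MAGIC)),
    ]
    for label, blob in cases:
        print(f"{label:38s} match={is_pdf_activemime(blob)!s:5s} "
              f"needle_at={needle_offset(blob)}")
    for prefix in (b"", b"X", b"XY", b"XYZ"):
        print(f"{len(prefix)} byte(s) before the magic: "
              f"needle present = {needle_in_encoding(prefix)}")
```

The YARA rule is what you deploy; this script only reproduces its logic so the whitespace and 3-byte-alignment behaviour can be checked offline before tuning the rule for a specific sample set.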