all InfoSec news
Quickpost: PDF/ActiveMime Maldocs YARA Rule
Aug. 29, 2023, 6:16 p.m. | MalBot
Malware Analysis, News and Indicators - Latest topics malware.news
Here is a YARA rule I developed to detect PDF/ActiveMime maldocs I wrote about in “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs“.
It looks for files that start with %PDF- (this header can be obfuscated) and contain string QWN0aXZlTWlt (string ActiveMim in BASE64), possibly obfuscated with whitespace characters.
rule rule_pdf_activemime {
meta:
author = "Didier Stevens"
date = "2023/08/29"
version = "0.0.1"
samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058"
description = "look for files that start with %PDF- and contain BASE64 encoded string …
analysis author base64 characters detect didier didier stevens files header maldocs malware analysis meta obfuscated pdf polyglot quickpost start yara
More from malware.news / Malware Analysis, News and Indicators - Latest topics
Showcasing Artwork by Max for Autism Awareness Month
1 day, 11 hours ago |
malware.news
Kaiser Permanente notifies 13.4M patients of potential data exposure
1 day, 12 hours ago |
malware.news
Jobs in InfoSec / Cybersecurity
SOC 2 Manager, Audit and Certification
@ Deloitte | US and CA Multiple Locations
Associate Principal Security Engineer
@ Activision Blizzard | Work from Home - CA
Security Engineer- Systems Integration
@ Meta | Bellevue, WA | Menlo Park, CA | New York City
Lead Security Engineer (Digital Forensic and IR Analyst)
@ Blue Yonder | Hyderabad
Senior Principal IAM Engineering Program Manager Cybersecurity
@ Providence | Redmond, WA, United States
Information Security Analyst II or III
@ Entergy | The Woodlands, Texas, United States