// Flags RTF-style Word documents whose \info metadata (author, operator,
// company, title, creation time) carries a value that has been observed in
// malicious samples. Two groups of strings are combined in the condition:
// document markers ($rtf*) and the metadata values themselves ($a*, $mil*).
// Identifier gaps ($a6, $a22, $mil8, $mil9) are present in the upstream rule.
rule Word_Document_with_Suspicious_Metadata
{
meta:
author = "InQuest Labs"
description = "This signature detects suspicious metadata within a Microsoft Word document. Document properties, also known as metadata, are details about a file that describe or identify it. Document properties include details such as title, author name, operator, subject, and keywords that identify the document's topic or contents."
created_date = "2022-03-15"
updated_date = "2022-03-15"
blog_reference = "https://www.schneier.com/blog/archives/2005/11/metadata_in_ms.html"
labs_reference = "https://labs.inquest.net/dfi/sha256/db0037a9753c364022af4bb7d578996b78ccc3c28b01c6632ccd95a69d49d67c"
labs_pivot = "https://labs.inquest.net/dfi/search/alert/Suspicious%20XMP%20Identifier"
samples = "db0037a9753c364022af4bb7d578996b78ccc3c28b01c6632ccd95a69d49d67c"
strings:
// --- Document markers: the condition requires exactly one of these. ---
// RTF header "{\rt" anchored with ^, i.e. it must sit at the very start of
// the scanned data (YARA's ^ anchors to the beginning of the data, not a line).
$rtf1 = /^\x7b\x5c\x72\x74/ /* {\\rt */
// Generator string. This is the only way a file that does not begin with the
// RTF header can satisfy "1 of ($rtf*)", so it widens the rule to non-RTF data.
$rtf2 = "Microsoft Office Word"
// --- Metadata values seen in samples (RTF \info control words). ---
// Raw bytes: 0x07 followed by "tnauthor John Doe}" -- a malformed control
// word rather than a well-formed \author; compare $mil13 ("tnauthor").
$a0 = { 07 74 6E 61 75 74 68 6F 72 20 4A 6F 68 6E 20 44 6F 65 7D }
// The only string with a nocase modifier; matches in any letter case.
$a1 = "Vjkygdjdtyuj" nocase
// \'hh sequences are RTF hex escapes for single code-page bytes, so $a2, $a18
// and $a35 match non-ASCII names byte-for-byte. $a2 looks like GBK-encoded
// Chinese (presumably "Microsoft China") -- confirm against the sample.
$a2 = "{\\*\\company \\'ce\\'a2\\'c8\\'ed\\'d6\\'d0\\'b9\\'fa"
$a3 = "{\\author author000}"
$a4 = "{\\operator author000}"
$a5 = "{\\*\\company google}"
// Bare names without an RTF control word; these match anywhere in the file,
// not only inside the \info group.
$a7 = "Tran Duy Linh"
$a8 = "DLC Corporation"
$a9 = "{\\author testhome}"
$a10 = "{\\operator testhome}"
// $a11, $a12, $a17, $a24, $a25 and $mil5 omit the closing "}", so they also
// match longer values that merely start with the given name.
$a11 = "{\\author Nkosi Moyo"
$a12 = "{\\operator Victor Ignatiev"
$a13 = "{\\*\\company ECOBANK}"
// Placeholder text left in from a template.
$a14 = "{\\title Your Company Name}"
$a15 = "{\\author Geoffrey Draper}"
$a16 = "{\\*\\company Le Grand Marketing}"
$a17 = "{\\author kirichek"
// Hex-escaped title; likely CP1251 Cyrillic -- confirm against the sample.
$a18 = "{\\title \\'c1\\'cb\\'c0\\'cd\\'ca \\'c7\\'c0\\'ca\\'c0\\'c7\\'c0}"
$a19 = "{\\operator admin}"
$a20 = "{\\author joy}"
$a21 = "{\\operator PMALO}"
$a23 = "{\\operator test}"
$a24 = "{\\author Stone"
$a25 = "{\\operator Stone"
$a26 = "{\\title A* }"
// Obviously scrubbed/placeholder author and operator values.
$a27 = "{\\author xxxxxxxxx}"
$a28 = "{\\operator xxxxxxxxx}"
$a29 = "{\\author xxx}"
$a30 = "{\\operator xxx}"
$a31 = "{\\*\\company 1stconsult}"
$a32 = "{\\author user}"
$a33 = "{\\operator user}"
$a34 = "{\\*\\company ooo}"
// Hex-escaped author; likely CP1251 Cyrillic -- confirm against the sample.
$a35 = "{\\author \\'cf\\'e0\\'e2\\'e5\\'eb}"
$a36 = "{\\operator 1}"
$a37 = "{\\author blursight}"
$a38 = "{\\operator blursight}"
$a39 = "{\\author MC SYSTEM}"
$a40 = "{\\operator MC SYSTEM}"
$a41 = "{\\*\\company MC SYSTEM}"
$a42 = "{\\author Work}"
$a43 = "{\\operator JSman}"
$a44 = "{\\*\\company Grizli777}"
$a45 = "{\\author wingdbg}"
$a46 = "{\\operator wingdbg}"
$a47 = "{\\author Dmk}"
$a48 = "{\\operator Dmk}"
$a49 = "{\\author TSEEDUP}"
$a50 = "{\\author conqueror}"
$a51 = "{\\operator conqueror}"
// --- Additional indicators ($mil*); same role in the condition as $a*. ---
// $mil1 and $mil10 are hex-text fragments resembling the OLE compound-file
// magic D0 CF 11 E0 A1 B1 1A E1 as it can appear in RTF object payloads.
// $mil1 carries a backslash where the leading "D" would be and $mil10 is cut
// to 15 hex digits; presumably deliberate to match how the samples were
// written -- verify against the referenced sample before "fixing" either.
$mil1 = "\\0CF11E0A1B11AE10000000"
// Author and operator both "abc", matched across the group boundary.
$mil2 = "\\author abc}{\\operator abc"
// Empty title immediately followed by an "admin" author.
$mil3 = "{\\info{\\title }{\\author admin"
// Title padded with four 16-character runs of "A", then author "bbk".
$mil4 = "title AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAA}{\\author bbk}"
$mil5 = "{\\author Microsoft"
// Literal creation timestamp 2010-11-29 16:35; presumably a template value
// reused across samples rather than a real authoring time.
$mil6 = "{\\creatim\\yr2010\\mo11\\dy29\\hr16\\min35}"
// $mil7 and $mil12 are short, unanchored fragments. With the condition below
// needing only one $a*/$mil* hit, these are the most false-positive-prone
// strings in the rule.
$mil7 = "author xp"
$mil10 = "D0CF11E0A1B11AE"
// NOTE(review): the control words appear without their leading "\t" / "\a"
// ("itle", "uthor"). This is either intentional, matching malformed RTF as in
// $a0 and $mil13, or an escaping slip where "\\title" / "\\author" was meant;
// confirm against the sample before changing it.
$mil11 = "\\info{itle Template}{uthor John Doe}}"
$mil12 = "\\title aaa"
// Malformed control word "tnauthor" again (see $a0).
$mil13 = "tnauthor leeyth"
condition:
// One document marker plus any single metadata indicator. Because $rtf2
// alone satisfies the first clause, a non-RTF file containing "Microsoft
// Office Word" and one short fragment such as $mil7 also matches.
1 of ($rtf*) and any of ($a*,$mil*)
}