Common Information
Type Value
Value
rule MaldocinPDF {
	meta:
		description = "Detecting MalDocs in PDF"
	strings:
		// MIME/MHT markers that should not appear in an ordinary PDF
		$mht0 = "mime" ascii nocase
		$mht1 = "content-location:" ascii nocase
		$mht2 = "content-type:" ascii nocase
		$mht3 = "Edit-Time-Data" ascii nocase
		// Office XML markers for an embedded Word or Excel document
		$doc = "<w:WordDocument>" ascii nocase
		$xls = "<x:ExcelWorkbook>" ascii nocase
	condition:
		// 0x46445025 is "%PDF" at offset 0, read as a little-endian uint32
		(uint32(0) == 0x46445025) and (2 of ($mht*)) and ((1 of ($doc)) or (1 of ($xls)))
}
Category
Type Yara Rule
Misp Type
Description
Details Published Attributes CTI Title
Details Website 2023-08-30 8 Analysis of ‘MalDoc in PDF’