Analysis of ‘MalDoc in PDF’
Common Information
Type Value
UUID 7a5eed6f-acfd-4b28-a613-6950d5a5a007
Fingerprint a2e53b5209a713af
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 30, 2023, 10:28 a.m.
Added to db Aug. 31, 2024, 7:09 a.m.
Last updated Aug. 31, 2024, 8:56 p.m.
Headline Analysis of ‘MalDoc in PDF’
Title Analysis of ‘MalDoc in PDF’
Detected Hints/Tags/Attributes 25/2/8
RSS Feed
Id Enabled Feed title Url Added to db
169 Maldoc on Medium https://medium.com/feed/tag/maldoc 2024-08-30 22:08
Attributes
Type (#Events) Value
Domain (3): cloudmetricsapp.com
File (1): 0723request.pdf
File (1): image7891805.jpg
File (1): macro.bin
sha256 (4): ef59d7038cfd565fd65bae12588810d5361df938244ebad33b71882dcf683058
IPv4 (1): 179.60.147.105
Url (1): https://cloudmetricsapp.com/wp-content/uploads/docs/addin.msi
Yara rule (1):
rule MaldocinPDF {
	meta:
		description = "Detecting MalDocs in PDF"
	strings:
		// MHT (MIME HTML) markers that a Word/Excel document saved as "Web Page" carries
		$mht0 = "mime" ascii nocase
		$mht1 = "content-location:" ascii nocase
		$mht2 = "content-type:" ascii nocase
		$mht3 = "Edit-Time-Data" ascii nocase
		// Office-specific XML markers identifying the embedded document type
		$doc = "<w:WordDocument>" ascii nocase
		$xls = "<x:ExcelWorkbook>" ascii nocase
	condition:
		// uint32(0) == 0x46445025 is the little-endian read of the "%PDF" header,
		// so the file presents itself as a PDF while also carrying MHT/Office markers
		(uint32(0) == 0x46445025) and (2 of ($mht*)) and ((1 of ($doc)) or (1 of ($xls)))
}