include "filetypes.yara"
/*
These string lists were generated on the command line from `file` output over a sample corpus, one command per metadata field (each emits one YARA string line per unique value, with \x00 / \x00\x1e framing):
Author:
$ file ~/samples/all/* | perl -ne 'if(/Author: (.*?), Template:/) { $x = $1; $x =~ s/\"/\\\"/g; while($x =~ /\\(\d{3})/) { $n = oct($1); $nn = sprintf("%02x",$n); $x =~ s/\\$1/\\x$nn/; chomp $x; } print " \$ = \"\\x00$x\\x00\\x1e\"\n"; };' | sort | uniq
Title:
$ file ~/samples/all/* | perl -ne 'if(/Title: (.*?), Author:/) { $x = $1; $x =~ s/\"/\\\"/g; while($x =~ /\\(\d{3})/) { $n = oct($1); $nn = sprintf("%02x",$n); $x =~ s/\\$1/\\x$nn/; chomp $x; } print " \$ = \"\\x00$x\\x00\\x1e\"\n"; };' | sort | uniq
Last Saved By:
$ file ~/samples/all/* | perl -ne 'if(/Last Saved By: (.*?), Revision/) { $x = $1; $x =~ s/\"/\\\"/g; while($x =~ /\\(\d{3})/) { $n = oct($1); $nn = sprintf("%02x",$n); $x =~ s/\\$1/\\x$nn/; chomp $x; } print " \$ = \"\\x00$x\\x00\\x1e\"\n"; };' | sort | uniq
*/
/*
OLEAuthor: flags OLE documents whose Author metadata value is one of the
strings below.

Each string is the raw author value as it sits in the property stream: a
leading \x00, the value, then \x00\x1e. The trailing \x1e is presumably the
VT_LPSTR type tag of the following property -- verify against the OLE
property-set layout before relying on that reading. The values were produced
by the `file` + perl one-liner in the header comment and are a point-in-time
snapshot of one sample corpus (last_modified below), not an exhaustive list.

IsOLE comes from the included filetypes.yara; its exact check is not visible
in this file.

NOTE(review): many entries are generic defaults (Administrator, admin, Owner,
system, User, USER, user, unknown, IBM, Lenovo, www, xp, ...) that appear in
large numbers of benign documents. A hit on this rule is corpus-overlap
context for triage, not evidence that a file is malicious on its own; pair
it with stronger indicators before acting on it.
*/
rule OLEAuthor : Author OLEMetadata
{
meta:
description = "Identifier for known OLE document authors"
author = "Seth Hardy"
last_modified = "2014-05-07"
strings:
// Anonymous strings ($) so the list can be regenerated and pasted in as-is.
$ = "\x00111\x00\x1e"
$ = "\x0011\x00\x1e"
$ = "\x00123\x00\x1e"
$ = "\x002chu\x00\x1e"
$ = "\x007513A3DEA183474\x00\x1e"
$ = "\x00abc\x00\x1e"
$ = "\x00Administrator\x00\x1e"
$ = "\x00admin\x00\x1e"
$ = "\x00Aggarwal, Aakash\x00\x1e"
$ = "\x00beat\x00\x1e"
$ = "\x00Ben\x00\x1e"
$ = "\x00bf\x00\x1e"
$ = "\x00Booksway\x00\x1e"
$ = "\x00Bosh\x00\x1e"
$ = "\x00captain\x00\x1e"
$ = "\x00CC2\x00\x1e"
$ = "\x00cyano\x00\x1e"
$ = "\x00Dinesh\x00\x1e"
$ = "\x00Dolker\x00\x1e"
$ = "\x00Drokpa\x00\x1e"
$ = "\x00Findo\x00\x1e"
$ = "\x00FLORINE DATESSEN\x00\x1e"
$ = "\x00funghain\x00\x1e"
$ = "\x00HealthDeptt-01\x00\x1e"
$ = "\x00hy9901a\x00\x1e"
$ = "\x00IBM User\x00\x1e"
$ = "\x00IBM\x00\x1e"
$ = "\x00Igny\x00\x1e"
$ = "\x00IITK\x00\x1e"
$ = "\x00I. K\x00\x1e"
$ = "\x00Jamal Al-Masraf\x00\x1e"
$ = "\x00Joyce Havinga\x00\x1e"
$ = "\x00kalume\x00\x1e"
$ = "\x00Karma\x00\x1e"
$ = "\x00karmayeshi\x00\x1e"
$ = "\x00KChase\x00\x1e"
$ = "\x00ken\x00\x1e"
$ = "\x00khenrab\x00\x1e"
$ = "\x00Kunga Tashi\x00\x1e"
$ = "\x00Lenovo User\x00\x1e"
$ = "\x00Lenovo\x00\x1e"
$ = "\x00lenovo\x00\x1e"
$ = "\x00Lharisang\x00\x1e"
$ = "\x00Luitgard Hammerer\x00\x1e"
$ = "\x00MC SYSTEM\x00\x1e"
$ = "\x00mpzhang\x00\x1e"
$ = "\x00neuroking\x00\x1e"
$ = "\x00Ngawang Gelek\x00\x1e"
$ = "\x00niu2\x00\x1e"
$ = "\x00Owner\x00\x1e"
$ = "\x00pema tashi\x00\x1e"
$ = "\x00pepe\x00\x1e"
$ = "\x00perhat64\x00\x1e"
$ = "\x00Remote\x00\x1e"
$ = "\x00ResuR\x00\x1e"
$ = "\x00roy\x00\x1e"
$ = "\x00Samphel\x00\x1e"
$ = "\x00sard\x00\x1e"
$ = "\x00shirley\x00\x1e"
$ = "\x00shungqar\x00\x1e"
$ = "\x00Sofia Olsson\x00\x1e"
$ = "\x00Sonam Dolkar\x00\x1e"
$ = "\x00Son Huynh Hong\x00\x1e"
$ = "\x00system\x00\x1e"
$ = "\x00teguete\x00\x1e"
$ = "\x00tensangmo\x00\x1e"
$ = "\x00tenzin1959\x00\x1e"
$ = "\x00Tenzin\x00\x1e"
$ = "\x00Tran Duy Linh\x00\x1e"
$ = "\x00Traudl\x00\x1e"
$ = "\x00Tsedup\x00\x1e"
$ = "\x00Tsering Tamding\x00\x1e"
$ = "\x00unknown\x00\x1e"
$ = "\x00USER\x00\x1e"
$ = "\x00User\x00\x1e"
$ = "\x00user\x00\x1e"
$ = "\x00votoystein\x00\x1e"
$ = "\x00walkinnet\x00\x1e"
$ = "\x00World Uyghur Congress\x00\x1e"
$ = "\x00www\x00\x1e"
// The next four entries render here as a lone space, yet `sort | uniq`
// kept them as distinct values; they are presumably different
// whitespace/non-printing characters that this copy of the file does not
// preserve. Check the raw bytes before editing or de-duplicating them.
$ = "\x00 \x00\x1e"
$ = "\x00 \x00\x1e"
$ = "\x00 \x00\x1e"
$ = "\x00 \x00\x1e"
// Non-ASCII author value, kept byte-for-byte as the generator emitted it.
$ = "\x00\xf4_y\xb7\x80\x05\x9e\xbf\x00\x1e"
$ = "\x00xp\x00\x1e"
$ = "\x00YCanPDF\x00\x1e"
$ = "\x00y\x00\x1e"
$ = "\x00zsh\x00\x1e"
condition:
// Gate on the container type first (IsOLE, from filetypes.yara); any one
// listed author value is then enough to fire.
IsOLE and (any of them)
}
/*
OLETitle: flags OLE documents whose Title metadata value is one of the
strings below.

Framing is the same as in OLEAuthor: a leading \x00, the raw title bytes,
then \x00\x1e (the \x1e presumably being the VT_LPSTR type tag of the next
property -- verify against the OLE property-set layout). Values come from
the `file` + perl one-liner in the header comment and reflect one sample
corpus as of last_modified; regenerate rather than hand-edit.

IsOLE is defined in the included filetypes.yara; its exact check is not
visible here.

NOTE(review): several titles are application defaults or boilerplate
("PowerPoint Presentation", "Dear All,", "Best", "Progress Chart",
"asdfasdfasdf", "#", a lone space) and will match benign files too; treat
a hit as triage context, not a verdict. Titles that stop mid-word or just
before an accented character ("Bamako, le 04 d", "The Charg", "...gum",
"...provis") look truncated at the point where the generator's `file`
output stopped or hit a non-ASCII byte -- they still match as prefixes of
the full value, which is likely the intent, but confirm before tightening.
*/
rule OLETitle : Title OLEMetadata
{
meta:
description = "Identifier for known OLE document titles"
author = "Seth Hardy"
last_modified = "2014-05-07"
strings:
// Anonymous strings ($) so the list can be regenerated and pasted in as-is.
$ = "\x0001:00\x00\x1e"
// Long title, apparently truncated mid-word by the generator.
$ = "\x00 23-Aprel chushidin keyin saet bir yirim,Xitayning 3 neper paylaqchisi seriqbuya yezida oy arilap yurup paylaqchiliq qiliwatqanda bir oyge toplann\xcaghan bir gurup uyghur yashlarni korgen we ularning yenida pichaq we tam teshidighan eswablarni korup gum\x00\x1e"
$ = "\x0046-120603 fice W648\x00\x1e"
// Contains raw non-ASCII bytes; kept exactly as emitted.
$ = "\x0054-120602 15s\xb7K\x0c]\xb7\x00\x1e"
$ = "\x005-Iyul Urumchi Qirghinchiliqi heqide qisqiche Dokilat \x00\x1e"
$ = "\x00April 20-21, 2013\x00\x1e"
$ = "\x00asdfasdfasdf\x00\x1e"
// Ends just before what is presumably an accented character ("d" of "déc...").
$ = "\x00Bamako, le 04 d\x00\x1e"
$ = "\x00Best\x00\x1e"
$ = "\x00Dear All,\x00\x1e"
$ = "\x00Dear President and Executive Members,\x00\x1e"
$ = "\x00Full list of self-immolations in Tibet\x00\x1e"
$ = "\x00Help stop the destruction of my home, Lhasa, Tibet\x00\x1e"
$ = "\x00HHDL'visit in European\x00\x1e"
$ = "\x00II) Overview & Analysis:\x00\x1e"
$ = "\x00Institute for Defence Studies and Analyses\x00\x1e"
$ = "\x00IPT APPLICATION FORM\x00\x1e"
$ = "\x00Jharkhand supports Indian Parliamentary resolution on Tibet crisis\x00\x1e"
$ = "\x00Lieutenant General KENOSE BARRY PHILLIPE,\x00\x1e"
$ = "\x00OPERATIONAL MANUAL:\x00\x1e"
$ = "\x00PART 2 - Overview and Analysis\x00\x1e"
// Application default title; expect benign matches.
$ = "\x00PowerPoint Presentation\x00\x1e"
$ = "\x00Progress Chart: 15\x00\x1e"
$ = "\x00Progress Chart:\x00\x1e"
$ = "\x00Progress Chart\x00\x1e"
$ = "\x00RC\x00\x1e"
$ = "\x00(RESENDING)\x00\x1e"
$ = "\x00Talking Points EU-China Human Rights Dialogue June 2011\x00\x1e"
$ = "\x00TANC Community Center\x00\x1e"
// Ends just before what is presumably an accented character ("Chargé").
$ = "\x00The Charg\x00\x1e"
// Long title, apparently truncated mid-word by the generator.
$ = "\x00The following schedule of plans has been finalized for the purpose of holding the Second Special General Meeting of Tibetans being organized jointly by the Tibetan Parliament-in-Exile and the Kashag headed by the Kalon Tripa in accordance with the provis\x00\x1e"
$ = "\x00The Tibet Museum Project\x00\x1e"
$ = "\x00Tibetan Community in Switzerland & Liechtenstein, Binzstrasse 15, CH-8045 Zurich, Switzerland \x00\x1e"
$ = "\x00TSERING BHUTI\x00\x1e"
$ = "\x00Tsering Bhuti\x00\x1e"
$ = "\x00 \x00\x1e"
$ = "\x00#\x00\x1e"
// The next three entries are raw non-ASCII/binary title bytes as emitted.
$ = "\x00\x8d\x00\x1e"
$ = "\x00\x8d\x9a\x06\xb7\x00\x1e"
$ = "\x00\xc8\xf8!\xb7\x00\x1e"
$ = "\x00Yes, I would like to raise this point: how many more young Tibetan lives are to be sacrificed in these awful self immolations before China is likely to change its Tibet policies in favour of Tibetan autonomy\x00\x1e"
condition:
// Gate on the container type first (IsOLE, from filetypes.yara); any one
// listed title value is then enough to fire.
IsOLE and (any of them)
}
/*
OLELastSavedBy: flags OLE documents whose "Last Saved By" metadata value is
one of the strings below.

Framing is the same as in OLEAuthor: a leading \x00, the raw value, then
\x00\x1e (the \x1e presumably being the VT_LPSTR type tag of the next
property -- verify against the OLE property-set layout). Values come from
the `file` + perl one-liner in the header comment and reflect one sample
corpus as of last_modified; regenerate rather than hand-edit.

IsOLE is defined in the included filetypes.yara; its exact check is not
visible here.

NOTE(review): this field is commonly a default account or machine name,
and the list includes many such values (Administrator, Admin, Owner, system,
User, user, USR, unknown, HP, Lenovo, WIN7, test, one, A, y). Those entries
will match a large share of benign documents, so a hit is corpus-overlap
context for triage rather than a malicious verdict; consider reporting which
string matched so analysts can weigh generic versus specific values.
*/
rule OLELastSavedBy : LastSavedBy OLEMetadata
{
meta:
description = "Identifier for known OLE document Last Saved By field"
author = "Seth Hardy"
last_modified = "2014-05-07"
strings:
// Anonymous strings ($) so the list can be regenerated and pasted in as-is.
$ = "\x00111\x00\x1e"
$ = "\x0011\x00\x1e"
$ = "\x00123\x00\x1e"
$ = "\x00Administrator\x00\x1e"
$ = "\x00Admin\x00\x1e"
$ = "\x00Alex\x00\x1e"
$ = "\x00Audit\x00\x1e"
// Single-character value; only the \x00 / \x00\x1e framing keeps it from
// matching everywhere.
$ = "\x00A\x00\x1e"
$ = "\x00beat\x00\x1e"
$ = "\x00Ben\x00\x1e"
$ = "\x00bf\x00\x1e"
$ = "\x00Booksway\x00\x1e"
$ = "\x00Bosh\x00\x1e"
$ = "\x00captain\x00\x1e"
$ = "\x00CL_nelson\x00\x1e"
$ = "\x00Core\x00\x1e"
$ = "\x00cyano\x00\x1e"
$ = "\x00dainzin\x00\x1e"
$ = "\x00Dolker\x00\x1e"
$ = "\x00Findo\x00\x1e"
$ = "\x00FLORINE DATESSEN\x00\x1e"
$ = "\x00funghain\x00\x1e"
$ = "\x00HP\x00\x1e"
$ = "\x00hy9901a\x00\x1e"
$ = "\x00IBM User\x00\x1e"
$ = "\x00IBM\x00\x1e"
$ = "\x00Igny\x00\x1e"
$ = "\x00I. K\x00\x1e"
$ = "\x00ITCO\x00\x1e"
$ = "\x00jds\x00\x1e"
$ = "\x00Joyce Havinga\x00\x1e"
$ = "\x00karmayeshi\x00\x1e"
$ = "\x00ken\x00\x1e"
$ = "\x00khenrab\x00\x1e"
$ = "\x00Kunga Tashi\x00\x1e"
$ = "\x00lebrale\x00\x1e"
$ = "\x00Lenovo User\x00\x1e"
$ = "\x00Lenovo\x00\x1e"
$ = "\x00lenovo\x00\x1e"
$ = "\x00Lharisang\x00\x1e"
$ = "\x00Lhundup Damcho\x00\x1e"
$ = "\x00MC SYSTEM\x00\x1e"
$ = "\x00mm\x00\x1e"
$ = "\x00mpzhang\x00\x1e"
$ = "\x00neuroking\x00\x1e"
$ = "\x00niu2\x00\x1e"
// "Normal.d" / "Normal.w" / "Normal" look like template-name fragments
// (presumably Normal.dot / Normal.wpt or similar) that ended up in this
// field; confirm against the samples before treating them as user names.
$ = "\x00Normal.d\x00\x1e"
$ = "\x00Normal.w\x00\x1e"
$ = "\x00Normal\x00\x1e"
$ = "\x00one\x00\x1e"
$ = "\x00Owner\x00\x1e"
$ = "\x00pema tashi\x00\x1e"
$ = "\x00pepe\x00\x1e"
$ = "\x00PhiDiem\x00\x1e"
$ = "\x00ResuR\x00\x1e"
$ = "\x00roy\x00\x1e"
$ = "\x00Samphel\x00\x1e"
$ = "\x00system\x00\x1e"
$ = "\x00TCC Dhasa1\x00\x1e"
$ = "\x00tensangmo\x00\x1e"
$ = "\x00Tenzin\x00\x1e"
$ = "\x00test\x00\x1e"
$ = "\x00Tibet Ever\x00\x1e"
$ = "\x00Tran Duy Linh\x00\x1e"
$ = "\x00Traudl\x00\x1e"
$ = "\x00unknown\x00\x1e"
$ = "\x00User\x00\x1e"
$ = "\x00user\x00\x1e"
$ = "\x00USR\x00\x1e"
$ = "\x00walkinnet\x00\x1e"
$ = "\x00WIN7\x00\x1e"
$ = "\x00www\x00\x1e"
// The next four entries render here as a lone space, yet `sort | uniq`
// kept them as distinct values; they are presumably different
// whitespace/non-printing characters that this copy of the file does not
// preserve. Check the raw bytes before editing or de-duplicating them.
$ = "\x00 \x00\x1e"
$ = "\x00 \x00\x1e"
$ = "\x00 \x00\x1e"
$ = "\x00 \x00\x1e"
$ = "\x00y\x00\x1e"
condition:
// Gate on the container type first (IsOLE, from filetypes.yara); any one
// listed value is then enough to fire.
IsOLE and (any of them)
}