Hi, I want to use the signature "Docm_in_PDF" by Florian Roth in clamscan (above).
If I run it with the yara command, no problem, I detect the virus in my sample. But if I use clamscan, the regexp doesn't match! I tried calling the command with the option "--scan-pdf=no", but got the same result. If I create a new file with content "ABCDEF" and I create a yara rule with regexp "$re1 = /ABCD/", it matches ...

Do you know why? Can you help me please?

Thank you!
Lionel

rule Docm_in_PDF {
   meta:
      description = "Detects an embedded DOCM in PDF combined with OpenAction"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-05-15"
   strings:
      $a1 = /<<\/Names\[\([\w]{1,12}.docm\)/ ascii
      $a2 = "OpenAction" ascii fullword
      $a3 = "JavaScript" ascii fullword
   condition:
      uint32(0) == 0x46445025 and all of them
}