[clamav-users] Regex in yara sig and clamav
Lionel PRAT
lionel.prat9 at gmail.com
Tue Jul 11 13:10:06 UTC 2017
Hi,
I want to use the signature "Docm_in_PDF" by Florian Roth in clamscan (above).
If I run it with the yara command, no problem: I detect the virus on my sample.
But if I use clamscan, the regexp doesn't match! I tried calling the command with
the option "--scan-pdf=no", but got the same result.
If I create a new file containing "ABCDEF" and create a yara rule with the
regexp "$re1 = /ABCD/", it matches ...
Do you know why? Can you help me, please?
Thank you!
Lionel

rule Docm_in_PDF {
   meta:
      description = "Detects an embedded DOCM in PDF combined with OpenAction"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2017-05-15"
   strings:
      $a1 = /<<\/Names\[\([\w]{1,12}.docm\)/ ascii
      $a2 = "OpenAction" ascii fullword
      $a3 = "JavaScript" ascii fullword
   condition:
      uint32(0) == 0x46445025 and all of them
}