| property | value |
| --- | --- |
| tags | defensive-tradecraft,maldoc,malware-analysis,pkm-pocket-pipeline,yara |
| url | |
| original_word_count | 1756 |
Article Excerpt
These polyglot files are PDF files into which an Office document (for example, a Single File Web Page Word document) has been embedded (in various ways). When a Word document with VBA code is saved as a Single File Web Page, the OLE file with the VBA code is stored inside an ActiveMime file.
Long Summary
This article explains how to build a YARA rule that detects an obfuscated string in PDF/ActiveMime polyglot maldocs. The rule was written by Didier Stevens (ISC Senior Handler and Microsoft MVP) and is published in his GitHub repository. It requires the PDF header at the start of the file and matches the string "ActiveMime" in its BASE64 form with whitespace characters interspersed between the BASE64 characters. Because a regular expression that permits whitespace between every character gives YARA no fixed prefix to search for, a set of regular expressions was generated instead, each beginning with 3 fixed characters, by enumerating all the possible combinations. YARA still warns that these strings may slow down scanning, so the rule is suited to ad-hoc detection rather than intensive scanning.
The article also notes that maldocs found in the wild use further obfuscation methods, such as the MIME-Version header, and that the MIME file can be reduced significantly in size. Finally, the PDF specification requires the %PDF- header at the very first position of the file, but PDF parsers are lenient and also accept a %PDF- header that appears later in the file. Stevens' YARA rule does not account for this: it expects the header at offset 0.
In conclusion, the article gives an overview of Didier Stevens' YARA rule for detecting PDF/ActiveMime polyglot maldocs through their obfuscated BASE64 "ActiveMime" string, notes that the rule can slow down scanning, and adds context on other in-the-wild obfuscation methods and on where the PDF specification and lenient PDF parsers disagree about the position of the %PDF- header.
Short Summary
Creating a YARA Rule to Detect Obfuscated Strings
- Creating a YARA rule to detect obfuscated strings in PDF/ActiveMime polyglot malicious documents.
- Rule developed by Didier Stevens, a Senior Handler and Microsoft MVP.
- Rule looks for the PDF header and the string "ActiveMime" in BASE64 with whitespace characters interspersed.
- Regular expressions with 3 fixed characters generated for more performant scanning.
- YARA warns that scanning may slow down, limiting use to ad-hoc detection.
- Maldocs in the wild use other obfuscation methods, like the MIME-Version header.
- Possible to significantly reduce the MIME file in size.
- PDF files should start with the %PDF- header, but parsers are lenient.
- Stevens' YARA rule does not account for PDF header location variations.
- Provides an overview of the YARA rule, additional obfuscation methods, and the PDF language specification.
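As an added example for the rule described in the Long Summary and in the bullets above (my own code, not Didier Stevens' rule and not taken from the diary), the following Python derives the three alignment-dependent BASE64 forms of "ActiveMime", generates YARA regexes that each begin with three literal bytes, and then applies the same regexes with Python's re module to constructed sample bytes to show why a rule that anchors %PDF- at offset 0 misses a file whose header appears later. The whitespace set, the rule name, the three-literal-byte enumeration scheme and the sample bytes are assumptions; the generated YARA text is not claimed to match Stevens' published rule.

```python
"""Added example: derive the alignment-independent BASE64 forms of "ActiveMime",
emit YARA regexes that each begin with three literal bytes, and apply the same
regexes in Python to constructed sample bytes. Not Didier Stevens' code."""
import base64
import re

TARGET = b"ActiveMime"
WS = r"[ \t\r\n]*"                     # assumption: whitespace bytes allowed between BASE64 characters
WS_CHARS = [" ", r"\t", r"\r", r"\n"]  # the same set, one literal byte at a time (regex escapes)


def _lit(ch: str) -> str:
    """Escape the two BASE64 alphabet characters that are regex metacharacters."""
    return "\\" + ch if ch in "+/" else ch


def alignment_invariant_base64(target: bytes) -> list:
    """For each of the three possible alignments of `target` within a BASE64 stream,
    return the run of BASE64 characters determined solely by `target`.
    Trick: encode once with 0x00 filler and once with 0xFF filler around the target;
    any character that borrows even one bit from the filler differs between the two."""
    runs = []
    for offset in range(3):
        pad_after = (-(offset + len(target))) % 3   # total length multiple of 3: no '=' padding
        enc = [base64.b64encode(f * offset + target + f * pad_after).decode("ascii")
               for f in (b"\x00", b"\xff")]
        fixed = [i for i, (x, y) in enumerate(zip(*enc)) if x == y]
        runs.append(enc[0][fixed[0]:fixed[-1] + 1])
    return runs


def regex_variants(fragment: str) -> list:
    """Regexes for `fragment` with optional whitespace between characters. Every variant
    starts with exactly three literal bytes so the scanner gets a fixed prefix to search.
    Known gap of this scheme (assumed trade-off): two or more whitespace bytes between
    the first two characters are not matched."""
    c0, c1, c2 = (_lit(c) for c in fragment[:3])
    tail = WS.join(_lit(c) for c in fragment[3:])
    variants = [c0 + c1 + c2 + WS + tail]                                # "QWN..."
    variants += [c0 + c1 + w + WS + c2 + WS + tail for w in WS_CHARS]    # "QW\n N..."
    variants += [c0 + w + c1 + WS + c2 + WS + tail for w in WS_CHARS]    # "Q\nW N..."
    return variants


def build_yara_rule(name: str = "pdf_b64_activemime_ws") -> str:
    """Emit a YARA rule: PDF header at offset 0 plus any obfuscated BASE64 "ActiveMime"."""
    lines = [f"rule {name}", "{", "    strings:", '        $pdf = "%PDF-"']
    n = 0
    for frag in alignment_invariant_base64(TARGET):
        for v in regex_variants(frag):
            lines.append(f"        $b64_{n} = /{v}/")
            n += 1
    lines += ["    condition:", "        $pdf at 0 and any of ($b64_*)", "}"]
    return "\n".join(lines)


_PATTERNS = [re.compile(v.encode("ascii"))
             for frag in alignment_invariant_base64(TARGET) for v in regex_variants(frag)]


def scan(data: bytes, lenient_header: bool = False, header_window: int = 1024) -> dict:
    """Apply the rule's logic with Python's re module. Strict mode (the rule as written)
    requires %PDF- at offset 0, as the PDF specification demands. Lenient mode accepts
    %PDF- anywhere in the first `header_window` bytes, which is what real PDF parsers
    tolerate and what the strict rule misses."""
    hdr = data.find(b"%PDF-", 0, header_window)
    header_ok = hdr != -1 if lenient_header else hdr == 0
    hit = None
    for pat in _PATTERNS:
        m = pat.search(data)
        if m and (hit is None or m.start() < hit[0]):
            hit = (m.start(), m.group())
    return {"match": header_ok and hit is not None, "header_offset": hdr, "b64": hit}


# Constructed samples (not real malware). The BASE64 is "ActiveMime" with whitespace inserted.
OBFUSCATED_B64 = b"QW\nN0 aXZl\tTW ltZQ==\r\n"
SAMPLE_STRICT = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                 b"MIME-Version: 1.0\nContent-Transfer-Encoding: base64\n\n" + OBFUSCATED_B64)
SAMPLE_LATE_HEADER = b"\x00" * 16 + b"junk before header\n" + SAMPLE_STRICT   # %PDF- at offset 35
SAMPLE_BENIGN = b"%PDF-1.4\n" + base64.b64encode(b"Hello, world") + b"\n"     # unrelated BASE64

if __name__ == "__main__":
    print(build_yara_rule())
    for label, blob in (("strict", SAMPLE_STRICT), ("late header", SAMPLE_LATE_HEADER),
                        ("benign", SAMPLE_BENIGN)):
        print(label, scan(blob)["match"], scan(blob, lenient_header=True)["match"])
```

`build_yara_rule()` returns 27 regex strings (3 alignments times 9 leading-byte combinations); the text can be saved to a .yar file and run with the yara command line tool. The 0x00/0xFF filler trick in `alignment_invariant_base64` is the reusable part: it works for any target string, so the same generator can be pointed at other MIME or OLE markers without hand-computing BASE64 alignments.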
source link: https://isc.sans.edu/diary/30186
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/creating-a-yara-rule-to-detect-obfuscated-strings
#YARArule #ObfuscatedStrings #PDFActiveMime #MaliciousMaldocs #PDFSpecification