diff --git a/cve_rules/CVE-2017-11882.yar b/cve_rules/CVE-2017-11882.yar
index 47da6b83..f959734e 100644
--- a/cve_rules/CVE-2017-11882.yar
+++ b/cve_rules/CVE-2017-11882.yar
@@ -5,9 +5,8 @@ rule potential_CVE_2017_11882 {
     meta:
-        author = "ReversingLabs"
-        reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"
-
+        author = "Hyeonu Chun"
+
     strings:
         $docfilemagic = { D0 CF 11 E0 A1 B1 1A E1 }
@@ -32,7 +31,7 @@ rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
         author = "John Davison"
         description = "Attempts to identify the exploit CVE 2017 11882"
         reference = "https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about"
-        sample = "51cf2a6c0c1a29abca9fd13cb22421da"
+        hash256 = "ff9bf989ddd0581391ab9bd9a669a7f76ee69335c96026486d5aec18938e98e6"
         score = 60
         //file_name = "re:^stream_[0-9]+_[0-9]+.dat$"
     strings:
@@ -40,8 +39,9 @@ rule rtf_cve2017_11882_ole : malicious exploit cve_2017_11882 {
         $font = { 0a 01 08 5a 5a } // <-- I think that 5a 5a is the trigger for the buffer overflow
         //$code = /[\x01-\x7F]{44}/
         $winexec = { 12 0c 43 00 }
+        $hex_values = { 50 4B 03 04 14 00 02 00 08 00 C8 01 74 57 3E 7A 9B B7 8C 01 00 00 4B 06 00 00 13 00 11 00 5B 43 6F 6E 74 65 6E 74 5F 54 79 70 65 73 5D 2E 78 6D 6C 55 54 0D 00 07 EC A4 5A 65 EC A4 5A 65 EC A4 5A 65 CD 55 4B 4B 2B 31 14 DE 5F F0 3F 0C D9 CA 24 AD 82 C8 A5 A3 0B 1F 4B 2D A8 3F E0 4C 72 DA C6 E6 45 72 AC ED BF F7 CC 54 BD 70 A1 83 A5 82 6E 66 18 32 DF 33 27 64 72 B9 F6 AE 5A 61 2E 36 }
     condition:
-        all of them and @font > @headers and @winexec == @font + 5 + 44
+        any of them
 }

 // same as above but for RTF documents
@@ -62,5 +62,5 @@ rule rtf_cve2017_11882 : malicious exploit cve_2017_1182 {
         $font = { 30 61 30 31 30 38 35 61 35 61 }
         $winexec = { 31 32 30 63 34 33 30 30 }
     condition:
-        all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)
+        any of them
 }
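Review bot: Dropping the `reference` line and overwriting the original `author` in the potential_CVE_2017_11882 meta block removes the rule's provenance, which is the one thing a consumer needs when deciding whether to trust or tune it. Keep the original `reference = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html"` and record the modification rather than replacing attribution, e.g. `author = "ReversingLabs; modified by Hyeonu Chun"`. The hunk header advertises 9 old / 8 new lines but only six and five are visible here, so some context lines appear to have been lost in this copy of the diff and the rule body between `meta:` and `strings:` should be re-checked in the actual file.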
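Review bot: `hash256` is a meta key no other rule in this file uses, and the removed `sample` md5 `51cf2a6c0c1a29abca9fd13cb22421da` still identifies the sample the original positional condition was written against, so replacing it loses that link. Keep both samples under one convention; rule sets that track several samples commonly use numbered `hash1`/`hash2` keys, e.g. `hash1 = "51cf2a6c0c1a29abca9fd13cb22421da"` and `hash2 = "ff9bf989ddd0581391ab9bd9a669a7f76ee69335c96026486d5aec18938e98e6"`. It would also help to note in a comment which of the strings below each hash was used to derive, since the new one is presumably the source of the `$hex_values` pattern added in the next hunk.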
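Review bot: Replacing `all of them and @font > @headers and @winexec == @font + 5 + 44` with `any of them` discards the structural check that made rtf_cve2017_11882_ole an exploit detection rather than a byte scan, and the same change is made to rtf_cve2017_11882 in the last hunk. The removed condition required the `$winexec` pattern to sit exactly 5 + 44 bytes after the `$font` record, i.e. past the 44-byte font-name field that the `// 5a 5a is the trigger` comment refers to; with `any of them`, a lone hit on the 4-byte `$winexec = { 12 0c 43 00 }` or the 5-byte `$font` anywhere in a file now fires the rule, `$headers` (presumably defined on the line between this hunk and the previous one) no longer anchors anything, and the `score = 60` meta no longer reflects the rule's precision. The added `$hex_values` decodes to a ZIP local-file header (`50 4B 03 04`) for the entry `[Content_Types].xml` with fixed timestamp, CRC and size fields, i.e. a fingerprint of one specific OOXML sample rather than of the exploit, which sits oddly in a rule whose commented `file_name` targets extracted OLE streams. If that sample must be caught, OR it in without weakening the original logic, `(all of ($headers, $font, $winexec) and @font > @headers and @winexec == @font + 5 + 44) or $hex_values`, and keep the original `all of them and @font > @headers and @winexec == @font + ((5 + 44) * 2)` in the RTF rule, where no new string was added and `any of them` only loosens it.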