Yara Rule - Detects files named e.g. password.xlsx, which might contain clear text passwords, but are password protected from MS Office
Yara definition.
Author: Arnim Rupp (https://github.com/ruppde)
Internal Research
```
and math.entropy(0, 1024) >= 7.0
date = "2023-10-04"
score = 60
and uint32be(0) == 0xd0cf11e0 // xls
and uint32be(0) == 0x504b0304 // unencrypted xlsx = pkzip
date = "2023-10-04"
score = 50
and uint32be(0) == 0xd0cf11e0 // encrypted xlsx = CDFV2
```
[https://github.com/Neo23x0/signature-base/commit/1e90ec68f70b1c4df0d50ffdbf5c586177cf6849](https://github.com/Neo23x0/signature-base/commit/1e90ec68f70b1c4df0d50ffdbf5c586177cf6849)