Yara Rules (ASCII ONLY) file for jsunpackn
Blake Hartstein
Last updated 09/18/2009
see "rules" for options that jsunpack supports
This is a special version of the rules file that strips off all non-[a-z] characters
rule PDFHiddenExploit: decodedPDF strip
{ // Basically a copy of PDFexploit, except:
// 1) we strip all characters we don't want
// 2) cannot use fullword
// 3) don't want duplicates if PDFexploit might already catch it
impact = 8
$cve20082992 = "utilprintf" nocase
$cve20091493 = "spellcustomDictionaryOpen" nocase
$cve20075659 = "collabcollectEmailInfo" nocase
$cve20090927 = "collabgetIcon" nocase
1 of them