commit dcb3a9c: [Minor] Lua_content: Add some more PDF stuff
Vsevolod Stakhov
vsevolod at highsecure.ru
Wed Nov 27 14:49:06 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-11-27 14:37:28 +0000
URL: https://github.com/rspamd/rspamd/commit/dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892 (HEAD -> master)
[Minor] Lua_content: Add some more PDF stuff
---
lualib/lua_content/pdf.lua | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua
index 588117fc7..a531396db 100644
--- a/lualib/lua_content/pdf.lua
+++ b/lualib/lua_content/pdf.lua
@@ -32,14 +32,21 @@ local pdf_patterns = {
},
javascript = {
patterns = {
- [[\s|>/JS]],
- [[\s|>/JavaScript]],
+ [[/JS(?:[\s/><])]],
+ [[/JavaScript(?:[\s/><])]],
+ }
+ },
+ openaction = {
+ patterns = {
+ [[/OpenAction(?:[\s/><])]],
+ [[/AA(?:[\s/><])]],
}
},
suspicious = {
patterns = {
[[netsh\s]],
[[echo\s]],
+ [[/[A-Za-z]*#\d\d]], -- Hex encode obfuscation
}
}
}
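Review bot: The added pattern `[[/[A-Za-z]*#\d\d]]`, commented as hex-encode obfuscation, only matches escapes whose two digits are both decimal, so a name escape such as `#4A` or `#6a` goes unflagged. PDF name escapes are `#` followed by two hex digits, so `[[/[A-Za-z]*#[0-9A-Fa-f]{2}]], -- Hex encode obfuscation` would match what the comment describes. Separately, the trailing class `[\s/><]` on `/JS`, `/JavaScript`, `/OpenAction` and `/AA` omits `(` and `[`, which are also PDF delimiters. A key followed directly by a literal string or an array (`/JS(`, `/OpenAction[`) would therefore presumably not match, and `(?:[\s/><(\[])` would cover those cases. The `pdf_patterns` table starts before this hunk, so the regex flags these patterns are compiled with are not visible here and should be confirmed.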
@@ -145,6 +152,11 @@ processors.javascript = function(_, task, _, output)
output.javascript = true
end
+processors.openaction = function(_, task, _, output)
+ lua_util.debugm(N, task, "pdf: found openaction tag")
+ output.openaction = true
+end
+
processors.suspicious = function(_, task, _, output)
lua_util.debugm(N, task, "pdf: found a suspicious pattern")
output.suspicious = true
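Review bot: `processors.openaction` sets a single `output.openaction` flag for both `/OpenAction` and `/AA`, and nothing in the hunk documents how consumers should weigh it. Both keys are common in benign PDFs (for example, to set the initial view), so the flag is a weak signal unless combined with `output.javascript`. A comment above the function would make that explicit, e.g. `-- /OpenAction and /AA also occur in benign PDFs; meaningful mainly together with output.javascript`. If downstream rules need to tell the two keys apart, the debug message could name the one that matched. `processors.suspicious` continues past the end of the hunk.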