From 625af71c900833120e6c14ca0a6e384af4a92210 Mon Sep 17 00:00:00 2001
From: mmorenog
Date: Thu, 30 Apr 2015 13:02:30 +0200
Subject: [PATCH] Update malicious_document.yar

Add a rule
---
 malicious_document.yar | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/malicious_document.yar b/malicious_document.yar
index 92a443d5..d7f0023c 100644
--- a/malicious_document.yar
+++ b/malicious_document.yar
@@ -155,3 +155,18 @@ rule maldoc_suspicious_strings
     condition:
         any of them
 }
+
+rule mwi_document : exploitdoc
+{
+    meta:
+        description = "MWI generated document"
+        author = "@Ydklijnsma"
+        source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
+    strings:
+        $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
+        $mwistat_url = "image.php?id="
+        $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
+
+    condition:
+        all of them
+}
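Review bot: The three strings in `mwi_document` are fixed ASCII literals, but RTF tolerates arbitrary whitespace and line breaks between control words and braces, so any re-formatting of the generated field by the builder would slip past `$field_creation_tag` and `$field_closing_tag`; expressing them as hex strings with wildcards, or as regexes allowing optional whitespace between tokens, would make the detection more resilient. The rule also has no file-type anchor, so `$mwistat_url`, a very generic fragment, is evaluated against every scanned file; if MWI output is always RTF (the field syntax suggests so, but confirm against samples) adding `uint32be(0) == 0x7B5C7274 and` in front of `all of them` would restrict it to files starting with `{\rt`. A `date` entry next to `description`/`author`/`source` in `meta:` would help track when the indicators were last validated.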