Add support for github.com/InQuest/yara-rules-vt (#250)

* Import Inquest VT rules * Rename inquest to InQuest-VT
chainguard-dev · Jun 6, 2024 · 9e2f2ac · 9e2f2ac
1 parent 1c18c49
commit 9e2f2ac
Show file tree

Hide file tree

Showing 45 changed files with 1,072 additions and 0 deletions.
diff --git a/pkg/compile/compile.go b/pkg/compile/compile.go
@@ -41,6 +41,8 @@ var badRules = map[string]bool{
 	"vsftpd_greyware_tool_keyword":               true,
 	"blackcat_ransomware_offensive_tool_keyword": true,
 	"mythic_offensive_tool_keyword":              true,
+	// YARA VT
+	"Windows_API_Function": true,
 }
 
 // rulesWithWarnings determines what to do with rules that have known warnings: true=keep, false=disable.
@@ -50,6 +52,9 @@ var rulesWithWarnings = map[string]bool{
 	"hardcoded_ip_port":                     true,
 	"systemd_no_comments_or_documentation":  true,
 	"sleep_and_background":                  true,
+	"Microsoft_Excel_with_Macrosheet":       true,
+	"PDF_with_Embedded_RTF_OLE_Newlines":    true,
+	"Powershell_Case":                       true,
 	"RDPassSpray_offensive_tool_keyword":    false,
 	"nmap_offensive_tool_keyword":           false,
 	"DynastyPersist_offensive_tool_keyword": false,

diff --git a/pkg/report/report.go b/pkg/report/report.go
@@ -145,6 +145,11 @@ func behaviorRisk(ns string, rule string, tags []string) int {
 	// default to critical
 	if thirdParty(ns) {
 		risk = 4
+
+		// third party rules that are a bit looser
+		if strings.Contains(ns, "InQuest-VT") {
+			risk = 3
+		}
 	}
 
 	if strings.Contains(ns, "keyword") || strings.Contains(rule, "keyword") {

diff --git a/samples/Linux/2023.FreeDownloadManager/freedownloadmanager.sdiff b/samples/Linux/2023.FreeDownloadManager/freedownloadmanager.sdiff
@@ -1,4 +1,5 @@
 *** changed: Linux/2023.FreeDownloadManager/freedownloadmanager_infected_postinst
++3P/InQuest-VT/base64/url
 +3P/threat_hunting/touch
 +data/embedded/base64/terms
 +data/embedded/base64/url

diff --git a/third_party/yara/InQuest-VT/Adobe_Type_1_Font.yar b/third_party/yara/InQuest-VT/Adobe_Type_1_Font.yar
@@ -0,0 +1,20 @@
+rule Adobe_Type_1_Font
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature detects an Adobe Type 1 Font. The Type 1 Font Format is a standardized font format for digital imaging applications."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "https://www.iso.org/standard/54796.html"
+        labs_reference = "N/A"
+        labs_pivot     = "N/A"
+        samples        = "64f2c43f3d01eae65125024797d5a40d2fdc9c825c7043f928814b85cd8201a2"
+
+	strings:
+	        $pdf = "%PDF-"
+	        $magic_classic = "%!FontType1-1."
+            $magic_next_generation1 = /obj\s*<<[^>]*\/Type\s*\/Font[^>]*\/Subtype\s*\/Type1/
+            $magic_next_generation2 = /obj\s*<<[^>]*\/Subtype\s*\/Type1[^>]*\/Type\s*\/Font/
+	condition:
+			$magic_classic in (0..1024) or ($pdf in (0..1024) and any of ($magic_next_generation*))
+}
diff --git a/third_party/yara/InQuest-VT/Adobe_XMP_Identifier.yar b/third_party/yara/InQuest-VT/Adobe_XMP_Identifier.yar
@@ -0,0 +1,18 @@
+rule Adobe_XMP_Identifier
+{
+    meta:
+        author         = "InQuest Labs"
+		description    = "This signature identifies Adobe Extensible Metadata Platform (XMP) identifiers embedded within files. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance. Generally, XMP data is stored in XML format, updated on save/copy, and embedded within the graphical asset. These identifiers can be used to track both malicious and benign graphics within common Microsoft and Adobe document lures."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "http://wwwimages.adobe.com/content/dam/acom/en/products/xmp/Pdfs/XMPAssetRelationships.pdf"
+        labs_reference = "https://labs.inquest.net/dfi/sha256/1030710f6f18950f01b1a55d50a5169717e48567aa13a0a769f5451423280b4d"
+        labs_pivot     = "https://labs.inquest.net/dfi/search/ioc/xmpid/xmp.did%3AEDC9411A6A5F11E2838BB9184F90E845##eyJyZXN1bHRzIjpbIn4iLCJmaXJzdFNlZW4iLDEsIiIsW11dfQ=="
+        samples        = "1030710f6f18950f01b1a55d50a5169717e48567aa13a0a769f5451423280b4d"
+
+	strings:
+    $xmp_md5  = /xmp\.[dio]id[-: _][a-f0-9]{32}/  nocase ascii wide
+    $xmp_guid = /xmp\.[dio]id[-: _][a-f0-9]{36}/ nocase ascii wide
+	condition:
+			any of them
+}
diff --git a/third_party/yara/InQuest-VT/Apt29_DLL_May2022.yar b/third_party/yara/InQuest-VT/Apt29_DLL_May2022.yar
@@ -0,0 +1,28 @@
+import "pe"
+
+rule apt29_dll_may2022 :  SVR G0016 apt29 NOBELIUM UNC2452 Russia
+{
+	meta:
+        author           = "InQuest Labs"
+        description      = "This signature detects .DLL files associated with recent APT29 (Russia, NOBELIUM) activity"
+        created_date     = "2022-05-09"
+        updated_date     = "2022-05-09"
+        sample1          = "6fc54151607a82d5f4fae661ef0b7b0767d325f5935ed6139f8932bc27309202"
+        sample2          = "6618a8b55181b1309dc897d57f9c7264e0c07398615a46c2d901dd1aa6b9a6d6"
+        sample3          = "6618a8b55181b1309dc897d57f9c7264e0c07398615a46c2d901dd1aa6b9a6d6"
+        imphash          = "b4a3f218dbd33872d0fd88a2ff95be76"
+        sample_reference = "https://www.joesandbox.com/analysis/621068/0/html"
+        mitre_group      = "https://attack.mitre.org/groups/G0016/"
+	strings:
+            $a1 = ".mp3" ascii wide nocase
+            $a2 = "blank.pdf" ascii wide nocase
+            $a3 = "Rock" ascii wide nocase
+            $a4 = "vcruntime140.dll" ascii wide nocase
+
+            $b1 = "RcvAddQueuedResolution" ascii wide nocase
+            $b2 = "RcvResolution" ascii wide nocase
+            $b3 = "AdobeAcroSup" ascii wide nocase
+            $b4 = "AcroSup" ascii wide nocase
+	condition:
+		uint16(0) == 0x5a4d and ((filesize < 800KB) and all of ($a*) and any of ($b*))
+}
diff --git a/third_party/yara/InQuest-VT/Base64_Encoded_Powershell_Directives.yar b/third_party/yara/InQuest-VT/Base64_Encoded_Powershell_Directives.yar
@@ -0,0 +1,69 @@
+rule Base64_Encoded_Powershell_Directives
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature detects base64 encoded Powershell directives."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "https://inquest.net/blog/2019/07/19/base64-encoded-powershell-pivots"
+        labs_reference = "https://labs.inquest.net/dfi/sha256/3b8235b67c4b67ea782b49388c5166786fb9d7a5b5096150b1c10e53f1d01738"
+        labs_pivot     = "https://labs.inquest.net/dfi/search/alert/Base64%20Encoded%20Powershell%20Directives"
+        samples        = "https://github.com/InQuest/malware-samples/tree/master/2019-07-Base64-Encoded-Powershell-Directives"
+
+    strings:
+        // NOTE: these regular expressions were generated via https://labs.inquest.net/tools/yara/b64-regexp-generator
+
+        // Copy-Item
+        $enc01 = /(Q\x32\x39weS\x31JdGVt[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Db\x33B\x35LUl\x30ZW[\x30-\x33]|[\x2b\x2f-\x39A-Za-z][\x30EUk]NvcHktSXRlb[Q-Za-f])/
+
+        // ForEach-Object
+        $enc02 = /(Rm\x39yRWFjaC\x31PYmplY\x33[Q-T]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Gb\x33JFYWNoLU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x30EUk]ZvckVhY\x32gtT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z])/
+
+        // Get-ChildItem
+        $enc03 = /(R\x32V\x30LUNoaWxkSXRlb[Q-Za-f]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]HZXQtQ\x32hpbGRJdGVt[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]dldC\x31DaGlsZEl\x30ZW[\x30-\x33])/
+
+        // Get-ItemPropertyValue
+        $enc04 = /(R\x32V\x30LUl\x30ZW\x31Qcm\x39wZXJ\x30eVZhbHVl[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]HZXQtSXRlbVByb\x33BlcnR\x35VmFsdW[U-X]|[\x2b\x2f-\x39A-Za-z][\x30EUk]dldC\x31JdGVtUHJvcGVydHlWYWx\x31Z[Q-Za-f])/
+
+        // Get-Random
+        $enc05 = /(R\x32V\x30LVJhbmRvb[Q-Za-f]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]HZXQtUmFuZG\x39t[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]dldC\x31SYW\x35kb\x32[\x30-\x33])/
+
+        // Join-Path
+        $enc06 = /(Sm\x39pbi\x31QYXRo[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Kb\x32luLVBhdG[g-j]|[\x2b\x2f-\x39A-Za-z][\x30EUk]pvaW\x34tUGF\x30a[A-P])/
+
+        // Move-Item
+        $enc07 = /(TW\x39\x32ZS\x31JdGVt[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Nb\x33ZlLUl\x30ZW[\x30-\x33]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x31vdmUtSXRlb[Q-Za-f])/
+
+        // New-Item
+        $enc08 = /(TmV\x33LUl\x30ZW[\x30-\x33]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctSXRlb[Q-Za-f]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31JdGVt[\x2b\x2f-\x39A-Za-z])/
+
+        // New-Object
+        $enc09 = /(TmV\x33LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]OZXctT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x35ldy\x31PYmplY\x33[Q-T])/
+
+        // Out-String
+        $enc10 = /(T\x33V\x30LVN\x30cmluZ[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]PdXQtU\x33RyaW\x35n[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30EUk]\x39\x31dC\x31TdHJpbm[c-f])/
+
+        // Remove-Item
+        $enc11 = /(UmVtb\x33ZlLUl\x30ZW[\x30-\x33]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]SZW\x31vdmUtSXRlb[Q-Za-f]|[\x2b\x2f-\x39A-Za-z][\x31FVl]JlbW\x39\x32ZS\x31JdGVt[\x2b\x2f-\x39A-Za-z])/
+
+        // Select-Object
+        $enc12 = /(U\x32VsZWN\x30LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]TZWxlY\x33QtT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x31FVl]NlbGVjdC\x31PYmplY\x33[Q-T])/
+
+        // Sort-Object
+        $enc13 = /(U\x32\x39ydC\x31PYmplY\x33[Q-T]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Tb\x33J\x30LU\x39iamVjd[A-P]|[\x2b\x2f-\x39A-Za-z][\x31FVl]NvcnQtT\x32JqZWN\x30[\x2b\x2f-\x39A-Za-z])/
+
+        // Split-Path
+        $enc14 = /(U\x33BsaXQtUGF\x30a[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]TcGxpdC\x31QYXRo[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x31FVl]NwbGl\x30LVBhdG[g-j])/
+
+        // Test-Path
+        $enc15 = /(VGVzdC\x31QYXRo[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]UZXN\x30LVBhdG[g-j]|[\x2b\x2f-\x39A-Za-z][\x31FVl]Rlc\x33QtUGF\x30a[A-P])/
+
+        // Write-Host
+        $enc16 = /(V\x33JpdGUtSG\x39zd[A-P]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]Xcml\x30ZS\x31Ib\x33N\x30[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x31FVl]dyaXRlLUhvc\x33[Q-T])/
+
+        // [Convert]::FromBase64String
+        $enc17 = /([\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx][\x30\x32Dlu-vy][O]jpGcm\x39tQmFzZTY\x30U\x33RyaW\x35n[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x30\x32-\x33EG-HUW-Xkm-n][\x34\x38IMQUY]\x36OkZyb\x32\x31CYXNlNjRTdHJpbm[c-f]|[QZb-d][DTjz]o\x36RnJvbUJhc\x32U\x32NFN\x30cmluZ[\x2b\x2f-\x39w-z])/
+
+    condition:
+            any of ($enc*)
+}
diff --git a/third_party/yara/InQuest-VT/Base64_Encoded_URL.yar b/third_party/yara/InQuest-VT/Base64_Encoded_URL.yar
@@ -0,0 +1,20 @@
+rule Base64_Encoded_URL
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "InQuest Labs R&D"
+        labs_reference = "https://labs.inquest.net/dfi/sha256/114366bb4ef0f3414fb1309038bc645a7ab2ba006ef7dc2abffc541fcc0bb687"
+        labs_pivot     = "https://labs.inquest.net/dfi/search/alert/Base64%20Encoded%20URL"
+        samples        = "114366bb4ef0f3414fb1309038bc645a7ab2ba006ef7dc2abffc541fcc0bb687"
+
+	strings:
+			$httpn  = /(aHR\x30cDovL[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]odHRwOi\x38v[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x32GWm]h\x30dHA\x36Ly[\x2b\x2f\x38-\x39])/
+	$httpw  = /(aAB\x30AHQAcAA\x36AC\x38AL[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]oAHQAdABwADoALwAv[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x32GWm]gAdAB\x30AHAAOgAvAC[\x2b\x2f\x38-\x39])/
+	$httpsn = /(aHR\x30cHM\x36Ly[\x2b\x2f\x38-\x39]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]odHRwczovL[\x2b\x2f-\x39w-z]|[\x2b\x2f-\x39A-Za-z][\x32GWm]h\x30dHBzOi\x38v[\x2b\x2f-\x39A-Za-z])/
+    $httpsw = /(aAB\x30AHQAcABzADoALwAv[\x2b\x2f-\x39A-Za-z]|[\x2b\x2f-\x39A-Za-z][\x2b\x2f-\x39A-Za-z][\x31\x35\x39BFJNRVZdhlptx]oAHQAdABwAHMAOgAvAC[\x2b\x2f\x38-\x39]|[\x2b\x2f-\x39A-Za-z][\x32GWm]gAdAB\x30AHAAcwA\x36AC\x38AL[\x2b\x2f-\x39w-z])/
+	condition:
+			any of them and not (uint16be(0x0) == 0x4d5a)
+}
diff --git a/third_party/yara/InQuest-VT/CVE_2014_1761.yar b/third_party/yara/InQuest-VT/CVE_2014_1761.yar
@@ -0,0 +1,22 @@
+rule CVE_2014_1761
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature detects a specially crafted RTF file that is designed to trigger a memory corruption vulnerability in the RTF parsing code that would allow an attacker to execute arbitrary code. The successful exploitation of this vulnerability gains the same user rights as the current user."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "http://technet.microsoft.com/en-us/security/advisory/2953095"
+        labs_reference = "N/A"
+        labs_pivot     = "https://labs.inquest.net/dfi/sha256/db0037a9753c364022af4bb7d578996b78ccc3c28b01c6632ccd95a69d49d67c"
+        samples        = "db0037a9753c364022af4bb7d578996b78ccc3c28b01c6632ccd95a69d49d67c"
+
+	strings:
+			
+		$magic = { 7B 5C 72 74 }
+		$author = { 5C 61 75 74 68 6F 72 20 69 73 6D 61 69 6C 20 2D 20 5B 32 30 31 30 5D } /* \author ismail - [2010] */
+		$operator = { 5C 6F 70 65 72 61 74 6F 72 20 69 73 6D 61 69 6C 20 2D 20 5B 32 30 31 30 5D } /* \operator ismail - [2010] */
+	condition:
+			
+		$magic at 0 and $author or $operator in (0..1024)
+
+}
diff --git a/third_party/yara/InQuest-VT/Controlword_Whitespace_RTF.yar b/third_party/yara/InQuest-VT/Controlword_Whitespace_RTF.yar
@@ -0,0 +1,22 @@
+rule Controlword_Whitespace_RTF
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This rule detects multiple instances of whitespace characters in the OBJDATA control word in an RTF document."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "InQuest Internal Research"
+        labs_reference = "N/A"
+        labs_pivot     = "N/A"
+        samples        = "c4754d2d7e02c50de6e0551d6b0567ec3c48d6ae45d9e62ad62d544f66cf131c"
+
+    strings:
+		$rtf_magic = "{\\rt"  // note that {\rtf1 is not required
+
+		$re1 = /\x7b[^\x7d]*\\objdata[ \t\r\n]+[a-f0-9\x2e\x2d\r\n\x5c]{0,100}[ \t\r\n]{9,}[a-f0-9\x2e\x2d\r\n\x5c]{0,100}[ \t\r\n]{6,}[a-f0-9\x2e\x2d\r\n\x5c]{0,100}[ \t\r\n]{6}/ nocase wide ascii
+		//$re1 is looking within \objdata controll word for at least two instances of whitespace characters (9 or more and 6 or more) in between the contents
+	condition:
+			
+		$rtf_magic in (0..30) and all of ($re*)
+
+}
diff --git a/third_party/yara/InQuest-VT/EPPlus_OOXML_Document.yar b/third_party/yara/InQuest-VT/EPPlus_OOXML_Document.yar
@@ -0,0 +1,24 @@
+rule EPPlus_OOXML_Document
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature detects Documents created with EPPlus software that has been observed being abused by threat actors to deliver malicious payloads.  These documents are being built without using the Microsoft Office suite of tools and have active VBA code within the document, which makes them interesting.  These files are not malicious by nature but rather another tool abused for nefarious purposes."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/"
+        labs_reference = "https://labs.inquest.net/dfi/sha256/f4bd263fa5a0ab82ea20fe6789f2e514a4644dc24fcc4c22af05266d0574c675"
+        labs_pivot     = "N/A"
+        samples        = "f4bd263fa5a0ab82ea20fe6789f2e514a4644dc24fcc4c22af05266d0574c675"
+
+	strings:
+		$opc = "[Content_Types].xml"
+        $ooxml = "xl/workbook.xml"
+        $vba = "xl/vbaProject.bin"
+        $meta1 = "docProps/core.xml"
+        $meta2 = "docProps/app.xml"
+        $timestamp = {50 4B 03 04 ?? ?? ?? ?? ?? ?? 00 00 21 00}
+	condition:
+		uint32be(0) == 0x504B0304
+        and ($opc and $ooxml and $vba)
+        and not (any of ($meta*) and $timestamp)
+}
diff --git a/third_party/yara/InQuest-VT/Encrypted_Office_Document.yar b/third_party/yara/InQuest-VT/Encrypted_Office_Document.yar
@@ -0,0 +1,19 @@
+rule Encrypted_Office_Document
+{
+    meta:
+        author         = "InQuest Labs"
+		description    = "This signature detects an office document that has been encrypted or password protected. Attackers use the password feature to encrypt files, making it difficult for security products to detect them as malware."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "https://www.symantec.com/connect/blogs/malicious-password-protected-documents-used-targeted-attacks"
+        labs_reference = "https://labs.inquest.net/dfi/sha256/8a89a5c5dc79d4f8b8dd5007746ae36a3b005d84123b6bbc7c38637f43705023"
+        labs_pivot     = "N/A"
+        samples        = "8a89a5c5dc79d4f8b8dd5007746ae36a3b005d84123b6bbc7c38637f43705023"
+
+	strings:
+	    $a = {04 00 00 00 00 00 00 00 01 68 00 00 04 80 00 00 (80|28) 00 00 00 01 00 00 00 ?? ?? ?? ?? 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 }
+        $b = "EncryptedPackage" wide
+        $magic = { D0 CF 11 E0 A1 B1 1A E1 00 00 00 }
+	condition:
+	    $a or ($magic in (0..1024) and $b)
+}
diff --git a/third_party/yara/InQuest-VT/Hex_Encoded_Link_in_RTF.yar b/third_party/yara/InQuest-VT/Hex_Encoded_Link_in_RTF.yar
@@ -0,0 +1,22 @@
+rule Hex_Encoded_Link_in_RTF
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature detects Office documents with a link to download an executable which has been encoded in ASCII hexadecimal form. Malware authors have used this technique to obfuscate malicious payloads."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF/6703"
+        labs_reference = "N/A"
+        labs_pivot     = "N/A"
+        samples        = "N/A"
+
+	strings:
+			
+        $m = {7b 5c 72 74 66 31} // RTF
+        $a1 = "687474703a2f2f"
+        $a2 = "2e657865"
+	condition:
+			
+        $m and all of ($a*)
+
+}
diff --git a/third_party/yara/InQuest-VT/JS_PDF_Data_Submission.yar b/third_party/yara/InQuest-VT/JS_PDF_Data_Submission.yar
@@ -0,0 +1,24 @@
+rule JS_PDF_Data_Submission
+{
+    meta:
+        author         = "InQuest Labs"
+        description    = "This signature detects pdf files with http data submission forms. Severity will be 0 unless paired with Single Page PDF rule."
+        created_date   = "2022-03-15"
+        updated_date   = "2022-03-15"
+        blog_reference = "InQuest Labs Empirical Observations"
+        labs_reference = "N/A"
+        labs_pivot     = "N/A"
+        samples        = "a0adbe66e11bdeaf880b81b41cd63964084084a413069389364c98da0c4d2a13"
+
+	strings:
+			
+        $pdf_header = "%PDF-"
+        $js = /(\/JS|\/JavaScript)/ nocase
+        $a1 = /app\s*\.\s*doc\s*\.\s*submitForm\s*\(\s*['"]http/ nocase
+        $inq_tail = "INQUEST-PP=pdfparser"
+	condition:		
+        ($pdf_header in (0..1024) or $inq_tail in (filesize-30..filesize))
+            and
+        $js and $a1
+
+}
diff --git a/third_party/yara/InQuest-VT/LICENSE b/third_party/yara/InQuest-VT/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 InQuest
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.