Pdf string detection with yara rule not working

Asked Jul 17 '22 at 20:04

Active Jul 17 '22 at 20:04

Viewed 267 times

Hi everyone I have a pdf file word1.pdf which include hello_1234 and some other text. I want to detect all pdf file having string hello-1234. But the yara rule doesn't detect pdf with hello wird but it works for txt file.

My yara rule is

Rule example1{
Strings:
    $Str1 = {25 50 44 46} // for pdf 
detection 
    $str2 = "hello-1234" // string in pdf 
    //$str2 = /hello-\d{4}/ // regex for string detection 

Condition:
    $str1 and $str2

}

Cmd command 

Yara64 filename.yara C:/directory of pdf files.

Output 
Dose not gives any output

asked Jul 17 '22 at 20:04

Abdur Rashid

So as you mentioned the string in first paragraph yes that true in hex editor it shows the same. But I Don't know what exact encoding scheme used in pdf. Next I want to convert " hello-1234 " String to that encoding scheme for detection . The second approach to decode pdf string and then use simple string match . – Abdur Rashid Jul 18 '22 at 15:23
Which decoding scheme you used for the above – Abdur Rashid Jul 18 '22 at 17:43

Pdf string detection with yara rule not working

0 Answers0