
expl_outlook_cve_2023_23397.yar syntax error

Open celevra opened this issue 1 year ago • 3 comments

hi,

I'm new to yara rules, but here I get a syntax error:

yara expl_outlook_cve_2023_23397.yar /tmp/Test\ Meeting.msg
expl_outlook_cve_2023_23397.yar(65): warning: $u2 is slowing down scanning
expl_outlook_cve_2023_23397.yar(96): error: syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_

also, is there a way to get it compatible with clamd?

clamscan /tmp/Test\ Meeting.msg
LibClamAV Error: yyerror(): /var/lib/clamav/expl_outlook_cve_2023_23397.yar line 30 undefined identifier "uint32be"
LibClamAV Error: yyerror(): /var/lib/clamav/expl_outlook_cve_2023_23397.yar line 72 undefined identifier "uint32be"
LibClamAV Error: yyerror(): /var/lib/clamav/expl_outlook_cve_2023_23397.yar line 96 syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_
LibClamAV Warning: cli_loadyara: failed to parse or load 3 yara rules from file /var/lib/clamav/expl_outlook_cve_2023_23397.yar, successfully loaded 0 rules.
LibClamAV Warning: cli_loadyara: empty database file
/tmp/Test Meeting.msg: OK

Regards

celevra avatar Mar 19 '23 19:03 celevra
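A pre-flight check for the two failure modes visible in this report, added here as an example (it is not code from signature-base or from ClamAV): it scans a rule file for identifiers that LibClamAV's YARA loader rejects, and it parses the cli_loadyara summary line so that a load ending with 0 rules is flagged instead of being hidden behind a misleading "OK" scan result. Only uint32be is confirmed unsupported by the errors above; the other big-endian integer readers are real YARA functions, but their rejection by ClamAV is an assumption made by analogy. The rule text is a constructed sample, not the signature-base rule; the log lines are copied from the clamscan output in the issue.

```python
"""Pre-flight checks before feeding YARA rules to ClamAV (clamscan / clamd).

Added example for this issue; not code from signature-base or ClamAV.
  1. find_unsupported(): report calls to identifiers LibClamAV rejects,
     so you know in advance which rules will be dropped.
  2. clamav_load_failed(): parse LibClamAV warning lines and flag a load
     that ended with zero rules (the scan then cannot detect anything).
"""
import re

# uint32be is confirmed by the "undefined identifier" errors in the issue.
# The other big-endian readers are ASSUMED unsupported by analogy only.
CONFIRMED_UNSUPPORTED = frozenset({"uint32be"})
ASSUMED_UNSUPPORTED = frozenset({"uint8be", "uint16be", "int8be", "int16be", "int32be"})

_RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)")
_FUNC_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
_LOAD_SUMMARY = re.compile(
    r"cli_loadyara: failed to parse or load (\d+) yara rules from file (.+?), "
    r"successfully loaded (\d+) rules"
)


def find_unsupported(rule_text):
    """Return (line_no, rule_name, identifier, confirmed) for every call to an
    identifier ClamAV is known (confirmed=True) or assumed not to support."""
    hits = []
    current_rule = None
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        header = _RULE_HEADER.match(line)
        if header:
            current_rule = header.group(1)
            continue
        code = line.split("//", 1)[0]  # drop line comments before scanning
        for call in _FUNC_CALL.finditer(code):
            name = call.group(1)
            if name in CONFIRMED_UNSUPPORTED:
                hits.append((line_no, current_rule, name, True))
            elif name in ASSUMED_UNSUPPORTED:
                hits.append((line_no, current_rule, name, False))
    return hits


def rules_affected(rule_text):
    """Sorted names of rules that ClamAV will (or is assumed to) refuse to load."""
    return sorted({rule for _, rule, _, _ in find_unsupported(rule_text) if rule})


def clamav_load_failed(log_lines):
    """Parse LibClamAV summary lines; return {file: (failed, loaded)} for every
    rule file whose load finished with zero usable rules."""
    empty = {}
    for line in log_lines:
        m = _LOAD_SUMMARY.search(line)
        if m:
            failed, path, loaded = int(m.group(1)), m.group(2), int(m.group(3))
            if loaded == 0:
                empty[path] = (failed, loaded)
    return empty


# Constructed sample rule file: NOT the signature-base rule from the issue.
SAMPLE_RULES = """\
rule demo_ole_header_be {
    strings:
        $a = "demo" ascii
    condition:
        uint32be(0) == 0xD0CF11E0 and $a   // CFB/OLE magic read big-endian
}

rule demo_plain_string {
    strings:
        $b = "demo" ascii
    condition:
        $b
}
"""

# Warning lines copied from the clamscan output in the issue report.
SAMPLE_LOG = [
    "LibClamAV Warning: cli_loadyara: failed to parse or load 3 yara rules from file "
    "/var/lib/clamav/expl_outlook_cve_2023_23397.yar, successfully loaded 0 rules.",
    "LibClamAV Warning: cli_loadyara: empty database file",
    "/tmp/Test Meeting.msg: OK",
]

if __name__ == "__main__":
    for line_no, rule, ident, confirmed in find_unsupported(SAMPLE_RULES):
        status = "confirmed" if confirmed else "assumed"
        print(f"line {line_no}: rule {rule} uses {ident} ({status} unsupported by ClamAV)")
    for path, (failed, loaded) in clamav_load_failed(SAMPLE_LOG).items():
        print(f"{path}: {failed} rules failed, {loaded} loaded -> the OK verdict is meaningless")
```

Run clamav_load_failed() over clamscan or clamd log output in your signature-deployment pipeline and fail the deployment when it returns anything; the "empty database file" case above is exactly the state in which a scanner reports a sample as clean without having looked for anything.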

Updating to the newest yara removed the syntax error, but it didn't recognize my bad .msg Test Meeting.zip

celevra avatar Mar 19 '23 20:03 celevra

Are you sure that .msg triggers the exploit?

ruppde avatar Mar 19 '23 21:03 ruppde

I've created the .msg with this PoC: https://github.com/api0cradle/CVE-2023-23397-POC-Powershell

celevra avatar Mar 19 '23 21:03 celevra