plusvic
commented
6 months ago This is a VirusTotal-specific issue not directly related to YARA itself, but let me address it here anyways. That's the expected behaviour, because the Base64_Encoded_URL rule doesn't take into account if files are signed or not. The rule is designed to match files that have some base64 encoded URL, even if the file is signed.
When a file matches this rule it doesn't mean that file is malicious, it only means that the file contains a base64-encoded URL. This is an uncommon trait in non-malware files, but it may happen. The rule itself has a comment that says:
This signature fires on the presence of Base64 encoded URI prefixes (http:// and https://) across any file. The simple presence of such strings is not inherently an indicator of malicious content, but is worth further investigation.
The rule Base64_Encoded_URL does hit signed files, from time to time even executable signed files.
https://www.virustotal.com/gui/file/e03d7bb9dce12bb85d77c0d7c90a08582f7d4d8c8546144fbca168a3650de483 https://www.virustotal.com/gui/file/f3d2f47b60eb39f80987519e62ee046deb7443ed10a944ee5f79435d6ebf70b5 https://www.virustotal.com/gui/file/b6a60ba8fd2c04934364877b0ff45a5d25f9c079d2b4235c5941c4a9d1175bde https://www.virustotal.com/gui/file/d3f5bd75f3d86a48a8cc5f3b9705c0a17ccbd38529bec457af017db32682a445 https://www.virustotal.com/gui/file/213fe9ee81fdefc27c648c8874828ed33a5df5a18ca5b24851a3025bf1273f37 https://www.virustotal.com/gui/file/3ff20522c6dc25cb95468ca2f0dbbac3ba4a9046f2dd46db5283c6753ea4efb2 https://www.virustotal.com/gui/file/860641fa13c596a6e9c92f9601f63ce7ed7376bb38213c548ddecda20c3c2ff4