VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

PE signatures and other details incorrectly parsed #2054

Closed kulinacs closed 3 months ago

kulinacs commented 3 months ago

Describe the bug

Yara is not correctly parsing PE metadata for MSHTA.EXE (e616c5ce71886652c13e2e1fa45a653b44d492b054f16b15a38418b8507f57c7), including not correctly identifying VersionInfo data and signatures.

To Reproduce

Run the following Yara rules against e616c5ce71886652c13e2e1fa45a653b44d492b054f16b15a38418b8507f57c7.

import "pe"

// Matches a PE whose VersionInfo resource reports the expected original file name.
rule mshta_version_info
{
    condition:
        pe.is_pe
        and pe.version_info["OriginalFileName"] == "MSHTA.EXE"
}

// Matches a PE for which the pe module parsed at least one Authenticode signature.
rule has_signature
{
    condition:
        pe.is_pe
        and pe.number_of_signatures > 0
}

Expected behavior

The rules to match

Screenshots

N/A

Please complete the following information:

(issue is also present in the version of Yara used by VirusTotal)

Additional context

N/A

kulinacs commented 3 months ago

Closing - the file isn't signed
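An added example, not part of this issue or of the YARA project: before concluding that the pe module mis-parsed a signature, it helps to check independently whether the file carries an Authenticode certificate table at all. The script below reads the PE data directory entry that YARA's `pe.number_of_signatures` is derived from (IMAGE_DIRECTORY_ENTRY_SECURITY, index 4) and reports whether a WIN_CERTIFICATE of type PKCS#7 is present. It is a structural check only; it does not parse the PKCS#7 blob as YARA does. The sample PE images it builds are constructed in-line and contain no real signature, and the helper names are this example's own.

```python
import struct

# Data directory slot of the Certificate Table (IMAGE_DIRECTORY_ENTRY_SECURITY).
SECURITY_DIR = 4
# wCertificateType value for a PKCS#7 SignedData blob (WIN_CERT_TYPE_PKCS_SIGNED_DATA).
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if absent or malformed.

    Unlike other data directories, the security entry holds a raw file offset, not an RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    if opt + 2 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                                  # PE32+
        num_dirs_off, dirs_off = 108, 112
    else:
        return None
    if num_dirs_off + 4 > size_of_optional:
        return None
    num_dirs = struct.unpack_from("<I", data, opt + num_dirs_off)[0]
    if num_dirs <= SECURITY_DIR:
        return None
    entry = opt + dirs_off + SECURITY_DIR * 8
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return None
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def has_authenticode(data: bytes) -> bool:
    """True if the file points at a WIN_CERTIFICATE of type PKCS#7 that fits in the file."""
    entry = security_directory(data)
    if entry is None:
        return False
    offset, size = entry
    if offset + 8 > len(data) or offset + size > len(data):
        return False
    # WIN_CERTIFICATE: dwLength (4), wRevision (2), wCertificateType (2), bCertificate[...]
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return 8 <= length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed PE32+ image with no sections; the 'signature' is a dummy blob, not real."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after DOS header
    opt_size = 112 + 16 * 8                               # PE32+ fixed part + 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                  # NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    cert = b""
    if signed:
        blob = b"CONSTRUCTED-NOT-A-REAL-PKCS7"
        length = 8 + len(blob)
        padded = (length + 7) & ~7                        # WIN_CERTIFICATE entries are 8-byte aligned
        cert = struct.pack("<IHH", length, 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (padded - length)
        struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, headers_len, padded)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    for label, image in (("unsigned", build_minimal_pe(False)), ("signed", build_minimal_pe(True))):
        print(label, security_directory(image), has_authenticode(image))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `has_authenticode`; a `None` from `security_directory` means there is no certificate table, which is the case the reporter hit, and `pe.number_of_signatures` staying at 0 is then correct behaviour rather than a parsing bug.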