YARA rules for CVE-2021-40444
2 rules · scoped to cve · back to CVE-2021-40444
YARA rules whose family, name, or description matches this cve or its tooling. Use these for binary-pattern hunts.
rule EXPL_CVE_2021_40444_Document_Rels_XML {
meta:
description = "Detects indicators found in weaponized documents that exploit CVE-2021-40444"
author = "Jeremy Brown / @alteredbytes"
reference = "https://twitter.com/AlteredBytes/status/1435811407249952772"
date = "2021-09-10"
id = "812bb68e-71ea-5a9a-8d39-ab99fdaa6c58"
strings:
$b1 = "/relationships/oleObject" ascii
$b2 = "/relationships/attachedTemplate" ascii
$c1 = "Target=\"mhtml:http" nocase
$c2 = "!x-usc:http" nocase
$c3 = "TargetMode=\"External\"" nocase
condition:
uint32(0) == 0x6D783F3C
and filesize < 10KB
and 1 of ($b*)
and all of ($c*)
}
rule EXPL_MAL_MalDoc_OBFUSCT_MHTML_Sep21_1 {
meta:
description = "Detects suspicious office reference files including an obfuscated MHTML reference exploiting CVE-2021-40444"
author = "Florian Roth (Nextron Systems)"
reference = "https://twitter.com/decalage2/status/1438946225190014984?s=20"
date = "2021-09-18"
score = 90
hash = "84674acffba5101c8ac518019a9afe2a78a675ef3525a44dceddeed8a0092c69"
id = "781cfd61-d5ac-58e5-868f-dbd2a2df3500"
strings:
$h1 = "<?xml " ascii wide
$s1 = "109;html:html" ascii wide
condition:
filesize < 25KB and all of them
}