Update generic_pdf.yar (#3995)

Author: keaton-sublime

yara/generic_pdf.yar

@@ -64,3 +64,17 @@ rule view_document_pdf_characteristics
         and @image_h == @image_w + 12
 
 }
+
+rule pdf_suspicious_image_001
+{
+    meta:
+        author = "kyle eaton"
+        description = "PDF contains a suspicious 'confidential' notice image observed in phishing campaigns."
+    strings:
+        $header = {25 50 44 46 2d 31 2e}
+        $jpg_confidential_notice = {ffc00011080052026f03012200021101031101ffc4001f0000010501010101010100000000000000000102030405060708090a0bffc400b5100002010303020403050504040000017d01020300041105122131410613516107227114328191a1082342b1c11552d1f02433627282090a161718191a25262728292a3435363738393a434445464748494a535455565758595a636465666768696a737475767778797a838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae1e2e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8f9faffc4001f0100030101010101010101010000000000000102030405060708090a0bffc400b51100020102040403040705040400010277000102031104052131061241510761711322328108144291a1b1c109233352f0156272d10a162434e125f11718191a262728292a35363738393a434445464748494a535455565758595a636465666768696a737475767778797a82838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8f9faffda000c03010002110311003f00eef59bdbdb148e5b78e078de58e2c48c4105dc2e78edc8aad2eb8f63a8cb6f7e836476f1cacd023305dcce0927d30abfad69dfd9a5f42913b32849639415f5460c07e62abdee9115e3de33c8ebf6a81606c6380a58e4}
+        $jpg_pinkish_lure = {ffc00011080182039a03012200021101031101ffc4001f0000010501010101010100000000000000000102030405060708090a0bffc400b5100002010303020403050504040000017d01020300041105122131410613516107227114328191a1082342b1c11552d1f02433627282090a161718191a25262728292a3435363738393a434445464748494a535455565758595a636465666768696a737475767778797a838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae1e2e3e4e5e6e7e8e9eaf1f2f3f4f5f6f7f8f9faffc4001f0100030101010101010101010000000000000102030405060708090a0bffc400b51100020102040403040705040400010277000102031104052131061241510761711322328108144291a1b1c109233352f0156272d10a162434e125f11718191a262728292a35363738393a434445464748494a535455565758595a636465666768696a737475767778797a82838485868788898a92939495969798999aa2a3a4a5a6a7a8a9aab2b3b4b5b6b7b8b9bac2c3c4c5c6c7c8c9cad2d3d4d5d6d7d8d9dae2e3e4e5e6e7e8e9eaf2f3f4f5f6f7f8f9faffda000c03010002110311003f00e7e8 [ 344 ] 7a00326b7347f0d4f7b17daef241696639323f048f6abb2ebfa668ea60d0ed11e41c1b990673f4a2e62eaebcb057653b2f096a7708249c25a45fde98e0fe5564e95e19b0e2f7557b871d5211c7e95857da9df6a0}
+    condition:
+        $header at 0
+        and any of ($jpg*)
+}