authorVsevolod Stakhov <vsevolod@highsecure.ru>2019-11-27 14:37:28 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2019-11-27 14:37:28 +0000
commitdcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892 (patch)
treeba2bcf462d3661c898194f0b916df4beb6337823 /lualib/lua_content
parent7f5617f2257fbe763a21d451fdc5e679f14836a0 (diff)
[Minor] Lua_content: Add some more PDF stuff
Diffstat (limited to 'lualib/lua_content')
-rw-r--r--lualib/lua_content/pdf.lua16
1 files changed, 14 insertions, 2 deletions
diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua
index 588117fc7..a531396db 100644
--- a/lualib/lua_content/pdf.lua
+++ b/lualib/lua_content/pdf.lua
@@ -32,14 +32,21 @@ local pdf_patterns = {
},
javascript = {
patterns = {
- [[\s|>/JS]],
- [[\s|>/JavaScript]],
+ [[/JS(?:[\s/><])]],
+ [[/JavaScript(?:[\s/><])]],
+ }
+ },
+ openaction = {
+ patterns = {
+ [[/OpenAction(?:[\s/><])]],
+ [[/AA(?:[\s/><])]],
}
},
suspicious = {
patterns = {
[[netsh\s]],
[[echo\s]],
+ [[/[A-Za-z]*#\d\d]], -- Hex encode obfuscation
}
}
}
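Review bot: The hex-escape pattern added to `suspicious` accepts only decimal digits (`#\d\d`), but a PDF name escape is `#` followed by two hexadecimal digits, so an escaped name whose codes contain A–F is not flagged. Consider `[[/[A-Za-z]*#[0-9A-Fa-f]{2}]], -- Hex encode obfuscation`, checked against a corpus of clean PDFs for false positives before it feeds a score. Separately, the trailing class `[\s/><]` on the `/JS`, `/JavaScript`, `/OpenAction` and `/AA` patterns leaves out other PDF delimiters such as `(` and `[`. A key followed directly by a string or array with no whitespace would therefore not match, and widening the class to `[\s/><(\[]` would cover that case.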
@@ -145,6 +152,11 @@ processors.javascript = function(_, task, _, output)
output.javascript = true
end
+processors.openaction = function(_, task, _, output)
+ lua_util.debugm(N, task, "pdf: found openaction tag")
+ output.openaction = true
+end
+
processors.suspicious = function(_, task, _, output)
lua_util.debugm(N, task, "pdf: found a suspicious pattern")
output.suspicious = true
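Review bot: `processors.openaction` raises a single flag for both `/OpenAction` and `/AA`, and nothing in the new code records that these keys also occur in benign documents, so a consumer of `output.openaction` may over-weight it. A comment above the function would help, for example `-- /OpenAction and /AA are common in benign PDFs; treat output.openaction as a weak signal, strongest when output.javascript is also set`. How `output` is scored is not visible in this hunk, so this is a documentation suggestion only.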