diff options
author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2019-11-27 14:37:28 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2019-11-27 14:37:28 +0000 |
commit | dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892 (patch) | |
tree | ba2bcf462d3661c898194f0b916df4beb6337823 /lualib/lua_content | |
parent | 7f5617f2257fbe763a21d451fdc5e679f14836a0 (diff) | |
download | rspamd-dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892.tar.gz rspamd-dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892.zip |
[Minor] Lua_content: Add some more PDF stuff
Diffstat (limited to 'lualib/lua_content')
-rw-r--r-- | lualib/lua_content/pdf.lua | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua index 588117fc7..a531396db 100644 --- a/lualib/lua_content/pdf.lua +++ b/lualib/lua_content/pdf.lua @@ -32,14 +32,21 @@ local pdf_patterns = { }, javascript = { patterns = { - [[\s|>/JS]], - [[\s|>/JavaScript]], + [[/JS(?:[\s/><])]], + [[/JavaScript(?:[\s/><])]], + } + }, + openaction = { + patterns = { + [[/OpenAction(?:[\s/><])]], + [[/AA(?:[\s/><])]], } }, suspicious = { patterns = { [[netsh\s]], [[echo\s]], + [[/[A-Za-z]*#\d\d]], -- Hex encode obfuscation } } } @@ -145,6 +152,11 @@ processors.javascript = function(_, task, _, output) output.javascript = true end +processors.openaction = function(_, task, _, output) + lua_util.debugm(N, task, "pdf: found openaction tag") + output.openaction = true +end + processors.suspicious = function(_, task, _, output) lua_util.debugm(N, task, "pdf: found a suspicious pattern") output.suspicious = true |