Skip to content

[yara] cleanup split QR and add more #4382

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
keaton-sublime merged 3 commits into from
Apr 23, 2026
+217 −133
Merged

[yara] cleanup split QR and add more #4382

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9ed1d47
remove split QR code yara rules from generic_pdf
zoomequipd Apr 22, 2026
d2eaf55
Create pdf_split_qr.yar
zoomequipd Apr 22, 2026
9dda024
add 410,450,490 qr code sizes
zoomequipd Apr 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
133 changes: 0 additions & 133 deletions yara/generic_pdf.yar
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,139 +156,6 @@ rule SAI_Global_ISO9001_Logo_PDF_Fuzzy
)
}

rule Phishing_PDF_Split_QR_Code_Pair_330
{
meta:
author = "brandon murphy"
date = "2026-04-09"
updated = "2026-04-10"
description = "PDF containing two 165x330 JPEG images — a vertically split QR code pair"

strings:
$header = {25 50 44 46 2d 31 2e}

// --- PDF object layer ---
// Image XObject definitions for the QR halves.
// Both objects declare the same dimensions + JPEG filter.
$w = "/Width 165"
$h = "/Height 330"
$jpeg_filter = "/Filter /DCTDecode"
$xobj_image = "/Subtype /Image"

// --- JPEG layer ---
// SOF0 (baseline) marker encoding exactly 165x330:
// ff c0 = SOF0 marker
// 00 11 = segment length (17 bytes)
// 08 = 8-bit precision
// 01 4a = height 330
// 00 a5 = width 165
// 03 = 3 components (YCbCr)
$sof0 = {ff c0 00 11 08 01 4a 00 a5 03}

condition:
$header at 0 and

// Both are JPEG XObject images
$jpeg_filter and
$xobj_image and

// Exactly two QR-half image objects in the PDF
#sof0 == 2 and
#w == 2 and
#h == 2 and

// The two JPEG SOF0 markers appear within 100KB of each other
@sof0[2] - @sof0[1] < 102400
}

rule Phishing_PDF_Split_QR_Code_Pair_290
{
meta:
author = "brandon murphy"
date = "2026-04-10"
description = "PDF containing two 145x290 JPEG images — a vertically split QR code pair"

strings:
$header = {25 50 44 46 2d 31 2e}

// --- PDF object layer ---
// Image XObject definitions for the QR halves.
// Both objects declare the same dimensions + JPEG filter.
$w = "/Width 145"
$h = "/Height 290"
$jpeg_filter = "/Filter /DCTDecode"
$xobj_image = "/Subtype /Image"

// --- JPEG layer ---
// SOF0 (baseline) marker encoding exactly 145x290:
// ff c0 = SOF0 marker
// 00 11 = segment length (17 bytes)
// 08 = 8-bit precision
// 01 22 = height 290
// 00 91 = width 145
// 03 = 3 components (YCbCr)
$sof0 = {ff c0 00 11 08 01 22 00 91 03}

condition:
$header at 0 and

// Both are JPEG XObject images
$jpeg_filter and
$xobj_image and

// Exactly two QR-half image objects in the PDF
#sof0 == 2 and
#w == 2 and
#h == 2 and

// The two JPEG SOF0 markers appear within 100KB of each other
@sof0[2] - @sof0[1] < 102400
}

rule Phishing_PDF_Split_QR_Code_Pair_370
{
meta:
author = "brandon murphy"
date = "2026-04-10"
description = "PDF containing two 185x370 JPEG images — a vertically split QR code pair"

strings:
$header = {25 50 44 46 2d 31 2e}

// --- PDF object layer ---
// Image XObject definitions for the QR halves.
// Both objects declare the same dimensions + JPEG filter.
$w = "/Width 185"
$h = "/Height 370"
$jpeg_filter = "/Filter /DCTDecode"
$xobj_image = "/Subtype /Image"

// --- JPEG layer ---
// SOF0 (baseline) marker encoding exactly 185x370:
// ff c0 = SOF0 marker
// 00 11 = segment length (17 bytes)
// 08 = 8-bit precision
// 01 72 = height 370
// 00 b9 = width 185
// 03 = 3 components (YCbCr)
$sof0 = {ff c0 00 11 08 01 72 00 b9 03}

condition:
$header at 0 and

// Both are JPEG XObject images
$jpeg_filter and
$xobj_image and

// Exactly two QR-half image objects in the PDF
#sof0 == 2 and
#w == 2 and
#h == 2 and

// The two JPEG SOF0 markers appear within 100KB of each other
@sof0[2] - @sof0[1] < 102400
}

rule pdf_jsfck_ratio {
meta:
author = "kyle eaton"
Expand Down
Loading
Loading