rule evil_pdf_rule
{
    meta:
        author      = "Coleman Kane"
        revision    = 12
        description = "Detect evil.pdf sample from Week2 lecture"

    strings:
        // Dialog text observed in the sample; matched case-insensitively.
        $a = "\"Do not show this message again\"" nocase

        // Batch-style "if exist ... template.pdf" check. YARA's `.` does not
        // cross a newline, so the whole phrase must sit on one line of the
        // scanned file for this to fire.
        $r = /if exist.*template\.pdf/

        // Raw bytes of the ASCII text: please tick the "Do not
        // Kept in hex form so the match stays byte-exact and case-sensitive.
        $b = { 70 6c 65 61 73 65 20 74 69 63 6b 20 74 68 65 20 22 44 6f 20 6e 6f 74 }

        // Fragments of an embedded command line. Each is short and carries no
        // `fullword`, so on its own it is common in ordinary text and .bat/.cmd
        // content; the condition only counts them in combination.
        $pt1 = "start "  nocase
        $pt2 = "cd "     nocase
        $pt3 = "exist "  nocase
        $pt4 = "cmd.exe" nocase

    condition:
        // Any single high-confidence artifact, or two of the generic command
        // fragments. NOTE(review): "cd " plus "exist " will also appear in many
        // benign batch scripts, so a $pt*-only hit is low confidence — confirm
        // against $a/$b/$r before treating it as the lecture sample.
        any of ($a, $b, $r) or 2 of ($pt*)
}