From: Vsevolod Stakhov <vsevolod@highsecure.ru>
Date: Wed, 27 Nov 2019 14:37:28 +0000 (+0000)
Subject: [Minor] Lua_content: Add some more PDF stuff
X-Git-Tag: 2.3~288
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=dcb3a9cfac9d0c9f1024c2ee90cd12ed1583e892;p=thirdparty%2Frspamd.git

[Minor] Lua_content: Add some more PDF stuff
---

diff --git a/lualib/lua_content/pdf.lua b/lualib/lua_content/pdf.lua
index 588117fc72..a531396dbd 100644
--- a/lualib/lua_content/pdf.lua
+++ b/lualib/lua_content/pdf.lua
@@ -32,14 +32,21 @@ local pdf_patterns = {
   },
   javascript = {
     patterns = {
-      [[\s|>/JS]],
-      [[\s|>/JavaScript]],
+      [[/JS(?:[\s/><])]],
+      [[/JavaScript(?:[\s/><])]],
+    }
+  },
+  openaction = {
+    patterns = {
+      [[/OpenAction(?:[\s/><])]],
+      [[/AA(?:[\s/><])]],
     }
   },
   suspicious = {
     patterns = {
       [[netsh\s]],
       [[echo\s]],
+      [[/[A-Za-z]*#\d\d]], -- Hex encode obfuscation
     }
   }
 }
@@ -145,6 +152,11 @@ processors.javascript = function(_, task, _, output)
   output.javascript = true
 end
 
+processors.openaction = function(_, task, _, output)
+  lua_util.debugm(N, task, "pdf: found openaction tag")
+  output.openaction = true
+end
+
 processors.suspicious = function(_, task, _, output)
   lua_util.debugm(N, task, "pdf: found a suspicious pattern")
   output.suspicious = true