/* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */

// Flags an e-mail message (.eml) whose MIME headers carry a specific set of
// RFC 2047 base64 encoded-words: a subject fragment, a sender display name and
// a two-part .zip attachment filename.
// All four patterns are plain, case-sensitive byte strings; they match the
// encoded header text as transmitted, not the decoded Cyrillic, so a sender
// that re-encodes or re-wraps the headers will not be caught by this rule.
rule corvax_email_pdf_zip_Rakhunik_do_oplaty : mail
{
    meta:
        author = "@corvax"
        description = "Detects a possible .eml with infected .pdf file inside .zip archive"
        ref1 = "https://mta.org.ua/clamav/bases/corvax_email_pdf_zip_Rakhunik_do_oplaty.yar"

    strings:
        // Encoded-word continuation of the Subject header (leading space, no
        // "Subject:" label), so it matches wherever this encoded word appears.
        $hdr_subject = " =?UTF-8?B?0JHRg9GFLiDRg9GH0LXRgi4g0KDQsNGFLiDQtNC+INC+0L/Qu9Cw0YLRiw==?="
        // Full From header line with the encoded display name.
        $hdr_from = "From: =?UTF-8?B?0LLRltC00LTRltC7INCx0YPRhdCz0LDQu9GC0LXRgNGW0Zc=?="
        // The attachment filename parameter is split over two encoded words:
        // opening quote plus first word, then the continuation plus closing quote.
        $att_name_1 = "filename=\"=?UTF-8?B?0KDQsNGF0YPQvdC+0Lpf0LTQvl/QvtC/0LvQsNGC0LhfTUJfMjMwMDkyMDIz?="
        $att_name_2 = " =?UTF-8?B?X9CyadC0XzIwXzExXzIwMjPRgF/QkNC60YJf0LfQsmnRgNC60Lguemlw?=\""

    condition:
        // Same as `all of them`: every header fragment must be present.
        $hdr_subject and $hdr_from and $att_name_1 and $att_name_2
}