1
1
VIRUSNAME_PREFIX("SUBMIT.NotPDF")
2
2
VIRUSNAMES("InActive", "Submit")
4
/* Target type is 13, internal JSON properties */
4
/* Target type is 0, all relevant files */
7
/* Declares to run bytecode only for preclassification (affecting only preclass files) */
7
10
/* JSON API call will require FUNC_LEVEL_098_5 = 78 */
8
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_5)
11
DECLARE_SIGNATURE(sig1)
12
DECLARE_SIGNATURE(sig2)
16
/* search @offset 0 : '{ "Magic": "CLAMJSON' */
17
/* this can be readjusted for specific filetypes */
18
DEFINE_SIGNATURE(sig1, "0:7b20224d61676963223a2022434c414d4a534f4e")
19
/* search '"RootFileType": "CL_TYPE_PDF"' */
20
DEFINE_SIGNATURE(sig2, "22526f6f7446696c6554797065223a2022434c5f545950455f50444622")
23
bool logical_trigger(void)
25
return matches(Signatures.sig1) && !matches(Signatures.sig2);
11
/* PRECLASS_HOOK_DECLARE will require FUNC_LEVEL_098_7 = 80 */
12
FUNCTIONALITY_LEVEL_MIN(FUNC_LEVEL_098_7)
28
14
#define STR_MAXLEN 256
18
int32_t type, obj, strlen;
21
/* check is json is available, alerts on inactive (optional) */
22
if (!json_is_active()) {
26
/* acquire array of internal contained objects */
27
obj = json_get_object("FileType", 8, 0);
28
if (obj <= 0) return -1;
30
/* acquire and check type */
31
type = json_get_type(obj);
32
if (type == JSON_TYPE_STRING) {
33
/* acquire string length, note +1 is for the NULL terminator */
34
strlen = json_get_string_length(obj)+1;
35
/* prevent buffer overflow */
36
if (strlen > STR_MAXLEN)
38
/* acquire string data, note strlen includes NULL terminator */
39
if (json_get_string(str, strlen, obj)) {
40
/* debug print str (with '\n' and prepended message */
41
debug_print_str(str,strlen);
43
/* check the contained object's type */
44
if (!(strlen == 12) || !memcmp(str, "CL_TYPE_PDF", 12)) {