I was just looking at Yara rules for RTF and OLE objects and stumbled across this post by Nextron Systems detailing a simple but effective method for detecting potentially malicious RTF documents. In my last post I generated some Yara rules matching a specific, singular sample of malware. Such singular rules don't scale, of course. The Yara rule by Nextron does, and I think it's a good example to keep in mind while working on detection engineering. At risk of stating the obvious, it can be much more efficient to cast a broad net. Here, the rule requires the RTF signature plus any one of several markers as they would appear hex-encoded inside an object stream: the "This program cannot be run in DOS mode" string, KERNEL32.dll, a spoofed path, or one of the DOS magic headers:
rule MAL_RTF_Embedded_OLE_PE {
    meta:
        description = "Detects a suspicious string often used in PE files in a hex encoded object stream"
        author = "Florian Roth"
        reference = "https://github.com/rxwx/CVE-2018-0802/blob/master/packager_exec_CVE-2018-0802.py"
        date = "2018-01-22"
    strings:
        /* Hex encoded strings */
        /* This program cannot be run in DOS mode */
        $a1 = "546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f6465" ascii
        /* KERNEL32.dll */
        $a2 = "4b45524e454c33322e646c6c" ascii
        /* C:\fakepath\ */
        $a3 = "433a5c66616b65706174685c" ascii
        /* DOS Magic Header */
        $m3 = "4d5a40000100000006000000ffff"
        $m2 = "4d5a50000200000004000f00ffff"
        $m1 = "4d5a90000300000004000000ffff"
    condition:
        uint32be(0) == 0x7B5C7274 /* RTF */
        and 1 of them
}
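To make the rule's logic concrete, here is an added Python example (mine, not Nextron's or Florian Roth's code) that reproduces the same check without a Yara engine: it derives the hex markers from their plaintext so you can see what each string encodes, decodes the three "DOS magic" strings into IMAGE_DOS_HEADER fields, and mirrors the `uint32be(0) == 0x7B5C7274 and 1 of them` condition over two constructed RTF samples. The sample documents and the function names are my own assumptions; only the marker strings come from the rule above.

```python
import binascii

# Plaintext forms of the rule's $a1..$a3 markers; the rule stores them hex-encoded
# because that is how they appear inside an RTF \objdata stream.
PLAINTEXT_MARKERS = {
    "a1": b"This program cannot be run in DOS mode",
    "a2": b"KERNEL32.dll",
    "a3": b"C:\\fakepath\\",
}

# The rule's $m1..$m3: the first 14 bytes of an MZ header, in three common variants.
MZ_HEADER_HEX = {
    "m1": "4d5a90000300000004000000ffff",
    "m2": "4d5a50000200000004000f00ffff",
    "m3": "4d5a40000100000006000000ffff",
}


def hex_markers() -> dict:
    """All six markers as lowercase hex text, exactly as the rule searches for them."""
    markers = {name: binascii.hexlify(raw).decode("ascii")
               for name, raw in PLAINTEXT_MARKERS.items()}
    markers.update(MZ_HEADER_HEX)
    return markers


def is_rtf(data: bytes) -> bool:
    """Mirror of `uint32be(0) == 0x7B5C7274`: the file must start with the bytes '{\\rt'."""
    return len(data) >= 4 and int.from_bytes(data[:4], "big") == 0x7B5C7274


def scan(data: bytes) -> list:
    """Names of the markers present, or [] when the RTF magic check fails.

    The rule fires on `1 of them`, i.e. any single marker is enough.
    """
    if not is_rtf(data):
        return []
    return sorted(name for name, hx in hex_markers().items()
                  if hx.encode("ascii") in data)


def rule_matches(data: bytes) -> bool:
    return bool(scan(data))


def decode_mz_header(hex_header: str) -> dict:
    """Decode one of the $m strings into the leading IMAGE_DOS_HEADER fields (little-endian WORDs)."""
    raw = binascii.unhexlify(hex_header)
    fields = ("e_magic", "e_cblp", "e_cp", "e_crlc",
              "e_cparhdr", "e_minalloc", "e_maxalloc")
    values = [int.from_bytes(raw[i:i + 2], "little") for i in range(0, 14, 2)]
    return dict(zip(fields, values))


# Constructed sample: an ordinary RTF with no embedded object.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} \\f0 Quarterly report\\par }"

# Constructed sample: an RTF whose \objdata stream carries a hex-encoded PE header and DOS stub text.
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi {\\object\\objemb {\\*\\objdata "
    + MZ_HEADER_HEX["m1"].encode("ascii")
    + b"0000b8000000"
    + binascii.hexlify(PLAINTEXT_MARKERS["a1"])
    + b"}}}"
)

if __name__ == "__main__":
    for name, hx in hex_markers().items():
        print(f"${name} = {hx}")
    for name, hx in MZ_HEADER_HEX.items():
        print(f"${name} decodes to {decode_mz_header(hx)}")
    print("benign sample matches:", rule_matches(BENIGN_RTF))
    print("suspicious sample markers:", scan(SUSPICIOUS_RTF))
```

Running the script prints the six hex strings, which can be compared character by character with the rule; the decoded headers show that all three `$m` variants share `e_magic == 0x5A4D` ("MZ") and `e_maxalloc == 0xFFFF` and differ only in the bytes-on-last-page and page-count fields. The benign sample fails `1 of them`, while the suspicious sample satisfies the condition twice over, through `$m1` and `$a1`.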