alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JS/Nemucod.M.gen requesting PDF payload 2015-10-07"; flow:to_server,established; flowbits:set,ET.nemucod.pdfrequest; http.method; content:"GET"; http.uri; content:".php?"; nocase; content:"key="; nocase; distance:0; fast_pattern; content:"pdf="; nocase; distance:0; pcre:"/\/get(?:_new)?\.php\?[a-zA-Z]{4,}=0\.[0-9]{10,}&key=[a-zA-Z0-9]{4,}&pdf=[a-zA-Z]{4,}$/"; http.header_names; content:!"Referer|0d 0a|"; nocase; reference:url,www.certego.net/en/news/italian-spam-campaigns-using-js-nemucod-downloader/; reference:md5,0bc86ab7ead67e264531ccb16c3c529a; classtype:trojan-activity; sid:2021953; rev:4; metadata:created_at 2015_10_15, malware_family JS_Nemucod_M_gen, performance_impact Significant, signature_severity Major, updated_at 2024_04_29;)