alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MWI Maldoc Load Payload"; flow:established,to_server; http.uri; content:"&act="; fast_pattern; pcre:"/\/(?:im(?:age|g)|pict)\.(?:jpg|php)\?id=\d+&act=[12]$/"; http.host; content:!".money-media.com"; endswith; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; reference:url,www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2022007; rev:4; metadata:created_at 2015_10_28, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_05;)