alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Obfuscated LordEK Landing M1"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"<html>|0d 0a|<head>|0d 0a|<|2f|head>|0d 0a|<body>|0d 0a 20 20 20 20|<script>|0d 0a|var|20|"; depth:60; fast_pattern; pcre:"/^(?P<vars>[a-z0-9]{1,20})\s*=\s*new\s*Array\x3b\r\n(?:(?P=vars)\[\d{1,3}\]\s*=\s*\d{4,12}\x3b\r\n){5,40}/Ri"; content:"String.fromCharCode|28|"; nocase; content:"document.write|28|"; nocase; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:exploit-kit; sid:2027787; rev:3; metadata:created_at 2019_08_02, deployment Perimeter, malware_family LordEK, performance_impact Low, confidence High, signature_severity Major, tag Exploit_Kit, updated_at 2020_08_31, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)