ET MALWARE Sharp Panda APT RTF Retrieval (Response)
Source: et/open
Created: June 7, 2023
Updated: June 8, 2023
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Sharp Panda APT RTF Retrieval (Response)"; flow:established,to_client; flowbits:isset,ET.sharppanda.rtf; http.stat_code; content:"200"; http.server; content:"Apache-Coyote"; startswith; file.data; content:"|7b 5c 72 74 66 31 5c 61 6e 73 69 5c 61 6e 73 69 63 70 67 31 32 35 32 5c 75 63 30 5c 73 74 73 68 66 64 62 63 68 30 5c|"; fast_pattern; reference:url,twitter.com/StopMalvertisin/status/1663461621120000010; reference:md5,ea889308acb4249af92807cc7d70f084; classtype:trojan-activity; sid:2046147; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_07, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_08; target:dest_ip;)
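The rule above matches on three sticky buffers of the HTTP response (status code, `Server` header, file data) and only fires when the flowbit `ET.sharppanda.rtf` has already been raised on the flow by a separate request-side rule that is not shown on this page. The following added example, which is not Suricata code and not part of the ET rule set, decodes the rule's `content` matches (turning the `|..|` hex block back into its RTF header text) and evaluates the checks against a constructed HTTP response. The flowbit state, the sample RTF body and the header values are constructed for the demonstration; the rule text is trimmed to its detection options.

```python
"""Decode the content matches of ET sid:2046147 and evaluate them against a
constructed HTTP response.  Added example; not Suricata's or Proofpoint's code."""

# The rule from the page, trimmed to the options that drive detection.
RULE = (
    'alert http $EXTERNAL_NET any -> $HOME_NET any ('
    'msg:"ET MALWARE Sharp Panda APT RTF Retrieval (Response)"; '
    'flow:established,to_client; flowbits:isset,ET.sharppanda.rtf; '
    'http.stat_code; content:"200"; '
    'http.server; content:"Apache-Coyote"; startswith; '
    'file.data; content:"|7b 5c 72 74 66 31 5c 61 6e 73 69 5c 61 6e 73 69 63 70 67 '
    '31 32 35 32 5c 75 63 30 5c 73 74 73 68 66 64 62 63 68 30 5c|"; fast_pattern; '
    'sid:2046147; rev:1;)'
)

# Sticky buffers the rule uses; later content keywords apply to the last one set.
STICKY_BUFFERS = {"http.stat_code", "http.server", "file.data"}


def decode_content(value):
    """Suricata content syntax: text outside |..| is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule):
    """Return (required_flowbit, [(buffer, pattern_bytes, startswith), ...])."""
    options = rule[rule.index("(") + 1 : rule.rindex(")")]
    flowbit = None
    matches = []
    buffer = None
    # Toy splitter: assumes no escaped ';' inside option values (true for this rule).
    for opt in (o.strip() for o in options.split(";") if o.strip()):
        if opt in STICKY_BUFFERS:
            buffer = opt
        elif opt.startswith("flowbits:isset,"):
            flowbit = opt.split(",", 1)[1]
        elif opt.startswith("content:"):
            raw = opt[len("content:"):].strip('"')
            matches.append([buffer, decode_content(raw), False])
        elif opt == "startswith" and matches:
            matches[-1][2] = True  # modifier anchors the previous content at offset 0
    return flowbit, [tuple(m) for m in matches]


def response_matches(status, server, body, flowbits):
    """Evaluate the rule on one response.  `flowbits` is the set of bits already
    raised on the flow; the request-side rule that sets ET.sharppanda.rtf is not on
    the page, so its effect is simulated by the caller."""
    required_bit, matches = parse_rule(RULE)
    if required_bit not in flowbits:
        return False
    buffers = {
        "http.stat_code": status.encode(),
        "http.server": server.encode(),
        "file.data": body,
    }
    for buf, pattern, startswith in matches:
        data = buffers[buf]
        if startswith:
            if not data.startswith(pattern):
                return False
        elif pattern not in data:
            return False
    return True


# Constructed sample: an RTF body carrying the exact header the rule keys on.
SAMPLE_BODY = b"{\\rtf1\\ansi\\ansicpg1252\\uc0\\stshfdbch0\\stshfloch0{\\fonttbl}}"


def demo():
    """Show the decoded RTF header and the rule's verdict on the sample response."""
    _, matches = parse_rule(RULE)
    header = [p for b, p, _ in matches if b == "file.data"][0]
    verdict = response_matches("200", "Apache-Coyote/1.1", SAMPLE_BODY, {"ET.sharppanda.rtf"})
    return header.decode("latin-1"), verdict


if __name__ == "__main__":
    print(demo())
```

The decoded file-data pattern is the 39-byte RTF header `{\rtf1\ansi\ansicpg1252\uc0\stshfdbch0\`; note that it carries no `startswith` modifier, so it is a substring match on the file body, whereas the `Apache-Coyote` check is anchored to the start of the `Server` header. Triage of a hit should confirm the flowbit was set by the matching request rule, since a 200 response from a Tomcat-fronted server delivering any document with that header combination satisfies the response side alone.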
References
| Type | Value |
|---|---|
| url | twitter.com/StopMalvertisin/status/1663461621120000010 |
| md5 | ea889308acb4249af92807cc7d70f084 |
Metadata
attack target: Client_Endpoint
created at: 2023_06_07
deployment: Perimeter
performance impact: Low
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_06_08