From 762249343b35e68e6e4f8f9f4503de369efc64f3 Mon Sep 17 00:00:00 2001
From: Update third-party rules <41898282+github-actions[bot]@users.noreply.github.com>
Date: Tue, 18 Feb 2025 00:21:31 +0000
Subject: [PATCH] Update third-party rules as of 2025-02-18
---
 third_party/yara/bartblaze/RELEASE | 2 +-
 .../yara/bartblaze/generic/LNK_Ruleset.yar | 35 +++++++++----------
 2 files changed, 18 insertions(+), 19 deletions(-)
diff --git a/third_party/yara/bartblaze/RELEASE b/third_party/yara/bartblaze/RELEASE
index 3c6b04e42..281661570 100644
--- a/third_party/yara/bartblaze/RELEASE
+++ b/third_party/yara/bartblaze/RELEASE
@@ -1 +1 @@
-4ee13c83b6e5f468d57b3894583233018cff92c6
+a486ea2f78d996ee3d30fe9c88704cd7801e412a
diff --git a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
index bb2b1de07..92716c812 100644
--- a/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
+++ b/third_party/yara/bartblaze/generic/LNK_Ruleset.yar
@@ -103,7 +103,7 @@ rule EXE_in_LNK
 version = "1.0"
 creation_date = "2020-01-01"
 first_imported = "2021-12-30"
- last_modified = "2021-12-30"
+ last_modified = "2025-02-16"
 status = "RELEASED"
 sharing = "TLP:WHITE"
 source = "BARTBLAZE"
@@ -112,10 +112,6 @@ rule EXE_in_LNK
 category = "INFO"
 strings:
- $ = ".exe" ascii wide nocase
- $ = ".dll" ascii wide nocase
- $ = ".scr" ascii wide nocase
- $ = ".pif" ascii wide nocase
 $ = "This program" ascii wide nocase
 $ = "TVqQAA" ascii wide nocase
@@ -251,7 +247,7 @@ rule MSOffice_in_LNK
 version = "1.0"
 creation_date = "2020-01-01"
 first_imported = "2021-12-30"
- last_modified = "2021-12-30"
+ last_modified = "2025-02-16"
 status = "RELEASED"
 sharing = "TLP:WHITE"
 source = "BARTBLAZE"
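Review bot: After the @@ -112 hunk removes the four extension strings, EXE_in_LNK is left with only `"This program"` and `"TVqQAA"` (presumably the DOS-stub text and the base64 prefix of an MZ header), so the rule now matches only LNK files that carry an embedded or base64-encoded PE body and no longer fires on a shortcut whose target merely references an .exe/.dll/.scr/.pif; the rule name and its `description` metadata, both outside the hunk, should be checked so they describe that narrowed scope. The @@ -103 hunk bumps `last_modified` but nothing in the rule records what changed, so a comment in the strings section would help the next maintainer: `// PE-body indicators only; plain ".exe/.dll/.scr/.pif" target references were dropped on 2025-02-16`. `nocase` on `"TVqQAA"` also admits case variants that are not valid base64 of an MZ header; that is pre-existing, but with the rule resting on just two strings it now carries more weight. The rule body begins and ends outside this hunk.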
@@ -260,18 +256,21 @@ rule MSOffice_in_LNK
 category = "INFO"
 strings:
- $ = "winword" ascii wide nocase
- $ = "excel" ascii wide nocase
- $ = "powerpnt" ascii wide nocase
+ $ = ".docm" ascii wide nocase
+ $ = ".dotm" ascii wide nocase
+ $ = ".potm" ascii wide nocase
+ $ = ".ppsm" ascii wide nocase
+ $ = ".pptm" ascii wide nocase
 $ = ".rtf" ascii wide nocase
- $ = ".doc" ascii wide nocase
- $ = ".dot" ascii wide nocase
- $ = ".xls" ascii wide nocase
+ $ = ".sldm" ascii wide nocase
+ $ = ".slk" ascii wide nocase
+ $ = ".wll" ascii wide nocase
 $ = ".xla" ascii wide nocase
- $ = ".csv" ascii wide nocase
- $ = ".ppt" ascii wide nocase
- $ = ".pps" ascii wide nocase
- $ = ".xml" ascii wide nocase
+ $ = ".xlam" ascii wide nocase
+ $ = ".xls" ascii wide nocase
+ $ = ".xlsm" ascii wide nocase
+ $ = ".xll" ascii wide nocase
+ $ = ".xltm" ascii wide nocase
 condition:
 isLNK and any of them
@@ -356,7 +355,7 @@ rule Long_RelativePath_LNK
 version = "1.0"
 creation_date = "2020-01-01"
 first_imported = "2021-12-30"
- last_modified = "2021-12-30"
+ last_modified = "2025-02-16"
 status = "RELEASED"
 sharing = "TLP:WHITE"
 source = "BARTBLAZE"
@@ -365,7 +364,7 @@ rule Long_RelativePath_LNK
 category = "INFO"
 strings:
- $ = "..\\..\\..\\..\\" ascii wide nocase
+ $ = "..\\..\\..\\..\\..\\..\\" ascii wide nocase
 condition:
 isLNK and any of them
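Review bot: In the @@ -260 hunk the re-added `".xls"` and the retained context `".xla"` are substrings of the new `".xlsm"` and `".xlam"`, and YARA strings match as substrings under `any of them`, so the two longer entries can never match where the shorter ones did not, and `".xls"` also matches `.xlsx` and `.xlsb` — the list still catches macro-free Excel workbooks while the same hunk drops `.doc`, `.dot`, `.ppt`, `.pps`, `.csv` and `.xml`, which reads as a macro-enabled/add-in-only intent. Either remove `".xls"` so the intent holds (`".xla"` is arguably fine since .xla is itself an add-in format), or keep it and say so: `// ".xls" intentionally kept: it also covers .xlsx/.xlsb, unlike the dropped .doc/.ppt`. The rule's `description` metadata, outside the hunk, presumably still refers to the removed `winword`/`excel`/`powerpnt` application names and should be checked. The rule header is outside this hunk.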
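Review bot: The @@ -365 hunk raises Long_RelativePath_LNK's trigger from four to six consecutive `..\` segments with nothing in the rule recording why; because the string is a plain substring, the new value is strictly narrower than the old one (every six-hop path contains the old four-hop prefix), so the change trades recall for fewer hits, presumably on benign relative shortcuts — that motivation is my inference and the author should confirm it. Record the threshold so the next tuning has a baseline: `// six parent-directory hops; raised from four on 2025-02-16`. `nocase` on a string containing no letters is a no-op and could be dropped for clarity. The @@ -356 hunk only bumps `last_modified`; the rule header is outside both hunks.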