Add PE overlay anomaly YARA rules

Add two YARA rules to detect suspicious overlays in PE files: Anomaly__LargeOverlay (flags overlays larger than 50% of the file, indicating possible embedded payloads) and Anomaly__OverlayPresent (flags overlays >1KB with entropy >7.0, indicating compressed/encrypted data). These heuristics help surface appended data that may contain hidden or packed content for further analysis.
2026-06-24 01:54:08 +00:00 · 2026-04-10 16:40:21 +03:00 · 2026-04-10 16:40:21 +03:00 · ef54ac77bf
commit ef54ac77bf
parent df1038c6c2
1 changed files with 24 additions and 0 deletions
--- a/yara_rules/DiE_EnhancedHeuristics_by_DosX.yar
+++ b/yara_rules/DiE_EnhancedHeuristics_by_DosX.yar
@ -351,3 +351,27 @@ rule Anomaly__SuspiciousMinimalImports {
        ($loadlib or $loadlibW) and
        $getproc
 }
+
+// ============================================================================
+//  Overlay / data appending anomalies
+// ============================================================================
+
+rule Anomaly__LargeOverlay {
+    // Overlay is data appended after the last section's raw data.
+    // A large overlay (>50% of file) often means embedded payloads.
+    condition:
+        IsPE and
+        pe.number_of_sections > 0 and
+        pe.overlay.offset > 0 and
+        pe.overlay.size > filesize / 2
+}
+
+rule Anomaly__OverlayPresent {
+    // Overlay presence alone isn't an anomaly, but it's of interest when
+    // combined with high entropy (embedded encrypted/compressed data).
+    condition:
+        IsPE and
+        pe.overlay.offset > 0 and
+        pe.overlay.size > 1024 and
+        math.entropy(pe.overlay.offset, pe.overlay.size) > 7.0
+}