target / strelka

Real-time, container-based file scanning at enterprise scale

[BUG] 7za.exe matches cab_file flavor #371

Open ryanohoro opened 1 year ago

ryanohoro commented 1 year ago

Describe the bug

When analyzing 7za.exe with Strelka, the cab_file flavor is applied, leading to it being processed by ScanLibarchive erroneously.

c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf 7za.exe

```json
{
  "depth": 0,
  "flavors": {
    "mime": [
      "application/x-dosexec"
    ],
    "yara": [
      "mz_file",
      "cab_file"
    ]
  },
  "name": "7za.exe",
  "scanners": [
    "ScanEntropy",
    "ScanFooter",
    "ScanHash",
    "ScanHeader",
    "ScanLibarchive",
    "ScanPe",
    "ScanTlsh",
    "ScanYara"
  ],
  "size": 587776,
  "tree": {
    "node": "3f188c3c-3bb9-4457-9ce3-298554b31cd4",
    "root": "3f188c3c-3bb9-4457-9ce3-298554b31cd4"
  }
}
```

Because cab_file checks for an MSCF magic both at offset 0 and anywhere in a PE file, Windows-based compression utilities are likely to match. I expect that the second condition is an attempt to match self-extracting archives. ScanLibarchive can extract some self-extracting CAB files.

```yara
rule cab_file {
    meta:
        type = "archive"
    strings:
        // CFHEADER signature "MSCF" followed by the 4-byte reserved1 field (always zero)
        $a = { 4D 53 43 46 00 00 00 00 }
    condition:
        // plain cabinet: signature at offset 0
        $a at 0 or
        // MZ executable containing the signature anywhere (presumably for self-extractors)
        ( uint16(0) == 0x5A4D and $a )
}
```

Environment details

Steps to reproduce

  1. Download a copy of 7za.exe
  2. Upload to Strelka UI
  3. Observe cab_file and ScanLibarchive in the output event.

Expected behavior

Sample file should match only mz_file/application/x-dosexec flavors.

Screenshots

Release

Additional context
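
To make the analysis above concrete, here is an added example (not Strelka's code, and not a fix the project adopted) that re-implements the posted rule's two conditions in plain Python, runs them over constructed samples, and compares them with a stricter variant that only accepts the MSCF magic where a plausible CFHEADER follows it. The samples, the `taste_cab_file*` function names and the `STRICT_RULE_YARA` condition are all constructed for this illustration; no yara-python is needed.

```python
"""Emulate the cab_file taste on constructed input and compare it with a
variant that validates the CFHEADER behind the magic.

Added example, not Strelka's code. taste_cab_file() mirrors the posted rule;
taste_cab_file_strict() mirrors the proposed YARA condition in STRICT_RULE_YARA.
"""
import struct

MSCF_MAGIC = b"MSCF\x00\x00\x00\x00"   # $a: CFHEADER signature + reserved1
MZ_MAGIC = b"MZ"                        # uint16(0) == 0x5A4D

# CFHEADER layout (MS-CAB): signature, reserved1, cbCabinet, reserved2, coffFiles,
# reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER_FMT = "<4sIIIIIBBHHHHH"
CFHEADER_LEN = struct.calcsize(CFHEADER_FMT)   # 36 bytes

# Proposed (hypothetical) YARA equivalent of taste_cab_file_strict(); not the project's rule.
STRICT_RULE_YARA = r"""
rule cab_file_strict {
    strings:
        $a = { 4D 53 43 46 00 00 00 00 }
    condition:
        ($a at 0 or uint16(0) == 0x5A4D) and
        for any i in (1..#a) : (
            uint32(@a[i] + 12) == 0 and uint32(@a[i] + 20) == 0 and   // reserved2, reserved3
            uint8(@a[i] + 24) == 3 and uint8(@a[i] + 25) == 1 and     // version 1.3
            uint16(@a[i] + 26) >= 1 and uint16(@a[i] + 28) >= 1 and   // cFolders, cFiles
            uint32(@a[i] + 16) >= 36 and                              // coffFiles past header
            uint32(@a[i] + 16) < uint32(@a[i] + 8) and                // ... and inside cbCabinet
            uint32(@a[i] + 8) <= filesize - @a[i]                     // cabinet fits in file
        )
}
"""


def taste_cab_file(data: bytes) -> bool:
    """The rule as posted: magic at offset 0, or any MZ file containing it anywhere."""
    return data.startswith(MSCF_MAGIC) or (data.startswith(MZ_MAGIC) and MSCF_MAGIC in data)


def cfheader_is_plausible(data: bytes, off: int) -> bool:
    """True if a sane CFHEADER starts at `off`: reserved fields zero, version 1.3,
    at least one folder and one file, and offsets/sizes that fit the remaining data."""
    if off + CFHEADER_LEN > len(data):
        return False
    (sig, res1, cb_cabinet, res2, coff_files, res3, ver_minor, ver_major,
     c_folders, c_files, _flags, _set_id, _i_cabinet) = struct.unpack_from(CFHEADER_FMT, data, off)
    return (sig == b"MSCF" and res1 == 0 and res2 == 0 and res3 == 0
            and ver_major == 1 and ver_minor == 3
            and c_folders >= 1 and c_files >= 1
            and CFHEADER_LEN <= coff_files < cb_cabinet <= len(data) - off)


def taste_cab_file_strict(data: bytes) -> bool:
    """Same entry conditions as the posted rule, but the magic only counts
    where a plausible CFHEADER follows it (an embedded "MSCF" string does not)."""
    if not (data.startswith(MSCF_MAGIC) or data.startswith(MZ_MAGIC)):
        return False
    off = data.find(MSCF_MAGIC)
    while off != -1:
        if cfheader_is_plausible(data, off):
            return True
        off = data.find(MSCF_MAGIC, off + 1)
    return False


def build_cab(cb_cabinet: int = 64) -> bytes:
    """Constructed minimal cabinet: a valid CFHEADER padded to cbCabinet bytes
    (no real CFFOLDER/CFFILE records, just enough to exercise the header checks)."""
    header = struct.pack(CFHEADER_FMT, b"MSCF", 0, cb_cabinet, 0, CFHEADER_LEN + 8, 0,
                         3, 1, 1, 1, 0, 0, 0)
    return header + bytes(cb_cabinet - len(header))


MZ_STUB = MZ_MAGIC + bytes(126)   # constructed: only needs to satisfy uint16(0) == 0x5A4D

# Constructed samples: a cabinet, a self-extractor with a cabinet appended,
# a PE that merely carries "MSCF" as a string constant (the 7za.exe pattern), a plain PE.
SAMPLES = {
    "cab": build_cab(),
    "pe_sfx_cab": MZ_STUB + build_cab(),
    "pe_with_mscf_string": MZ_STUB + MSCF_MAGIC
                           + b"Cannot open the file as archive\x00Unsupported method\x00",
    "pe_plain": MZ_STUB + b"no cabinet here\x00",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample name: (posted rule matches, strict rule matches)}."""
    return {name: (taste_cab_file(d), taste_cab_file_strict(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (posted, strict) in evaluate().items():
        print(f"{name:22} posted={posted!s:5} strict={strict!s:5}")
```

The posted rule flags both MZ samples that contain the magic, including the one where "MSCF" is only a string constant; the strict variant keeps the cabinet and the self-extractor and drops the string-only PE. Whether the header checks cover every SFX layout that ScanLibarchive can unpack is something to confirm against real samples before changing the taste rule.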

phutelmyer commented 1 year ago

Good catch @ryanohoro.

I wonder if we can import pe into the taste.yara file using the pe module and add in and not pe (and not pe.is_pe)?

Not entirely sure what the criteria for pe matching are for that module, so it may not work.