diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml
new file mode 100644
index 000000000..7d4aea955
--- /dev/null
+++ b/rules/proxy/proxy_ursnif_malware.yml
@@ -0,0 +1,48 @@
+title: Ursnif Malware Download URL Pattern
+id: a36ce77e-30db-4ea0-8795-644d7af5dfb4
+status: stable
+description: Detects download of Ursnif malware done by dropper documents.
+author: Thomas Patzke
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-uri: '*/*.php?l=*.cab'
+        sc-status: 200
+    condition: selection
+fields:
+    - c-ip
+    - c-uri
+    - sc-bytes
+    - c-ua
+falsepositives:
+    - Unknown
+level: critical
+---
+title: Ursnif Malware C2 URL Pattern
+id: 932ac737-33ca-4afd-9869-0d48b391fcc9
+status: stable
+description: Detects Ursnif C2 traffic.
+references:
+    - https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
+author: Thomas Patzke
+logsource:
+    category: proxy
+detection:
+    b64encoding:
+        c-uri:
+            - "*_2f*"
+            - "*_2b*"
+    urlpatterns:
+        c-uri|all:
+            - "*.avi"
+            - "*/images/*"
+    condition: b64encoding and urlpatterns
+fields:
+    - c-ip
+    - c-uri
+    - sc-bytes
+    - c-ua
+falsepositives:
+    - Unknown
+level: critical
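Review bot: The `?` in the first rule's `c-uri: '*/*.php?l=*.cab'` is a Sigma single-character wildcard rather than a literal query-string separator, so the pattern is broader than the description implies (it also matches any single character before `l=`); if the backends in use honour backslash escaping, `c-uri: '*/*.php\?l=*.cab'` pins it to the literal `?`, otherwise a comment noting the widened match would stop a future reader from tightening it unknowingly. The first rule also has no `references` entry while the second does; the same Fortinet write-up appears to describe both the dropper download and the C2 pattern, so it could be listed on both. Both rules are marked `status: stable` on first commit with `falsepositives: Unknown`, which reads as inconsistent: a new signature that has not been validated against production proxy logs is conventionally `experimental` until false-positive sources are characterised. Neither rule carries `tags`; adding `attack.command_and_control` on the C2 rule would let downstream tooling map the alert to the ATT&CK tactic it detects.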