diff --git a/malicious_document.yar b/malicious_document.yar
index 92a443d5..d7f0023c 100644
--- a/malicious_document.yar
+++ b/malicious_document.yar
@@ -155,3 +155,18 @@ rule maldoc_suspicious_strings
 condition:
 any of them
 }
+
+rule mwi_document : exploitdoc
+{
+ meta:
+ description = "MWI generated document"
+ author = "@Ydklijnsma"
+ source = "http://blog.0x3a.com/post/117760824504/analysis-of-a-microsoft-word-intruder-sample"
+ strings:
+ $field_creation_tag = "{\\field{\\*\\fldinst { INCLUDEPICTURE"
+ $mwistat_url = "image.php?id="
+ $field_closing_tag = "\\\\* MERGEFORMAT \\\\d}}{\\fldrslt}}"
+
+ condition:
+ all of them
+}
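Review bot: The condition of `mwi_document` is `all of them` with no file-type anchor, so the rule is evaluated against every scanned file and will also fire on any RTF that legitimately carries an INCLUDEPICTURE field whose image is served by a PHP script, since `$mwistat_url` (`image.php?id=`) is generic on its own; anchoring on the RTF signature, `condition: uint32be(0) == 0x7B5C7274 and all of them`, restricts it to files beginning with `{\rt` and cheapens the scan. The backslash escaping is also easy to misread: in YARA a `\\` inside a text string is one literal backslash, so `$field_creation_tag` matches `{\field{\*\fldinst { INCLUDEPICTURE` while `$field_closing_tag` matches `\\* MERGEFORMAT \\d}}{\fldrslt}}` with doubled backslashes, which appears to be the escaped form Word emits inside field-instruction text rather than a typo. A one-line comment such as `// doubled backslashes are intentional: field instruction text is written with escaped backslashes` above `$field_closing_tag` would stop a later maintainer from "fixing" it. Because the three strings are exact-case and whitespace-exact matches taken from one sample, the description or a comment should state that the rule is sample-derived and may miss differently formatted generations of the same document family.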