Attachment: Archive with embedded CHM file
Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.
According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.
Sublime rule (View on GitHub)
1name: "Attachment: Archive with embedded CHM file"
2description: |
3 Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.
4
5 According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine
6 using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file.
7 The activity is associated with UNC1151, according to CERT-UA.
8references:
9 - "https://cert.gov.ua/article/37626"
10type: "rule"
11severity: "medium"
12source: |
13 type.inbound
14 and any(attachments,
15 .file_extension in~ $file_extensions_common_archives
16 and any(file.explode(.), .file_extension =~ "chm")
17 )
18attack_types:
19 - "Malware/Ransomware"
20tactics_and_techniques:
21 - "Evasion"
22detection_methods:
23 - "Archive analysis"
24 - "File analysis"
25id: "5280e94d-592b-5d80-b548-b0e2ad4c9eae"