Attachment: Archive with embedded CHM file

Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.

According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.

Sublime rule (View on GitHub)

 1name: "Attachment: Archive with embedded CHM file"
 2description: |
 3  Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.
 4
 5  According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine
 6  using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file.
 7  The activity is associated with UNC1151, according to CERT-UA.  
 8references:
 9  - "https://cert.gov.ua/article/37626"
10type: "rule"
11severity: "medium"
12source: |
13  type.inbound
14  and any(attachments,
15          .file_extension in~ $file_extensions_common_archives
16          and any(file.explode(.), .file_extension =~ "chm")
17  )  
18attack_types:
19  - "Malware/Ransomware"
20tactics_and_techniques:
21  - "Evasion"
22detection_methods:
23  - "Archive analysis"
24  - "File analysis"
25id: "5280e94d-592b-5d80-b548-b0e2ad4c9eae"
to-top