Attachment: DocX embedded Binary
This rule detects phishing attachments that deliver a binary payload inside a Microsoft Office Open XML file. It first gates on attachment types that can hide a document (macro-enabled extensions, common archive extensions, a zip content type, or an extension-less application/octet-stream under 100 MB), explodes the attachment, and then checks each child Office file for one of two indicators: a base64-encoded portable executable (the base64_pe YARA flavor), or JavaScript that calls createObjectURL or msSaveOrOpenBlob. Both calls are used to turn an embedded, base64-decoded blob into a file the victim is prompted to save or open, as in the referenced technique where the HTML of an embedded online video is replaced with an attacker-controlled page. The string checks cover the case where the dropped file is not a PE and the YARA flavor therefore does not match.
Sublime rule
name: "Attachment: DocX embedded Binary"
description: "Detects phishing attachments that deliver a binary payload inside a Microsoft Office Open XML file. It flags documents whose parts carry a base64-encoded portable executable, or JavaScript that calls createObjectURL or msSaveOrOpenBlob, both of which are used to decode an embedded blob and present it to the victim as a file to save or open."
references:
  - "https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload"
type: "rule"
authors:
  - linkedin: "linkedin.com/in/mehmet-yener-güler-28487621b"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or .content_type == "application/zip"
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.),
                  .file_extension in~ (
                    "doc",
                    "docm",
                    "docx",
                    "dot",
                    "dotm",
                    "xls",
                    "xlsx",
                    "xlsm",
                    "xlm",
                    "xlsb",
                    "xlt",
                    "xltm",
                    "ppt",
                    "pptx",
                    "pptm",
                    "ppsm"
                  )
                  and (
                    any(.flavors.yara, . == "base64_pe")
                    // The file delivered through the data URI is not always a portable
                    // executable, so also match the JavaScript calls that save the decoded blob
                    or any(.scan.strings.strings,
                           strings.ilike(., "*.createObjectURL(*)*")
                    )
                    or any(.scan.strings.strings,
                           strings.ilike(., "*.msSaveOrOpenBlob(*)*")
                    )
                  )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "YARA"
id: "feff0241-0990-5a22-ba90-a53d4021797c"
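To see what the inner conditions of the rule actually match, the following Python script opens an Office Open XML container and applies the same two checks to every part: a base64 run that decodes to a PE image (an approximation of what the base64_pe YARA flavor does; its real implementation is not on this page) and the `.createObjectURL(` / `.msSaveOrOpenBlob(` calls, mirrored as case-insensitive regexes equivalent to the rule's `strings.ilike` globs. This is an added example, not Sublime's code and not the rule itself; the `webVideoPr`/`embeddedHtml` sample document, the dropper HTML and the minimal PE image are constructed here for illustration, and the rule's outer attachment gating (extension lists, content type, size) is not reproduced.

```python
"""Approximation of the inner checks of "Attachment: DocX embedded Binary".
Added standalone example, not Sublime's code. The base64 decoder below is an
assumption about what the platform's "base64_pe" YARA flavor does."""
import base64
import html
import io
import re
import struct
import zipfile

# Mirrors strings.ilike(., "*.createObjectURL(*)*"): case-insensitive, '*'
# spans newlines, a dot before the call and a ')' somewhere after it.
JS_SINKS = {
    "createObjectURL": re.compile(rb"\.createObjectURL\(.*\)", re.I | re.S),
    "msSaveOrOpenBlob": re.compile(rb"\.msSaveOrOpenBlob\(.*\)", re.I | re.S),
}

# Only base64 runs long enough to hold a DOS header are worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def base64_pe_offsets(blob: bytes) -> list:
    """Offsets of base64 runs in blob that decode to something with a PE header."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0).rstrip(b"=")
        # The run may start mid-quantum (a stray letter glued to its front),
        # so try each of the four alignments before giving up on it.
        for shift in range(4):
            chunk = run[shift:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]
            if looks_like_pe(base64.b64decode(chunk)):
                hits.append(m.start() + shift)
                break
    return hits


def scan_ooxml(container: bytes) -> dict:
    """Map part name -> reasons, for every zip part that trips a condition."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            part = zf.read(name)
            reasons = [key for key, rx in JS_SINKS.items() if rx.search(part)]
            if base64_pe_offsets(part):
                reasons.append("base64_pe")
            if reasons:
                findings[name] = reasons
    return findings


def rule_would_fire(container: bytes) -> bool:
    return bool(scan_ooxml(container))


# --- constructed samples, not real malware ---------------------------------
# Smallest byte string that satisfies looks_like_pe(): DOS stub, e_lfanew=0x40.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"\x00" * 64)
FAKE_PE_B64 = base64.b64encode(FAKE_PE)

# HTML of the kind the referenced technique places in the embeddedHtml
# attribute of a webVideoPr element: decode a base64 blob, then save it.
DROPPER_HTML = (
    "<script>var bin=atob('%s');"
    "var arr=new Uint8Array(bin.length);"
    "for(var i=0;i<bin.length;i++){arr[i]=bin.charCodeAt(i);}"
    "var blob=new Blob([arr],{type:'application/octet-stream'});"
    "if(navigator.msSaveOrOpenBlob){navigator.msSaveOrOpenBlob(blob,'update.exe');}"
    "else{var a=document.createElement('a');a.href=URL.createObjectURL(blob);"
    "a.download='update.exe';a.click();}</script>" % FAKE_PE_B64.decode()
)


def build_docx(document_xml: str) -> bytes:
    """Minimal zip that passes for a .docx in this exercise (no real parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
BENIGN_DOCX = build_docx(
    '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Quarterly report attached.'
    "</w:t></w:r></w:p></w:body></w:document>" % W_NS
)
# The webVideoPr element layout is illustrative; the attribute value is the
# XML-escaped dropper page, which is where Word keeps an online video's HTML.
MALICIOUS_DOCX = build_docx(
    '<w:document xmlns:w="%s" xmlns:wp15="http://schemas.microsoft.com/office/'
    'word/2012/wordprocessingDrawing"><w:body><w:p><w:r><w:drawing>'
    '<wp15:webVideoPr embeddedHtml="%s" h="360" w="640"/>'
    "</w:drawing></w:r></w:p></w:body></w:document>"
    % (W_NS, html.escape(DROPPER_HTML, quote=True))
)

if __name__ == "__main__":
    print(scan_ooxml(MALICIOUS_DOCX))  # word/document.xml trips all three checks
    print(scan_ooxml(BENIGN_DOCX))     # {}
```

Running the script on a real attachment is a matter of passing the file's bytes to `scan_ooxml`; because the sinks are matched on the raw part bytes, the XML-escaped quotes inside `embeddedHtml` do not hide the calls, just as the rule's string scan runs over the exploded part rather than over parsed XML.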