Attachment: DocX embedded Binary

calendar Mar 26, 2024 · Attack surface reduction  ·
Share on: linkedin copy

This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload.

Sublime rule (View on GitHub)

 1name: "Attachment: DocX embedded Binary"
 2description: "This rule is designed to detect sophisticated phishing attacks that deliver binary payloads through MS office open XML files. It identifies malicious documents containing embedded scripts or objects, either encoded in base64 or using specific JavaScript functions like createObjectURL or msSaveOrOpenBlob, which are indicative of attempts to download and execute a binary payload."
 3references:
 4  - "https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-replacing-embedded-video-with-bogus-payload"
 5type: "rule"
 6authors:
 7  - linkedin: "linkedin.com/in/mehmet-yener-güler-28487621b"
 8severity: "high"
 9source: |
10  type.inbound
11  and any(attachments,
12          (
13            .file_extension in~ $file_extensions_macros
14            or .file_extension in~ $file_extensions_common_archives
15            or .content_type == "application/zip"
16            or (
17              .file_extension is null
18              and .file_type == "unknown"
19              and .content_type == "application/octet-stream"
20              and .size < 100000000
21            )
22          )
23          and any(file.explode(.),
24                  .file_extension in~ (
25                    "doc",
26                    "docm",
27                    "docx",
28                    "dot",
29                    "dotm",
30                    "xls",
31                    "xlsx",
32                    "xlsm",
33                    "xlm",
34                    "xlsb",
35                    "xlt",
36                    "xltm",
37                    "ppt",
38                    "pptx",
39                    "pptm",
40                    "ppsm"
41                  )
42                  and (
43                    any(.flavors.yara, . == "base64_pe")
44                    // The malicious file to be downloaded and run with the data URI may not always be portable executable
45                    or any(.scan.strings.strings,
46                           strings.ilike(., "*.createObjectURL(*)*")
47                    )
48                    or any(.scan.strings.strings,
49                           strings.ilike(., "*.msSaveOrOpenBlob(*)*")
50                    )
51                  )
52          )
53  )  
54tags:
55  - "Attack surface reduction"
56attack_types:
57  - "Malware/Ransomware"
58tactics_and_techniques:
59  - "Evasion"
60detection_methods:
61  - "Archive analysis"
62  - "Content analysis"
63  - "YARA"
64id: "feff0241-0990-5a22-ba90-a53d4021797c"

Related rules

to-top