Attachment: Emotet heavily padded doc in zip file
Detects a potential Emotet delivery method: a .doc that has been padded with hundreds of megabytes of repetitive filler (the rule requires a declared uncompressed size above 500 MB) yet compresses into a zip under 1 MB. The archived file may be a Red Dawn Emotet template; the padding exists to push the document past the size limits of scanners that skip or truncate large files, while the highly compressible filler keeps the emailed zip small.
Sublime rule
name: "Attachment: Emotet heavily padded doc in zip file"
description: |
  Detects a potential Emotet delivery method using padded .doc files that compress into small zip files.
  Contents may include Red Dawn templates exceeding 500MB.
references:
  - "https://twitter.com/Cryptolaemus1/status/1633099154623803394"
type: "rule"
severity: "high"
# Archive check: the zip itself (depth 0 in file.explode) is under 1 MB, while the
# entry it carries is named *.doc and declares an uncompressed size above 500 MB,
# i.e. an extreme compression ratio typical of null-byte padding.
# Sender check: the sender is new or an outlier, or has prior malicious/spam
# messages with no recorded false positives.
source: |
  type.inbound
  and any(attachments,
          .file_extension == "zip"
          and any(file.explode(.),
                  .depth == 0
                  and .size < 1000000
                  and not .depth > 0
                  and strings.ends_with(.scan.exiftool.zip_file_name, ".doc")
                  and .scan.exiftool.zip_uncompressed_size > 500000000
          )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
tags:
  - "Malfam: Emotet"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Sender analysis"
id: "9a5332ed-0023-5d6e-89d3-bd789c3bde6f"