Attachment: Emotet heavily padded doc in zip file
Detects a potential Emotet delivery method using padded .doc files that compress into small zip files. Contents may include Red Dawn templates exceeding 500MB.
Sublime rule:

```yaml
name: "Attachment: Emotet heavily padded doc in zip file"
description: |
  Detects a potential Emotet delivery method using padded .doc files that compress into small zip files.
  Contents may include Red Dawn templates exceeding 500MB.
references:
  - "https://twitter.com/Cryptolaemus1/status/1633099154623803394"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "zip"
          and any(file.explode(.),
                  .depth == 0
                  and .size < 1000000
                  and not .depth > 0
                  and strings.ends_with(.scan.exiftool.zip_file_name, ".doc")
                  and .scan.exiftool.zip_uncompressed_size > 500000000
          )
  )
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
tags:
  - "Malfam: Emotet"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Sender analysis"
id: "9a5332ed-0023-5d6e-89d3-bd789c3bde6f"
```
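The size mismatch the rule keys on (an archive under 1 MB on the wire whose `.doc` entry declares more than 500 MB uncompressed) can be checked outside Sublime by reading a zip's central directory. The Python below is an added example and is not part of the rule or of Sublime's code base; the thresholds default to the rule's values, the function names and the `PaddedDocHit` record are my own, and `build_sample_zip` constructs a stand-in padded document (a short marker followed by zero bytes) so the check can be exercised offline at a smaller scale.

```python
import io
import zipfile
from dataclasses import dataclass

# Thresholds taken from the rule above: the zip attachment itself is smaller
# than 1 MB, while the .doc it contains declares more than 500 MB uncompressed.
RULE_MAX_ZIP_SIZE = 1_000_000
RULE_MIN_UNCOMPRESSED = 500_000_000


@dataclass
class PaddedDocHit:
    name: str
    compressed_size: int
    uncompressed_size: int
    ratio: float  # uncompressed / compressed, a rough padding indicator


def find_padded_docs(zip_bytes, max_zip_size=RULE_MAX_ZIP_SIZE,
                     min_uncompressed=RULE_MIN_UNCOMPRESSED):
    """Return the .doc entries whose declared uncompressed size exceeds
    min_uncompressed, provided the whole archive is under max_zip_size.

    Only the central directory is consulted; no entry is inflated, so a
    heavily padded archive costs nothing more than reading its headers.
    """
    if len(zip_bytes) >= max_zip_size:
        return []  # the archive is too large to match the rule's profile
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".doc"):
                continue
            if info.file_size > min_uncompressed:
                ratio = info.file_size / max(info.compress_size, 1)
                hits.append(PaddedDocHit(info.filename, info.compress_size,
                                         info.file_size, ratio))
    return hits


def build_sample_zip(doc_name, doc_size):
    """Constructed sample (not a real document): a short marker followed by
    zero padding up to doc_size bytes, deflated so the padding collapses."""
    header = b"constructed sample, not a real document\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Stream the padding in chunks so the sample never sits fully in memory.
        with zf.open(doc_name, "w") as entry:
            entry.write(header)
            remaining = doc_size - len(header)
            chunk = b"\x00" * 65536
            while remaining > 0:
                n = min(len(chunk), remaining)
                entry.write(chunk[:n])
                remaining -= n
    return buf.getvalue()


if __name__ == "__main__":
    # Scaled-down demonstration: a 3 MB padded .doc inside a few-KB zip,
    # checked with proportionally smaller thresholds than the rule uses.
    sample = build_sample_zip("invoice.doc", 3_000_000)
    print(f"archive size on the wire: {len(sample)} bytes")
    for hit in find_padded_docs(sample, max_zip_size=100_000,
                                min_uncompressed=2_000_000):
        print(f"{hit.name}: {hit.compressed_size} -> {hit.uncompressed_size} "
              f"bytes (ratio {hit.ratio:.0f}:1)")
```

Like the exiftool fields the rule reads, the sizes here are the values declared in the archive's own headers rather than measured by inflating the entry, which is what keeps the check cheap; a scanner that instead extracts such an attachment must be prepared to write out hundreds of megabytes per message.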