Attachment: HTML file with excessive padding and suspicious patterns

Attached HTML file contains excessive line breaks and suspicious JavaScript patterns.

Sublime rule

name: "Attachment: HTML file with excessive padding and suspicious patterns"
description: |
    Attached HTML file contains excessive line breaks and suspicious JavaScript patterns.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .content_type == "text/html"
            or .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_type == "html"
          )
          and any(file.explode(.), any(.scan.yara.matches, .name == "HTML_EXCESSIVE_PADDING"))
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "YARA"
id: "0a6aee1e-df58-5f1e-8f49-477ed61babe5"
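The rule above identifies an HTML attachment three ways (declared content type, file extension, or sniffed file type) and then requires a YARA match on the exploded file. The following Python script is an added example, not Sublime's code and not the HTML_EXCESSIVE_PADDING YARA rule, whose body is not reproduced on this page. It re-implements the attachment tests over a standard MIME message and stands in for the YARA rule with two hypothetical heuristics: a long run of consecutive line breaks, and the JavaScript idioms that HTML-smuggling droppers typically use (atob, Blob, createObjectURL, document.write). The threshold, the pattern list and the sample mail are all assumptions constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment tests mirrored from the rule: content type, extension, or file type.
HTML_EXTENSIONS = {"html", "htm", "shtml", "dhtml"}

# Hypothetical thresholds and patterns standing in for the YARA rule
# HTML_EXCESSIVE_PADDING, whose body is not reproduced on this page.
MIN_PADDING_RUN = 200          # consecutive line breaks before we call it padding
SUSPICIOUS_JS = {              # JavaScript idioms common in HTML smuggling payloads
    "atob": r"\batob\s*\(",
    "unescape": r"\bunescape\s*\(",
    "eval": r"\beval\s*\(",
    "fromCharCode": r"String\.fromCharCode\s*\(",
    "new Blob": r"\bnew\s+Blob\s*\(",
    "createObjectURL": r"URL\.createObjectURL\s*\(",
    "document.write": r"document\.write\s*\(",
}


def is_html_attachment(part):
    """Same three tests as the rule; file-type sniffing is a simple tag check (assumption)."""
    filename = part.get_filename()
    if not filename:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    head = (part.get_payload(decode=True) or b"")[:4096].lower()
    sniffed_html = b"<html" in head or b"<!doctype html" in head
    return part.get_content_type() == "text/html" or ext in HTML_EXTENSIONS or sniffed_html


def max_line_break_run(text):
    """Longest run of consecutive line breaks (blank lines, optionally holding spaces/tabs)."""
    best = 0
    for m in re.finditer(r"(?:\r?\n[ \t]*){2,}", text):
        best = max(best, m.group(0).count("\n"))
    return best


def analyze_html(text):
    """Both conditions must hold, as in the rule: padding AND suspicious JavaScript."""
    run = max_line_break_run(text)
    found = sorted(name for name, pat in SUSPICIOUS_JS.items() if re.search(pat, text))
    return {"max_run": run, "js_patterns": found,
            "match": run >= MIN_PADDING_RUN and bool(found)}


def scan_message(raw_bytes):
    """Return (filename, verdict) for every HTML attachment that trips the heuristic."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        if not is_html_attachment(part):
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        verdict = analyze_html(text)
        if verdict["match"]:
            hits.append((part.get_filename(), verdict))
    return hits


def build_sample_message():
    """Constructed sample mail: one padded smuggling attachment, one benign HTML file."""
    smuggled = (
        "<html><body>Loading your document...\n" + "\n" * 500 +
        "<script>var p=atob('aGVsbG8=');var b=new Blob([p]);"
        "var u=URL.createObjectURL(b);document.write(u);</script></body></html>"
    )
    benign = "<html><body><p>Hello</p>\n\n<script>console.log('hi')</script></body></html>"
    msg = EmailMessage()
    msg["From"] = "invoices@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice 1234"
    msg.set_content("Please see the attached invoice.")
    # Wrong content type on purpose: the .htm extension test still catches it.
    msg.add_attachment(smuggled.encode(), maintype="application",
                       subtype="octet-stream", filename="Invoice.htm")
    msg.add_attachment(benign, subtype="html", filename="newsletter.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample_message()):
        print(f"{name}: {verdict}")
```

Two points of the design match the rule. First, the three attachment tests are OR-ed, so a sender who mislabels the file as application/octet-stream (as the sample does) is still caught by the extension; in the real rule `file_type` comes from Sublime's own sniffing, which the `<html` check only approximates. Second, padding alone or suspicious JavaScript alone does not fire: a padded but script-free file and a short smuggling stub both return `match: False`, which keeps the verdict on the combination the rule is named for.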