Attachment: Archive contains DLL-loading macro
An attacker could ship a trusted, signed macro-enabled document together with an untrusted DLL in the same archive. The signed macro references the DLL by name, so the DLL is loaded when the macro runs and inherits the trust granted to the document's signature, even though the signature never covered the DLL.
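name: "Attachment: Archive contains DLL-loading macro"
description: |
  An attacker could ship a trusted, signed macro-enabled document together with an
  untrusted DLL in the same archive. The signed macro references the DLL by name, so
  the DLL is loaded when the macro runs and inherits the trust granted to the
  document's signature, even though the signature never covered the DLL.
references:
  - "https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          // Branch 1: plaintext .zip whose entries include a DLL and a VBA
          // project whose extracted strings mention a DLL.
          (
            // =~ is case-insensitive, matching the in~ used in the generic
            // archive branch below, so "REPORT.ZIP" is not silently skipped.
            .file_extension =~ "zip"
            and (
              any(file.explode(.),
                  .scan.zip.encrypted == false
                  // zip contains a dll file (substring match, so "libs/foo.dll"
                  // and "foo.DLL" both qualify)
                  and any(.scan.zip.all_paths, strings.icontains(., "dll"))
              )
              // second explode() on purpose: the DLL entry and the macro entry
              // are different exploded children
              and any(file.explode(.),
                      // macro references a dll file
                      any(.flavors.yara, strings.like(., "vb_file"))
                      and any(.scan.strings.strings, strings.icontains(., "dll"))
              )
            )
          )
          // Branch 2: encrypted zips cannot be scanned for content, but entry
          // names are stored in cleartext, so fall back to name-only evidence:
          // a macro-type extension and a DLL packaged together.
          // NOTE(review): a macro-bearing file whose extension is not in
          // $file_extensions_macros (e.g. a legacy .doc) is not caught here.
          or any(file.explode(.),
                 .scan.zip.encrypted == true
                 // `..` is the outer loop's path, `.` the candidate extension
                 and any(.scan.zip.all_paths,
                         any($file_extensions_macros, strings.icontains(.., .))
                 )
                 // zip contains a dll file
                 and any(.scan.zip.all_paths, strings.icontains(., "dll"))
          )
          // Branch 3: any common archive type. Deliberately stricter than
          // branch 1: it requires a `Lib ... .dll` string (the form a VBA
          // Declare statement uses) and an entry whose extension is exactly dll.
          or (
            .file_extension in~ $file_extensions_common_archives
            and any(file.explode(.),
                    any(.flavors.yara, strings.like(., "vb_file"))
                    and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
            )
            and any(file.explode(.), strings.ilike(.file_extension, "dll"))
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  # NOTE(review): nothing in `source` inspects LNK files; confirm this tag is intended.
  - "LNK"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
  - "YARA"
id: "3a193f5f-1596-54d8-8fd7-1e09e63e6ea4"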