Attachment: Archive contains DLL-loading macro
An attacker could send a trusted, signed document whose macro references an untrusted DLL file; the signed document then loads that DLL.
Sublime rule (View on GitHub)
# Sublime Security detection rule: flags inbound archive attachments that pair a
# DLL with a macro-bearing file whose strings reference a DLL (see the linked
# Outflank post in "references").
name: "Attachment: Archive contains DLL-loading macro"
description: |
  An attacker could send a trusted and signed document that references an untrusted DLL file, which will be loaded by the signed document.
references:
  - "https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros"
type: "rule"
severity: "high"
source: |
  // Scope: inbound mail carrying at least one archive attachment (common archive
  // extension, or a file whose detected type is rar regardless of extension).
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_common_archives
            or .file_type == "rar"
          )
          and (
            // Branch 1: unencrypted archive that contains a "dll" path AND an
            // exploded file flagged by YARA as vb_file whose strings mention "dll".
            (
              any(file.explode(.),
                  .scan.zip.encrypted == false
                  // zip contains a dll file
                  // NOTE(review): substring match — any path containing "dll"
                  // qualifies, not only a .dll extension
                  and any(.scan.zip.all_paths, strings.icontains(., "dll"))
              )
              and any(file.explode(.),
                      // macro references a dll file
                      // (substring match on extracted strings, same caveat as above)
                      any(.flavors.yara, strings.like(., "vb_file"))
                      and any(.scan.strings.strings, strings.icontains(., "dll"))
              )
            )
            // Branch 2: encrypted archive. Only the archive's path listing is
            // checked: one path contains a macro-capable extension and one
            // contains "dll".
            or any(file.explode(.), // fallback for encrypted zips
                   .scan.zip.encrypted == true
                   // ".." is the path from the outer any, "." the extension under test
                   and any(.scan.zip.all_paths,
                           any($file_extensions_macros, strings.icontains(.., .))
                   )
                   // zip contains a dll file
                   and any(.scan.zip.all_paths, strings.icontains(., "dll"))
            )
            // Branch 3: a vb_file whose strings match the pattern *Lib*.dll*
            // (presumably a Declare ... Lib "x.dll" import — confirm) together with
            // an exploded file whose extension is exactly dll. This is the only
            // branch that checks the extension rather than a "dll" substring.
            or (
              any(file.explode(.),
                  any(.flavors.yara, strings.like(., "vb_file"))
                  and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
              )
              and any(file.explode(.), strings.ilike(.file_extension, "dll"))
            )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Exploit"
  # NOTE(review): the MQL above does not inspect LNK files; confirm this tag is intended
  - "LNK"
  - "Macros"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Macro analysis"
  - "YARA"
id: "3a193f5f-1596-54d8-8fd7-1e09e63e6ea4"