Attachment: Malformed OLE file

Attached OLE file (typically a Microsoft Office document) is malformed, possibly to evade traditional scanners and filters.

Sublime rule

```yaml
name: "Attachment: Malformed OLE file"
description: |
    Attached OLE file (typically a Microsoft Office document) is malformed, possibly to evade traditional scanners and filters.
references:
  - "https://x.com/anyrun_app/status/1861024182210900357"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in $file_extensions_macros
          and any(file.explode(.),
                  any(.scan.yara.matches, .name == "MALFORMED_OLE_HEADER")
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
id: "5aadc68f-9a67-5fd0-a825-3d7e1c5bfcb3"
```
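To show what a "malformed OLE header" check inspects, here is an added Python example that is not part of the Sublime rule or its YARA signature: it parses the fixed fields of the 512-byte Compound File Binary (OLE2) header and reports values a well-formed Office document never carries. The specific field checks and the sample headers are this example's own assumptions; the exact conditions inside MALFORMED_OLE_HEADER are not on this page.

```python
import struct

# Compound File Binary (OLE2) header layout per MS-CFB. The checks below are
# this example's own; they are not the conditions of the MALFORMED_OLE_HEADER YARA rule.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def check_ole_header(data: bytes) -> list[str]:
    """Return a list of header anomalies; an empty list means the header looks sane."""
    findings = []
    if len(data) < 512:
        return ["file shorter than the 512-byte CFB header"]
    if data[:8] != OLE_MAGIC:
        findings.append("bad magic signature")
    if data[8:24] != b"\x00" * 16:
        findings.append("header CLSID is not all zeros")
    # Fields at offsets 26, 28, 30, 32 are all little-endian uint16.
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", data, 26)
    if byte_order != 0xFFFE:
        findings.append(f"byte order marker 0x{byte_order:04x} != 0xfffe")
    if major not in (3, 4):
        findings.append(f"unknown major version {major}")
    elif sector_shift != {3: 9, 4: 12}[major]:
        findings.append(f"sector shift {sector_shift} inconsistent with version {major}")
    if mini_shift != 6:
        findings.append(f"mini sector shift {mini_shift} != 6")
    if data[34:40] != b"\x00" * 6:
        findings.append("reserved bytes are non-zero")
    if struct.unpack_from("<I", data, 56)[0] != 0x1000:
        findings.append("mini stream cutoff != 4096")
    return findings


def build_header(major=3, sector_shift=9, byte_order=0xFFFE, magic=OLE_MAGIC) -> bytes:
    """Constructed 512-byte sample header carrying only the fields this example inspects."""
    hdr = bytearray(512)
    hdr[0:8] = magic
    # minor version, major version, byte order, sector shift, mini sector shift
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, major, byte_order, sector_shift, 6)
    struct.pack_into("<I", hdr, 56, 0x1000)
    hdr[76:512] = b"\xff" * 436  # unused DIFAT slots are FREESECT (0xFFFFFFFF)
    return bytes(hdr)


if __name__ == "__main__":
    print(check_ole_header(build_header()))  # []
    print(check_ole_header(build_header(sector_shift=12)))
```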