MalwareBazaar: Malicious attachment hash (trusted reporters)

calendar Mar 26, 2026 · Abusech: MalwareBazaar  ·
Share on: linkedin copy

Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from untrusted senders.

Sublime rule (View on GitHub)

 1name: "MalwareBazaar: Malicious attachment hash (trusted reporters)"
 2description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from untrusted senders."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
 9  )  
10tags:
11  - "Abusech: MalwareBazaar"
12attack_types:
13  - "Malware/Ransomware"
14detection_methods:
15  - "File analysis"
16  - "Sender analysis"
17  - "Threat intelligence"
18id: "5b5c9c3e-92c2-56cd-ad0d-1a2e195fa2b4"
to-top