MalwareBazaar: Malicious attachment hash (trusted reporters)

Detects an inbound attachment from an untrusted sender whose SHA256 hash matches a hash reported as malware on MalwareBazaar by trusted reporters. A sender is treated as untrusted when its prevalence for this recipient is "new" or "outlier", or when it has previously sent malicious or spam messages and never a benign one.

Sublime rule

```yaml
name: "MalwareBazaar: Malicious attachment hash (trusted reporters)"
description: "Detects if an attachment's SHA256 hash matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters from untrusted senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
tags:
  - "Abusech: MalwareBazaar"
attack_types:
  - "Malware/Ransomware"
detection_methods:
  - "File analysis"
  - "Sender analysis"
  - "Threat intelligence"
id: "5b5c9c3e-92c2-56cd-ad0d-1a2e195fa2b4"
```
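To make the rule's two-part logic concrete, the following Python is an added example that is not part of the Sublime rule or the Sublime project. It re-implements the same decision (hash in a trusted-reporter feed AND sender untrusted) over constructed messages. The feed set, the sample attachment bytes, and the `SenderProfile` and `Message` classes are all constructed stand-ins for `$abuse_ch_malwarebazaar_sha256_trusted_reporters` and Sublime's `profile.by_sender()` fields; no real MalwareBazaar hashes are used.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of raw attachment bytes (what the rule compares against the feed)."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads. The "malicious" one stands in for a file whose
# hash a trusted reporter submitted to MalwareBazaar; it is not real malware.
FLAGGED_SAMPLE = b"constructed sample standing in for a reported binary"
BENIGN_SAMPLE = b"constructed quarterly report, nothing to see"

# Constructed stand-in for $abuse_ch_malwarebazaar_sha256_trusted_reporters.
TRUSTED_REPORTER_FEED = {sha256_hex(FLAGGED_SAMPLE)}


@dataclass
class SenderProfile:
    """Stand-in for profile.by_sender() in Sublime's message query language."""
    prevalence: str                      # e.g. "new", "outlier", "common"
    any_messages_malicious_or_spam: bool
    any_messages_benign: bool


@dataclass
class Message:
    """Stand-in for the fields of an inbound message the rule inspects."""
    inbound: bool
    attachments: list                    # raw bytes of each attachment
    sender: SenderProfile


def attachment_in_feed(msg: Message, feed: set) -> bool:
    """any(attachments, .sha256 in $feed): true if at least one attachment hash is listed."""
    return any(sha256_hex(a) in feed for a in msg.attachments)


def sender_untrusted(p: SenderProfile) -> bool:
    """The rule's sender clause: new/outlier, OR a bad history with no benign mail."""
    if p.prevalence in ("new", "outlier"):
        return True
    return p.any_messages_malicious_or_spam and not p.any_messages_benign


def rule_matches(msg: Message, feed: set = TRUSTED_REPORTER_FEED) -> bool:
    """Full rule: inbound AND flagged attachment AND untrusted sender."""
    return msg.inbound and attachment_in_feed(msg, feed) and sender_untrusted(msg.sender)


def build_cases() -> dict:
    """Constructed messages covering each branch of the rule."""
    new_sender = SenderProfile("new", False, False)
    repeat_bad_sender = SenderProfile("common", True, False)
    mixed_sender = SenderProfile("common", True, True)   # has benign history
    return {
        # Flagged hash from a never-seen sender: both clauses true.
        "flagged_from_new": Message(True, [FLAGGED_SAMPLE], new_sender),
        # Flagged hash from a known sender with only bad history: second branch.
        "flagged_from_repeat_bad": Message(True, [FLAGGED_SAMPLE], repeat_bad_sender),
        # Flagged hash, but sender has also sent benign mail: sender clause fails.
        "flagged_from_mixed": Message(True, [FLAGGED_SAMPLE], mixed_sender),
        # Benign attachment from a new sender: hash clause fails.
        "benign_from_new": Message(True, [BENIGN_SAMPLE], new_sender),
        # Outbound copy of the flagged file: type.inbound fails.
        "flagged_outbound": Message(False, [FLAGGED_SAMPLE], new_sender),
    }


def evaluate_all() -> dict:
    """Evaluate the rule on every constructed case; returns {name: matched}."""
    return {name: rule_matches(msg) for name, msg in build_cases().items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:24s} -> {'ALERT' if hit else 'no match'}")
```

The "flagged_from_mixed" case is the one worth noticing: a listed hash alone does not fire the rule, because a sender with benign history is deliberately excluded to cut false positives from compromised or noisy but established correspondents.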