MalwareBazaar: Malicious attachment hash in archive (trusted reporters)

Detects whether an archive attachment contains a file whose SHA256 hash matches a sample reported as malware on MalwareBazaar by trusted reporters.

Sublime rule

name: "MalwareBazaar: Malicious attachment hash in archive (trusted reporters)"
description: "Detects whether an archive attachment contains a file whose SHA256 hash matches a sample reported as malware on MalwareBazaar by trusted reporters."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
          )
  )

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "Threat intelligence"
id: "9d734281-3111-5bed-a192-9ae0e1ad6b9d"
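The rule above relies on two Sublime primitives: `file.explode(.)` unpacks an archive attachment (including nested archives) into its member files, and each member's `.scan.hash.sha256` is then looked up in the MalwareBazaar trusted-reporter hash list. The following Python is an added illustration of that same logic outside Sublime, not code from Sublime Security or the rule repository. It handles only zip archives, recurses into nested zips up to a fixed depth, and substitutes a constructed hash set (seeded from a harmless constructed payload) for the real `$abuse_ch_malwarebazaar_sha256_trusted_reporters` feed; the archive it inspects is also constructed in memory.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the MalwareBazaar trusted-reporter SHA256 feed.
# It is seeded with the hash of a harmless constructed payload so the
# example runs offline; a real deployment would load the feed instead.
SAMPLE_PAYLOAD = b"constructed test payload standing in for a flagged sample"
TRUSTED_REPORTER_HASHES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

# Mirrors `$file_extensions_common_archives`, restricted to the one format
# this example can unpack.
COMMON_ARCHIVE_EXTENSIONS = {"zip"}

# Bound recursion into nested archives (zip-in-zip) so a crafted input
# cannot make the scanner recurse indefinitely.
MAX_DEPTH = 3


def explode_zip(data, depth=0):
    """Yield (member_path, member_bytes) for every file in a zip, recursing
    into nested zips. Encrypted or corrupt members are skipped rather than
    aborting the whole scan."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                content = zf.read(info)
            except RuntimeError:
                # Password-protected member: hash cannot be computed.
                continue
            yield info.filename, content
            if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(content)):
                for inner_name, inner in explode_zip(content, depth + 1):
                    yield f"{info.filename}/{inner_name}", inner


def malicious_members(attachment_name, data, hash_set=TRUSTED_REPORTER_HASHES):
    """Return [(member_path, sha256), ...] for members whose hash is in the
    threat-intel set. Extension matching is case-insensitive, like `in~`."""
    ext = attachment_name.rsplit(".", 1)[-1].lower()
    if ext not in COMMON_ARCHIVE_EXTENSIONS:
        return []
    hits = []
    for path, content in explode_zip(data):
        digest = hashlib.sha256(content).hexdigest()
        if digest in hash_set:
            hits.append((path, digest))
    return hits


def build_sample_archive():
    """Constructed attachment: an outer zip holding a benign text file and a
    nested zip that contains the flagged payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.exe", SAMPLE_PAYLOAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"benign text")
        z.writestr("nested.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_archive():
    """Constructed attachment with no flagged members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("Docs.ZIP", build_sample_archive()),
                       ("clean.zip", build_benign_archive())):
        hits = malicious_members(name, blob)
        verdict = "ALERT" if hits else "clean"
        print(f"{name}: {verdict} {hits}")
```

The nested-archive case is the one worth noting: the flagged file sits one level down inside `nested.zip`, so a scanner that only hashed the top-level members would miss it, which is why the rule applies the hash check to the exploded contents rather than to the attachment itself.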