MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
Detects an inbound message whose archive attachment (matched by extension against the common-archives list) explodes to a file whose SHA256 hash appears in MalwareBazaar's list of samples reported by trusted reporters, where the sender is unsolicited, or has prior malicious/spam history and no recorded false positives.
Sublime rule (View on GitHub)
name: "MalwareBazaar: Malicious attachment hash in archive (trusted reporters)"
description: "Detects if an archive attachment contains a file that matches a SHA256 hash reported as malware on MalwareBazaar by trusted reporters, from unknown senders."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and any(file.explode(.),
                  .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Sender analysis"
  - "Threat intelligence"
id: "9d734281-3111-5bed-a192-9ae0e1ad6b9d"
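The following Python is an added, offline re-implementation of the rule's logic so the gating can be exercised against constructed input; it is not Sublime's code and not how the platform evaluates MQL. Assumptions: `file.explode()` is stood in for by a single-level zip expander (the real function recurses and handles many container formats), the `$file_extensions_common_archives` and `$abuse_ch_malwarebazaar_sha256_trusted_reporters` lists are replaced by small local sets, and the "malicious" sample is a constructed byte string whose hash is computed at runtime rather than a real MalwareBazaar hash.

```python
"""Offline model of the MalwareBazaar archive-hash rule (added example, not Sublime's code)."""
import hashlib
import io
import zipfile
from dataclasses import dataclass

# Stand-in for $file_extensions_common_archives (assumption). Only zip content is
# actually exploded below; the other extensions just exercise the extension gate.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz", "iso"}

# Constructed payloads; MALICIOUS_SAMPLE is not real malware, its hash is
# computed at runtime so no real MalwareBazaar hash appears in the example.
MALICIOUS_SAMPLE = b"MZ constructed payload for the example, not real malware"
BENIGN_SAMPLE = b"quarterly report, nothing to see here"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-in for $abuse_ch_malwarebazaar_sha256_trusted_reporters (assumption).
TRUSTED_REPORTER_HASHES = {sha256_hex(MALICIOUS_SAMPLE)}


@dataclass
class SenderProfile:
    """Mirrors the profile.by_sender() attributes the rule reads."""
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


@dataclass
class Attachment:
    file_name: str
    content: bytes

    @property
    def file_extension(self) -> str:
        return self.file_name.rsplit(".", 1)[-1].lower() if "." in self.file_name else ""


@dataclass
class Message:
    inbound: bool
    attachments: list
    sender: SenderProfile


def explode(att: Attachment) -> list:
    """Stand-in for file.explode(): (name, bytes) per zip member, one level deep.
    Non-zip or corrupt content yields no children, so no hash can match."""
    try:
        with zipfile.ZipFile(io.BytesIO(att.content)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return []


def build_zip(members: dict) -> bytes:
    """Fixture helper: in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def archive_contains_known_malware(msg: Message) -> bool:
    """any(attachments, archive extension and any(file.explode(.), hash in list))."""
    return any(
        att.file_extension in ARCHIVE_EXTENSIONS
        and any(sha256_hex(data) in TRUSTED_REPORTER_HASHES for _, data in explode(att))
        for att in msg.attachments
    )


def sender_is_suspect(p: SenderProfile) -> bool:
    """The rule's sender clause: unsolicited, or malicious/spam history with no false positives."""
    return (not p.solicited) or (p.any_messages_malicious_or_spam and not p.any_false_positives)


def rule_matches(msg: Message) -> bool:
    # The trailing any_false_positives check applies to both sender branches.
    return (
        msg.inbound
        and archive_contains_known_malware(msg)
        and sender_is_suspect(msg.sender)
        and not msg.sender.any_false_positives
    )


def make_message(*, inbound=True, payload=MALICIOUS_SAMPLE, attachment_name="invoice.zip",
                 solicited=False, malicious_history=False, false_positives=False) -> Message:
    """Constructed fixture: one archive attachment wrapping `payload`, plus a sender profile."""
    content = build_zip({"invoice.exe": payload})
    return Message(inbound, [Attachment(attachment_name, content)],
                   SenderProfile(solicited, malicious_history, false_positives))


if __name__ == "__main__":
    print(rule_matches(make_message()))                 # True: unsolicited, known-bad hash in zip
    print(rule_matches(make_message(solicited=True)))   # False: solicited sender, clean history
```

The fixtures make the gating visible: a solicited sender with no history suppresses the alert even when the hash matches, a recorded false positive suppresses it regardless of the other sender signals, and the same bad file attached directly (not inside an archive) does not fire this rule at all, which is what the "in archive" scoping means in practice.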