Attachment: Office document loads remote document template

Recursively scans archives and Office documents to detect remote document template injection.

Sublime rule (View on GitHub)

 1name: "Attachment: Office document loads remote document template"
 2description: |
 3    Recursively scans archives and Office documents to detect remote document template injection.
 4references:
 5  - "https://delivr.to/payloads?id=c7a7195e-0de3-428d-a32c-5fd59a3012da"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            (
13              // office files
14              .file_extension in~ $file_extensions_macros
15              or .file_extension in~ $file_extensions_common_archives
16            )
17            and any(file.explode(.),
18                    .flavors.mime == "text/xml"
19                    and any(.scan.strings.strings, regex.icontains(., ".*Target.*http.*dotm.*"))
20            )
21          )
22  )  
23attack_types:
24  - "Malware/Ransomware"
25detection_methods:
26  - "Archive analysis"
27  - "File analysis"
28  - "URL analysis"
29id: "d9601104-c330-5995-9fae-4d30b969c081"