Attachment: Office file with suspicious function calls or downloaded file path

Attached Office file contains suspicious function calls or a known malicious file path pattern.

Sublime rule (View on GitHub)

# Sublime Security detection rule.
# Fires on inbound mail carrying an Office-style (or unidentified small binary)
# attachment whose exploded contents contain either a download-plus-autorun
# string pair or a fixed-shape Windows path, provided the sender has no benign
# message history. Severity is "high" because a match implies an executable
# download path rather than mere macro presence.
name: "Attachment: Office file with suspicious function calls or downloaded file path"
description: "Attached Office file contains suspicious function calls or known malicious file path pattern."
references:
  - "https://app.docguard.io/c3e75d7a32a4959724f24c1004724951482cd732db7d287989c873c09166ff95/c3036de5-89b1-49c6-9681-706f5b9af264/0/results/dashboard"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            // office files
            // Attachment selection: macro-capable extensions, common archive
            // extensions (so a document delivered inside an archive is still
            // considered), or an extension-less attachment that file typing
            // could not identify, served as octet-stream and under 100,000
            // bytes — the case where extension and type give no signal at all.
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000
            )
          )
          and (
            // Inspect the extracted strings of every file produced by
            // file.explode(.). Presumably explode also unpacks the archive
            // types admitted above — confirm against the platform docs.
            any(file.explode(.),
                (
                  // Both strings must appear in the SAME exploded file:
                  // URLDownloadToFile (Windows API that fetches a URL to a
                  // local file) together with Auto_Open (Excel macro name
                  // that runs when the workbook is opened). ilike is a
                  // case-insensitive wildcard match, so obfuscated casing
                  // still hits; split or concatenated names will not.
                  any(.scan.strings.strings,
                      strings.ilike(., '*URLDownloadToFile*')
                  )
                  and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
                )
                // Alternative trigger: a path of exactly three consecutive
                // 7-letter directory components directly under C:\.
                // The literal lives inside a YAML block scalar, so the '\\'
                // pairs reach the regex engine unchanged and each matches one
                // backslash. Match is case-insensitive and unanchored, so the
                // path may sit anywhere in a longer string.
                or any(.scan.strings.strings,
                       regex.icontains(.,
                                       'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}'
                       )
                )
            )
          )
  )
  // Sender-reputation gate: either a new/outlier sender that was not
  // solicited, or a sender already seen sending malicious/spam mail and
  // never benign mail.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Applied to both branches above, so the identical check inside the
  // second branch is redundant (harmless, but could be dropped). Note this
  // means a known sender with any benign history never matches, even when
  // the attachment content trips the string checks.
  and not profile.by_sender().any_messages_benign  
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "4c78b969-9df8-59e1-8f65-43afdb06c817"
