Attachment: PowerPoint with suspicious hyperlink

Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.

Sublime rule (View on GitHub)

 1name: "Attachment: PowerPoint with suspicious hyperlink"
 2description: |
 3    Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
 4references:
 5  - "https://twitter.com/doc_guard/status/1570190610774257665"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (.file_extension in~ ("ppt", "pptx"))
12          and any(file.explode(.),
13                  any(.scan.exiftool.fields,
14                      .key == "Hyperlinks"
15                      and (
16                        4 of (
17                          strings.ilike(.value, "*[Convert]::ToChar*"),
18                          strings.ilike(.value, "*vbs*"),
19                          strings.ilike(.value, "*[IO.File]::Create*"),
20                          strings.ilike(.value, "*[IO.File]::Exists*"),
21                          strings.ilike(.value,
22                                        "*[io.FileOPtions]::DeleteOnClose*"
23                          ),
24                          strings.ilike(.value, "*Net.WebClient*"),
25                          strings.ilike(.value, "*dll*"),
26                        )
27                      )
28                  )
29          )
30  )  
31attack_types:
32  - "Malware/Ransomware"
33tactics_and_techniques:
34  - "Evasion"
35  - "Scripting"
36detection_methods:
37  - "Exif analysis"
38  - "File analysis"
39id: "0a999fb1-f44f-54cf-814b-6fd2e83f5704"