Attachment: PowerPoint with suspicious hyperlink

Attached PowerPoint carries a hyperlink whose target string looks like a PowerShell download-and-execute payload (fragments such as Net.WebClient, [IO.File]::Create, [Convert]::ToChar) rather than an ordinary URL; following it can lead to arbitrary code execution on the recipient's host.

Sublime rule (View on GitHub)

 1name: "Attachment: PowerPoint with suspicious hyperlink"
 2description: |
 3    Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.
 4references:
 5  - "https://twitter.com/doc_guard/status/1570190610774257665"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (.file_extension in~ ("ppt", "pptx"))
12          and any(file.explode(.),
13                  any(.scan.exiftool.fields,
14                      .key == "Hyperlinks"
15                      and (
16                        4 of (
17                          strings.ilike(.value, "*[Convert]::ToChar*"),
18                          strings.ilike(.value, "*vbs*"),
19                          strings.ilike(.value, "*[IO.File]::Create*"),
20                          strings.ilike(.value, "*[IO.File]::Exists*"),
21                          strings.ilike(.value, "*[io.FileOPtions]::DeleteOnClose*"),
22                          strings.ilike(.value, "*Net.WebClient*"),
23                          strings.ilike(.value, "*dll*"),
24                        )
25                      )
26                  )
27          )
28  )  
29attack_types:
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Evasion"
33  - "Scripting"
34detection_methods:
35  - "Exif analysis"
36  - "File analysis"
37id: "0a999fb1-f44f-54cf-814b-6fd2e83f5704"