Attachment: RTF with embedded content

RTF files can contain embedded content similar to OLE files (Microsoft Office documents).

Sublime rule

name: "Attachment: RTF with embedded content"
description: |
  RTF files can contain embedded content similar to OLE files (Microsoft Office documents).
references:
  - "https://delivr.to/payloads?id=bd526b27-f202-4827-ab44-1d037960d837"
  - "https://playground.sublimesecurity.com/?id=5d47ec8d-f099-4d6c-9a5b-03f4d7cb0254"
type: "rule"
authors:
  - twitter: "amitchell516"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_type == "rtf"
          and any(file.explode(.),
                  .flavors.mime in~ (
                    "application/x-dosexec",
                    "text/x-msdos-batch",
                    "application/octet-stream"
                  )
                  or any(.flavors.yara, . == 'base64_pe')
                  or .file_extension in~ ("bat", "exe", "vbs")
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
id: "61dd2dd7-21cf-58be-bd58-87ae677a00ab"
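The rule above relies on Sublime's file.explode() to unpack the RTF and then inspects the MIME and YARA flavors of each extracted object. The following Python script, added here as an illustration and not part of Sublime's rule or platform, shows the same decision in miniature: it pulls the hex-encoded payloads out of \objdata control words, decodes them, and labels each blob with the indicators the rule keys on (a PE header, a base64-encoded PE, or batch-file markers). The sample RTF, the minimal PE header stub it embeds, the function names and the batch markers are all constructed for this example; it only handles the hex form of \objdata, not \bin binary runs.

```python
import base64
import binascii
import re
import struct

# Hex payload that follows a \objdata control word, up to the closing brace.
# RTF writers wrap the hex across lines, so whitespace is allowed inside.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

# Long runs of base64 alphabet, the kind of blob the rule's base64_pe flavor flags.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed markers for batch content (text/x-msdos-batch in the rule).
BATCH_MARKERS = (b"@echo off", b"%comspec%", b"cmd /c")


def extract_objdata_blobs(rtf: bytes) -> list[bytes]:
    """Return the decoded bytes of every \\objdata hex payload in the document."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexstr = re.sub(rb"\s+", b"", match.group(1))
        if len(hexstr) % 2:  # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        try:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
        except ValueError:
            continue
    return blobs


def looks_like_pe(data: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at a 'PE\\0\\0' signature is present."""
    idx = data.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            pe_off = idx + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\0\0":
                return True
        idx = data.find(b"MZ", idx + 1)
    return False


def contains_base64_pe(data: bytes) -> bool:
    """True if any base64 run inside the blob decodes to something with a PE header."""
    for match in B64_RUN_RE.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(decoded):
            return True
    return False


def classify_blob(data: bytes) -> list[str]:
    """Label a decoded object with the indicators the rule matches on."""
    hits = []
    if looks_like_pe(data):
        hits.append("application/x-dosexec")
    if contains_base64_pe(data):
        hits.append("base64_pe")
    if any(marker in data.lower() for marker in BATCH_MARKERS):
        hits.append("text/x-msdos-batch")
    return hits


def scan_rtf(rtf: bytes) -> dict[int, list[str]]:
    """Map each embedded object's index to the indicators found in it."""
    return {i: classify_blob(blob) for i, blob in enumerate(extract_objdata_blobs(rtf))}


def rule_matches(rtf: bytes) -> bool:
    """Mirror of the rule's any(...) condition: one flagged object is enough."""
    return any(scan_rtf(rtf).values())


def make_fake_pe() -> bytes:
    """Constructed 128-byte DOS/PE header stub; it is not a runnable executable."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)      # 0x40 bytes of DOS header
    struct.pack_into("<I", header, 0x3C, 0x40)     # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 60


def make_sample_rtf() -> bytes:
    """Constructed RTF with two embedded objects: a raw PE stub and a base64 text of it."""
    pe = make_fake_pe()
    raw_hex = pe.hex().encode()
    wrapped = b"\n".join(raw_hex[i:i + 64] for i in range(0, len(raw_hex), 64))
    b64_hex = base64.b64encode(pe).hex().encode()
    return (b"{\\rtf1\\ansi\n"
            b"{\\object\\objemb{\\*\\objdata\n" + wrapped + b"}}\n"
            b"{\\object\\objemb{\\*\\objdata " + b64_hex + b"}}\n"
            b"\\par Hello}")


if __name__ == "__main__":
    for index, hits in scan_rtf(make_sample_rtf()).items():
        print(f"object {index}: {hits or 'no indicators'}")
```

The script returns one indicator list per object so a triage tool can log what fired rather than a bare boolean; a production parser would also need to follow \bin runs and recurse into OLE containers, which file.explode() does for you.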
