Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK

Detects embedded Shell.Explorer.1 COM objects containing LNK files within various file types.

Sublime rule

name: "Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK"
description: |
  Detects embedded Shell.Explorer.1 COM objects containing LNK files within various file types.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          (.file_type == "rtf" or .file_extension in $file_extensions_macros)
          and any(file.explode(.),
                  any(.scan.yara.matches,
                      strings.starts_with(.name, "ShellExplorer1_LNK_")
                  )
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
id: "53a29f61-3841-575d-baee-80900a92c679"
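The rule above delegates the actual file inspection to YARA rules named ShellExplorer1_LNK_* that are not shown on this page. As an added illustration (not Sublime's code, and not those YARA rules), the script below shows the same check done by hand for the RTF case only: it walks each \object group in an RTF file, reads its \objclass ProgID, hex-decodes its \objdata payload, and looks for the Shell Link (LNK) file header inside it. The sample RTF and its object payload are constructed for this example; the \object / \objclass / \objdata control words and the LNK header bytes are standard.

```python
import re

# Shell Link header: HeaderSize 0x4C followed by the LNK CLSID
# 00021401-0000-0000-C000-000000000046 (little-endian fields).
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# {\*\objclass <ProgID>} and {\*\objdata <hex>} inside an RTF object group.
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^\\{}]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)\}")


def find_embedded_objects(rtf: bytes) -> list[dict]:
    """Return one record per \\object group: its ProgID, payload size and
    whether the decoded payload contains a LNK header.  Splitting on the
    \\object control word is a heuristic that ignores RTF group nesting, but
    it is enough to pair each class name with its own data blob."""
    records = []
    for chunk in re.split(rb"\\object\b", rtf)[1:]:
        cls, data = OBJCLASS_RE.search(chunk), OBJDATA_RE.search(chunk)
        if not cls or not data:
            continue
        progid = cls.group(1).strip().decode("ascii", "replace")
        hex_text = re.sub(rb"\s+", b"", data.group(1)).decode("ascii")
        try:
            blob = bytes.fromhex(hex_text)
        except ValueError:  # odd-length or otherwise malformed hex: skip it
            continue
        records.append({"progid": progid, "size": len(blob),
                        "embedded_lnk": LNK_HEADER in blob})
    return records


def has_shell_explorer_lnk(rtf: bytes) -> bool:
    """True when any object is a Shell.Explorer control carrying a LNK payload,
    i.e. the condition this page's rule detects via YARA."""
    return any(r["progid"].lower().startswith("shell.explorer") and r["embedded_lnk"]
               for r in find_embedded_objects(rtf))


# Constructed sample: an OLE1-style prefix, then a LNK header, then padding.
SAMPLE_OBJDATA = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x00" * 8
                  + LNK_HEADER + b"\x00" * 16).hex().encode("ascii")
SAMPLE_RTF = (rb"{\rtf1\ansi"
              rb"{\object\objemb{\*\objclass Shell.Explorer.1}{\*\objdata "
              + SAMPLE_OBJDATA + rb"}}"
              rb"{\object\objemb{\*\objclass Word.Document.8}"
              rb"{\*\objdata 01050000020000000100}}}")

if __name__ == "__main__":
    for rec in find_embedded_objects(SAMPLE_RTF):
        print(rec)
    print("suspicious:", has_shell_explorer_lnk(SAMPLE_RTF))
```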
