Attachment soliciting user to enable macros

Recursively scans files and archives to detect documents that ask the user to enable macros, including when that text appears within an embedded image.

Sublime rule (View on GitHub)

 1name: "Attachment soliciting user to enable macros"
 2description: |
 3  Recursively scans files and archives to detect documents that ask the
 4  user to enable macros, including if that text appears within an embedded image.  
 5references:
 6  - "https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document"
 7type: "rule"
 8severity: "high"
 9source: |
10  type.inbound
11  and any(attachments,
12          (
13            .file_extension in~ $file_extensions_macros
14            or .file_extension in~ $file_extensions_common_archives
15            or (
16                .file_extension is null
17                and .file_type == "unknown"
18                and .content_type == "application/octet-stream"
19                and .size < 100000000
20            )
21          )
22          and any(file.explode(.),
23                  strings.ilike(.scan.ocr.raw, "*please*enable*macros")
24                  or any(.scan.strings.strings, strings.ilike(., "*please enable macros*"))
25          )
26  )
27  and (
28    not profile.by_sender().solicited
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )  
34attack_types:
35  - "Malware/Ransomware"
36tactics_and_techniques:
37  - "Macros"
38detection_methods:
39  - "Archive analysis"
40  - "File analysis"
41  - "Macro analysis"
42  - "Optical Character Recognition"
43  - "Sender analysis"
44id: "e9d75515-8d64-531d-8ccb-9153150d0ee3"