Attachment with macro calling executable

Recursively scans attachments and archives to detect embedded VBA files containing a hex-encoded string that decodes to a reference to an exe.

This may be an attempt to heavily obfuscate the execution of a binary through a Microsoft Office document. Macro-capable attachments and common archive formats are always in scope; an attachment with no extension, an unknown file type and an application/octet-stream content type is also exploded as long as it is under 100 MB, so a renamed or extension-stripped document cannot sidestep the scan. Note that the match is a case-insensitive substring test ("*exe*") over the decoded hex strings, so decoded text such as "exempt" or "executive" would also satisfy it.

Sublime rule

name: "Attachment with macro calling executable"
description: |
  Recursively scans files and archives to detect embedded VBA files
  with a hex-encoded string referencing an exe.

  This may be an attempt to heavily obfuscate an execution through a
  Microsoft Office document.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
                .file_extension is null
                and .file_type == "unknown"
                and .content_type == "application/octet-stream"
                and .size < 100000000
              )
          )
          and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c"
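As an added illustration, not the rule's own code or any part of Sublime's engine, the following Python stand-in walks through the logic the rule expresses: the attachment gate, a recursive explode over zip containers, hex-string decoding over VBA modules, and the case-insensitive "exe" check. Assumptions: the contents of $file_extensions_macros and $file_extensions_common_archives are approximated; real VBA lives compressed inside vbaProject.bin and is extracted by Sublime's scanner (or tools such as oletools' olevba), which this example does not reimplement, so the constructed sample archive carries exported .bas modules instead; names such as scan_attachment and vba_hex_strings are the example's own.

```python
import io
import re
import zipfile

# Stand-ins for the rule's $file_extensions_macros and
# $file_extensions_common_archives lists (assumed contents; the real lists are
# maintained in the Sublime repository and may be broader).
FILE_EXTENSIONS_MACROS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xlsb",
                          "xlt", "xltm", "ppt", "pptm", "pps", "ppsm", "potm"}
FILE_EXTENSIONS_COMMON_ARCHIVES = {"zip", "7z", "rar", "tar", "gz", "iso"}
MAX_UNKNOWN_SIZE = 100_000_000  # the rule's bound on extension-less blobs


def attachment_in_scope(file_extension, file_type, content_type, size):
    """The attachment gate from the rule: macro-capable or archive extension,
    or an extension-less octet-stream of unknown type under 100 MB."""
    ext = (file_extension or "").lower()
    if ext in FILE_EXTENSIONS_MACROS or ext in FILE_EXTENSIONS_COMMON_ARCHIVES:
        return True
    return (file_extension is None and file_type == "unknown"
            and content_type == "application/octet-stream"
            and size < MAX_UNKNOWN_SIZE)


# Two common ways VBA carries a hex-encoded string: a literal run of hex
# digits that a loop decodes with Chr(), and a chain of Chr(&Hxx) literals.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){4,})(?![0-9A-Fa-f])")
AMP_H = re.compile(r"&H([0-9A-Fa-f]{2})\b", re.I)


def vba_hex_strings(vba_source):
    """Decode hex-encoded strings found in VBA text. Stand-in (example's own)
    for the .scan.vba.hex results Sublime attaches to exploded files."""
    decoded = [bytes.fromhex(m.group(1)).decode("latin-1")
               for m in HEX_RUN.finditer(vba_source)]
    for line in vba_source.splitlines():
        codes = AMP_H.findall(line)
        if len(codes) >= 4:  # ignore isolated &H constants
            decoded.append(bytes(int(c, 16) for c in codes).decode("latin-1"))
    return decoded


def vba_references_exe(vba_source):
    """strings.ilike(., "*exe*") over decoded strings: case-insensitive substring."""
    return [s for s in vba_hex_strings(vba_source) if "exe" in s.lower()]


def explode(name, data, depth=0, max_depth=5):
    """Yield (path, bytes) for a file and, recursively, every member of any
    zip container it is. Stand-in for file.explode(); only zip is handled."""
    yield name, data
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield from explode(f"{name}/{info.filename}", zf.read(info), depth + 1)


VBA_MODULE_EXTS = (".bas", ".cls", ".frm", ".vba")  # exported VBA modules


def scan_attachment(name, data):
    """Return (path, decoded_string) hits: any exploded VBA module whose
    hex-decoded strings reference an exe. An empty list means no match."""
    hits = []
    for path, blob in explode(name, data):
        if path.lower().endswith(VBA_MODULE_EXTS):
            hits.extend((path, s) for s in vba_references_exe(blob.decode("latin-1")))
    return hits


# Constructed sample modules for the example (not real malware samples).
MALICIOUS_VBA = r'''Attribute VB_Name = "Module1"
Sub AutoOpen()
    Dim h As String, s As String, i As Integer
    h = "636d642e657865202f6320706f7765727368656c6c"
    For i = 1 To Len(h) Step 2
        s = s & Chr(CLng("&H" & Mid(h, i, 2)))
    Next i
    Shell s, vbHide
End Sub
Sub Stage2()
    Dim p As String
    p = Chr(&H77) & Chr(&H73) & Chr(&H63) & Chr(&H72) & Chr(&H69) & Chr(&H70) & Chr(&H74) & Chr(&H2E) & Chr(&H65) & Chr(&H78) & Chr(&H65)
    Shell p & " stage2.vbs", vbHide
End Sub
'''

BENIGN_VBA = r'''Attribute VB_Name = "Greeting"
Sub SayHello()
    Dim h As String, s As String, i As Integer
    h = "48656c6c6f"
    For i = 1 To Len(h) Step 2
        s = s & Chr(CLng("&H" & Mid(h, i, 2)))
    Next i
    MsgBox s
End Sub
'''


def build_sample_attachment():
    """Constructed invoice.zip: a benign module plus a nested zip carrying the
    obfuscated module, so the recursive explode is exercised."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Module1.bas", MALICIOUS_VBA)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Greeting.bas", BENIGN_VBA)
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    data = build_sample_attachment()
    if attachment_in_scope("zip", "zip", "application/zip", len(data)):
        for path, s in scan_attachment("invoice.zip", data):
            print(f"{path}: hex string decodes to {s!r}")
```

The benign module also hex-decodes a string ("Hello"), which is why the rule keys on what the decoded text contains rather than on the presence of hex decoding alone; the obfuscated module is only found because the explode descends into inner.zip. Plain-text mentions of an exe in macro source are deliberately not matched here, mirroring the rule's focus on the hex-encoded form.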