Attachment with macro calling executable

Recursively scans files and archives to detect embedded VBA files with an encoded hex string referencing an exe.

This may be an attempt to heavily obfuscate an execution through Microsoft document.

Sublime rule (View on GitHub)

 1name: "Attachment with macro calling executable"
 2description: |
 3  Recursively scans files and archives to detect embedded VBA files
 4  with an encoded hex string referencing an exe.
 5
 6  This may be an attempt to heavily obfuscate an execution through
 7  Microsoft document.  
 8type: "rule"
 9severity: "high"
10source: |
11  type.inbound
12  and any(attachments,
13          (
14            .file_extension in~ $file_extensions_macros
15            or .file_extension in~ $file_extensions_common_archives
16          )
17          and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
18  )  
19attack_types:
20  - "Malware/Ransomware"
21tactics_and_techniques:
22  - "Evasion"
23  - "Macros"
24detection_methods:
25  - "Archive analysis"
26  - "File analysis"
27id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c"
to-top