Attachment with macro calling executable
Recursively scans files and archives to detect embedded VBA files containing a hex-encoded string that references an exe.
This may be an attempt to heavily obfuscate execution launched through a Microsoft document.
Sublime rule

```yaml
name: "Attachment with macro calling executable"
description: |
  Recursively scans files and archives to detect embedded VBA files
  with an encoded hex string referencing an exe.

  This may be an attempt to heavily obfuscate an execution through
  Microsoft document.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (
            .file_extension in~ $file_extensions_macros
            or .file_extension in~ $file_extensions_common_archives
            or (
              .file_extension is null
              and .file_type == "unknown"
              and .content_type == "application/octet-stream"
              and .size < 100000000
            )
          )
          and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Macros"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c"
```
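The rule's logic modelled in Python, as an added example that is not Sublime's code: the attachment gate from `source`, followed by olevba-style decoding of quoted hex string literals, which is assumed here to be what `.scan.vba.hex` exposes. The extension sets, the `Attachment` class, the `Decode` helper name and the sample macros are constructed for the example, not taken from the rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed contents of the rule's $file_extensions_macros and
# $file_extensions_common_archives lists; the page does not enumerate them.
MACRO_EXTENSIONS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xltm", "ppt", "pptm"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz", "iso", "img"}

# olevba-style hex literal: a quoted run of at least four hex byte pairs.
# Shorter runs are skipped because they are usually identifiers or colour codes.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')

@dataclass
class Attachment:
    """Constructed stand-in for the attachment fields the rule reads."""
    file_extension: Optional[str]
    file_type: str
    content_type: str
    size: int
    vba_sources: List[str] = field(default_factory=list)  # macros found by exploding

def attachment_in_scope(a: Attachment) -> bool:
    """The rule's gate: macro-capable file, common archive, or extensionless blob."""
    ext = (a.file_extension or "").lower()  # in~ is case-insensitive
    if ext in MACRO_EXTENSIONS or ext in ARCHIVE_EXTENSIONS:
        return True
    return (a.file_extension is None and a.file_type == "unknown"
            and a.content_type == "application/octet-stream"
            and a.size < 100_000_000)

def decoded_hex_strings(vba: str) -> List[str]:
    """Decode hex string literals in VBA source; assumed to model .scan.vba.hex."""
    return [bytes.fromhex(lit).decode("latin-1") for lit in HEX_LITERAL.findall(vba)]

def rule_matches(attachments: List[Attachment]) -> bool:
    """True when an in-scope attachment carries a decoded hex string containing 'exe'."""
    for a in attachments:
        if not attachment_in_scope(a):
            continue
        for vba in a.vba_sources:
            if any("exe" in s.lower() for s in decoded_hex_strings(vba)):
                return True
    return False

# Constructed sample macros: "6E6F74657061642E657865" is hex for "notepad.exe",
# while "48656C6C6F" decodes to "Hello" and must not trigger the rule.
SUSPICIOUS_VBA = 'Sub AutoOpen()\n    target = Decode("6E6F74657061642E657865")\nEnd Sub'
BENIGN_VBA = 'Sub AutoOpen()\n    greeting = Decode("48656C6C6F")\nEnd Sub'
```

Every quoted hex run decodes, so the `exe` substring check is what carries the signal; when tuning, compare the decoded strings the model surfaces against what the real `.scan.vba.hex` list shows in Sublime's message view.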