High Severity
Attachment: Archive contains DLL-loading macro
Description
An attacker could send a trusted and signed document that references an untrusted DLL file, which will be loaded by the signed document.
Sublime Security
Created Aug 17th, 2023 • Last updated Dec 28th, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_common_archives
or .file_type == "rar"
)
and (
(
any(file.explode(.),
.scan.zip.encrypted == false
// zip contains a dll file
and any(.scan.zip.all_paths, strings.icontains(., "dll"))
)
and any(file.explode(.),
// macro references a dll file
any(.flavors.yara, strings.like(., "vb_file"))
and any(.scan.strings.strings, strings.icontains(., "dll"))
)
)
or any(file.explode(.), // fallback for encrypted zips
.scan.zip.encrypted == true
and any(.scan.zip.all_paths,
any($file_extensions_macros, strings.icontains(.., .))
)
// zip contains a dll file
and any(.scan.zip.all_paths, strings.icontains(., "dll"))
)
or (
any(file.explode(.),
any(.flavors.yara, strings.like(., "vb_file"))
and any(.scan.strings.strings, strings.ilike(., "*Lib*.dll*"))
)
and any(file.explode(.), strings.ilike(.file_extension, "dll"))
)
)
)
Playground
Test against your own EMLs or sample data.