• Sublime Core Feed
Medium Severity

Attachment: Archive with embedded CHM file

Labels

Malware/Ransomware
Evasion
Archive analysis
File analysis

Description

Recursively scans files and archives to detect embedded CHM (Microsoft Compiled HTML Help) files.

According to CERT-UA, on March 7, 2022, phishing attacks targeted state organizations of Ukraine using Zip files with embedded CHM documents, which themselves contained malicious VBScript inside a .htm file. The activity is associated with UNC1151, according to CERT-UA.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_extension in~ $file_extensions_common_archives
        and any(file.explode(.), .file_extension =~ "chm")
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started