• Sublime Core Feed
High Severity

Attachment: JavaScript file with suspicious base64-encoded executable

Labels

Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
YARA

Description

JavaScript attachment or compressed JavaScript file containing a base64 encoded executable.

References

No references.

Sublime Security
Created Apr 1st, 2024 • Last updated Apr 1st, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          .file_extension in~ $file_extensions_common_archives
          or .file_extension in ("js", "jar")
        )
        and any(file.explode(.),
                (
                  (
                    .file_extension in ("js", "jar")
                    or any(.flavors.yara, . == "javascript_file")
                  )
                  and any(.flavors.yara, . == 'base64_pe')
                )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started