Sublime Core Feed
High Severity

Attachment: Office file with suspicious function calls or downloaded file path

Labels

Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis

Description

The attached Office file contains suspicious function calls (URLDownloadToFile together with Auto_Open) or a file path matching a known malicious pattern.

References

Sublime Security
Created Nov 21st, 2023 • Last updated Feb 9th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (
          // office files
          .file_extension in~ $file_extensions_macros
          or .file_extension in~ $file_extensions_common_archives
          or (
            .file_extension is null
            and .file_type == "unknown"
            and .content_type == "application/octet-stream"
            and .size < 100000
          )
        )
        and (
          any(file.explode(.),
              (
                any(.scan.strings.strings, strings.ilike(., '*URLDownloadToFile*'))
                and any(.scan.strings.strings, strings.ilike(., '*Auto_Open*'))
              )
              or any(.scan.strings.strings,
                     regex.icontains(., 'C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}')
              )
          )
        )
)
and (
  (
    profile.by_sender().prevalence in ("new", "outlier")
    and not profile.by_sender().solicited
  )
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and not profile.by_sender().any_false_positives
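To make the three gates of the rule concrete, here is an added Python model of the same logic; it is example code written for this page, not Sublime's own implementation of MQL. It assumes a simplified `strings` pass in place of `file.explode()` (which in the real product also unpacks archives and Office containers), constructed stand-ins for the `$file_extensions_macros` and `$file_extensions_common_archives` lists, and a small `SenderProfile` dataclass for the `profile.by_sender()` fields. The sample byte blobs are constructed, not real malware. Note that the final `and not profile.by_sender().any_false_positives` already covers the same check inside the second sender branch, so the model keeps both only to mirror the rule as written.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed subsets standing in for Sublime's $file_extensions_macros and
# $file_extensions_common_archives lists (assumption: the real lists are longer).
MACRO_EXTENSIONS = {"doc", "docm", "dot", "dotm", "xls", "xlsm", "xlam", "ppt", "pptm"}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "gz", "tar"}

# The rule's content indicators, copied from the MQL above.
API_NEEDLES = ("URLDownloadToFile", "Auto_Open")
OBFUSCATED_PATH = re.compile(r"C:\\[A-Za-z]{7}\\[A-Za-z]{7}\\[A-Za-z]{7}", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Pull printable ASCII runs out of raw bytes, the way a `strings` pass does.

    Assumption: this approximates .scan.strings.strings from file.explode(); the
    real explode step also unpacks archives and OLE/OOXML containers first.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def ilike_any(strings: Iterable[str], needle: str) -> bool:
    """strings.ilike(., '*needle*'): case-insensitive substring match over the list."""
    return any(needle.lower() in s.lower() for s in strings)


def attachment_in_scope(ext: Optional[str], file_type: str, content_type: str, size: int) -> bool:
    """First gate: macro-capable Office file, archive, or a small extension-less
    blob that the file-type scanner could not identify."""
    if ext is not None:
        return ext.lower() in MACRO_EXTENSIONS or ext.lower() in ARCHIVE_EXTENSIONS
    return (
        file_type == "unknown"
        and content_type == "application/octet-stream"
        and size < 100000
    )


def content_indicators(strings: Iterable[str]) -> dict:
    """Second gate: the URLDownloadToFile + Auto_Open pair, or the 7-letter path pattern."""
    strings = list(strings)
    api_pair = all(ilike_any(strings, needle) for needle in API_NEEDLES)
    path_hit = any(OBFUSCATED_PATH.search(s) for s in strings)
    return {"api_pair": api_pair, "obfuscated_path": path_hit, "match": api_pair or path_hit}


@dataclass
class SenderProfile:
    """The profile.by_sender() fields the rule consults (hypothetical container)."""
    prevalence: str               # e.g. "new", "outlier", "common"
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool


def sender_condition(p: SenderProfile) -> bool:
    """Third gate: unfamiliar unsolicited sender, or sender with prior bad mail,
    and never a sender that has produced false positives."""
    new_and_unsolicited = p.prevalence in ("new", "outlier") and not p.solicited
    prior_bad = p.any_messages_malicious_or_spam and not p.any_false_positives
    return (new_and_unsolicited or prior_bad) and not p.any_false_positives


def rule_fires(ext, file_type, content_type, data: bytes, profile: SenderProfile) -> bool:
    """Evaluate the whole rule for one inbound attachment."""
    return (
        attachment_in_scope(ext, file_type, content_type, len(data))
        and content_indicators(extract_strings(data))["match"]
        and sender_condition(profile)
    )


# Constructed sample payloads (not real malware): a VBA module body carrying the
# download/auto-run pair, a blob with a random-looking 7-letter path, and a benign
# document that has Auto_Open but no download call.
SAMPLE_MACRO = b"\x00Attribute VB_Name = \"Module1\"\x00Declare Function URLDownloadToFileA\x00Sub Auto_Open()\x00End Sub\x00"
SAMPLE_PATH = b"\x01\x02\x03C:\\Qwertyu\\Asdfghj\\Zxcvbnm\\stage.dat\x00"
SAMPLE_BENIGN = b"\x00Quarterly report\x00Revenue by region\x00Sub Auto_Open()\x00"
NEW_SENDER = SenderProfile("new", False, False, False)

if __name__ == "__main__":
    for name, blob in (("macro", SAMPLE_MACRO), ("path", SAMPLE_PATH), ("benign", SAMPLE_BENIGN)):
        print(name, content_indicators(extract_strings(blob)))
    print("fires on macro sample from new sender:",
          rule_fires("docm", "docm", "application/octet-stream", SAMPLE_MACRO, NEW_SENDER))
```

Running it shows why the rule pairs the two strings instead of alerting on `Auto_Open` alone: the benign sample carries an auto-run macro but no download call and does not match, while the path-only sample matches without any API strings at all.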