• Sublime Core Feed
High Severity

Attachment: PowerPoint with suspicious hyperlink

Labels

Malware/Ransomware
Evasion
Scripting
Exif analysis
File analysis

Description

Attached PowerPoint contains a suspicious hyperlink that can execute arbitrary code.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Aug 21st, 2023
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        (.file_extension in~ ("ppt", "pptx"))
        and any(file.explode(.),
                any(.scan.exiftool.fields,
                    .key == "Hyperlinks"
                    and (
                      4 of (
                        strings.ilike(.value, "*[Convert]::ToChar*"),
                        strings.ilike(.value, "*vbs*"),
                        strings.ilike(.value, "*[IO.File]::Create*"),
                        strings.ilike(.value, "*[IO.File]::Exists*"),
                        strings.ilike(.value, "*[io.FileOPtions]::DeleteOnClose*"),
                        strings.ilike(.value, "*Net.WebClient*"),
                        strings.ilike(.value, "*dll*"),
                      )
                    )
                )
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started