• Sublime Core Feed
Medium Severity

Attachment: RTF with embedded content

Labels

Malware/Ransomware
Evasion
File analysis
YARA

Description

RTF files can contain embedded content similar to OLE files (Microsoft Office documents.)

References

@amitchell516
Created Aug 17th, 2023 • Last updated Feb 26th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and any(attachments,
        .file_type == "rtf"
        and any(file.explode(.),
                .flavors.mime in~ (
                  "application/x-dosexec",
                  "text/x-msdos-batch",
                  "application/octet-stream"
                )
                or any(.flavors.yara, . == 'base64_pe')
                or .file_extension in~ ("bat", "exe", "vbs")
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started