Detection Method: Archive analysis

Archive analysis is the process of unpacking compressed files like ZIPs, RARs, or TARs to find threats hidden inside. Attackers often bury malicious payloads in multiple layers of archives to bypass basic scanning. This method digs into those layers to expose what’s really inside.
Security systems use recursive unpacking to detect things like:
  • Scripts or executables hidden in nested ZIPs
  • Macro-enabled documents disguised inside archive chains
  • Encrypted files used to evade detection
For example, an attacker might send a ZIP file that contains another ZIP, which holds a Word document with malicious macros. Archive analysis unpacks each layer and inspects the contents individually.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Malicious zip file matching zipline campaign
21d ago
Jun 25th, 2026
Sublime Security
Attachment with auto-executing macro (unsolicited)
1mo ago
Jun 5th, 2026
Sublime Security
Attachment: Embedded VBScript in MHT file
2mo ago
May 14th, 2026
Sublime Security
Attachment with unscannable encrypted zip
2mo ago
Apr 30th, 2026
Sublime Security
Adobe branded PDF file linking to a password-protected file from untrusted sender
2mo ago
Apr 29th, 2026
Sublime Security
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
2mo ago
Apr 29th, 2026
Sublime Security
Non-RFC compliant calendar files from unsolicited sender
2mo ago
Apr 28th, 2026
Sublime Security
Attachment: Double base64-encoded zip file in HTML smuggling attachment
2mo ago
Apr 27th, 2026
@ajpc500
Attachment: HTML smuggling Microsoft sign in
2mo ago
Apr 27th, 2026
Sublime Security
Attachment: File execution via Javascript
2mo ago
Apr 27th, 2026
Sublime Security
Attachment: TAR file with RAR type
2mo ago
Apr 24th, 2026
Sublime Security
Attachment: Encrypted ZIP containing VHDX file
3mo ago
Apr 3rd, 2026
Sublime Security
Attachment: EML with QR code redirecting to Cloudflare challenges
3mo ago
Apr 1st, 2026
Sublime Security
Attachment: ZIP file with CVE-2026-0866 exploit
3mo ago
Mar 20th, 2026
Sublime Security
Attachment: Archive containing HTML file with file scheme link
4mo ago
Mar 17th, 2026
Sublime Security
Link: Commonly Abused Web Service redirecting to ZIP file
4mo ago
Mar 10th, 2026
Sublime Security
Attachment: QR code with suspicious URL patterns in EML file
4mo ago
Feb 21st, 2026
Sublime Security
Attachment: cmd file extension
5mo ago
Feb 9th, 2026
Sublime Security
Attachment: QR code with encoded recipient targeting and redirect indicators
5mo ago
Jan 30th, 2026
Sublime Security
Attachment: Office file with document sharing and browser instruction lures
5mo ago
Jan 29th, 2026
Sublime Security