Detection Method: Archive analysis

Archive analysis is the process of unpacking compressed files such as ZIP, RAR, or TAR archives to find threats hidden inside. Attackers often bury malicious payloads in multiple layers of archives to bypass basic scanning. This method digs into those layers to expose what’s really inside.

Security systems use recursive unpacking to detect things like:
  • Scripts or executables hidden in nested ZIPs
  • Macro-enabled documents disguised inside archive chains
  • Encrypted files used to evade detection

For example, an attacker might send a ZIP file that contains another ZIP, which holds a Word document with malicious macros. Archive analysis unpacks each layer and inspects the contents individually.
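The recursive walk described above, as an added illustration that is not Sublime Security's code: it unpacks ZIP and TAR layers in memory, flags scripts, executables and macro-enabled documents by extension, reports members it cannot open because they are password-protected, and stops at a nesting depth limit and a size budget so a decompression bomb cannot exhaust the scanner. The depth and size limits, the extension policy list, the helper names, and the sample attachment (built by `build_sample` from placeholder bytes, with the "encrypted" member simulated by setting the ZIP encryption flag bit) are all assumptions constructed for this example.

```python
# Recursive archive analysis of a mail attachment, held entirely in memory.
# Added illustration, not Sublime Security's engine; limits, extension list and sample are assumed/constructed.
import io, os, tarfile, zipfile
from collections import namedtuple
from dataclasses import dataclass, field

MAX_DEPTH = 5                  # assumed: stop descending after this many nested layers
MAX_MEMBER_BYTES = 10_000_000  # assumed: cap per unpacked member
MAX_TOTAL_BYTES = 50_000_000   # assumed: cap across all members (decompression-bomb guard)
SUSPICIOUS_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd",
                  ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}  # assumed policy list

Finding = namedtuple("Finding", "path depth reason")  # path like "invoice.zip/inner.zip/invoice.docm"

@dataclass
class Report:
    findings: list = field(default_factory=list)
    members: int = 0         # members seen across all layers
    bytes_seen: int = 0      # unpacked bytes charged against MAX_TOTAL_BYTES
    truncated: bool = False  # a limit stopped the walk before everything was inspected

def analyze(data, name="attachment", depth=0, report=None):
    """Inspect one object, then recurse into it if it is a ZIP or TAR container."""
    report = report if report is not None else Report()
    ext = os.path.splitext(name)[1].lower()
    if ext in SUSPICIOUS_EXT:
        report.findings.append(Finding(name, depth, f"suspicious file type {ext}"))
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    try:
        tf = None if is_zip else tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.ReadError:
        return report  # neither ZIP nor TAR: a leaf object, nothing more to unpack
    if depth >= MAX_DEPTH:
        report.findings.append(Finding(name, depth, "nesting depth limit reached; not unpacked"))
        report.truncated = True
    elif is_zip:
        _walk_zip(data, name, depth, report)
    else:
        with tf:
            _walk_tar(tf, name, depth, report)
    return report

def _visit(payload, child, depth, report):
    # Charge one unpacked member against the size budgets, then recurse into it.
    if len(payload) > MAX_MEMBER_BYTES:
        reason = "member exceeds per-file size limit; not inspected"
    elif report.bytes_seen + len(payload) > MAX_TOTAL_BYTES:
        reason = "total unpack budget exhausted; not inspected"
    else:
        report.bytes_seen += len(payload)
        analyze(payload, child, depth + 1, report)
        return
    report.findings.append(Finding(child, depth + 1, reason))
    report.truncated = True

def _walk_zip(data, name, depth, report):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            child = f"{name}/{info.filename}"
            report.members += 1
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is password-protected
                report.findings.append(Finding(child, depth + 1, "encrypted member; cannot inspect without password"))
                continue
            with zf.open(info) as fh:  # read one byte past the cap so oversize members are caught
                _visit(fh.read(MAX_MEMBER_BYTES + 1), child, depth, report)

def _walk_tar(tf, name, depth, report):
    for member in tf:
        if member.isfile():
            report.members += 1
            _visit(tf.extractfile(member).read(MAX_MEMBER_BYTES + 1), f"{name}/{member.name}", depth, report)

# ---- constructed sample attachment: placeholder bytes only, nothing executable ----
def make_zip(members, compression=zipfile.ZIP_DEFLATED):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()

def _mark_encrypted(single_entry_zip):
    # Set general-purpose bit 0 in the local and central headers; stands in for a real password-protected ZIP.
    buf = bytearray(single_entry_zip)
    buf[buf.index(b"PK\x03\x04") + 6] |= 0x1
    buf[buf.index(b"PK\x01\x02") + 8] |= 0x1
    return bytes(buf)

def build_sample():
    """ZIP -> {ZIP -> macro doc + note, TAR -> script, text, 'encrypted' ZIP -> exe}."""
    inner = make_zip({"invoice.docm": b"PLACEHOLDER, not a real macro document", "notes.txt": b"hello"})
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        script = b"// placeholder script\n"
        info = tarfile.TarInfo("update.js")
        info.size = len(script)
        tf.addfile(info, io.BytesIO(script))
    secret = _mark_encrypted(make_zip({"payload.exe": b"MZ placeholder"}, zipfile.ZIP_STORED))
    return make_zip({"inner.zip": inner, "tools.tar": tar_buf.getvalue(),
                     "readme.txt": b"please review the attached invoice", "secret.zip": secret})
```

Running `analyze(build_sample(), "invoice.zip")` yields three findings, each two layers deep: the `.docm` inside the inner ZIP, the `.js` inside the TAR, and the `.exe` the scanner could not open because its ZIP member is flagged as encrypted. That last case is the practical point: an encrypted member is itself a verdict input, not a reason to pass the message through. The `truncated` flag tells the caller that a depth or size limit cut the walk short, which should also count against the attachment rather than being treated as "clean".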
Tactics & Techniques (9):
  • Evasion
  • Macros
  • Scripting
  • HTML smuggling
  • Exploit
  • Encryption
  • LNK
  • Social engineering
  • PDF
Detection rules using this method (20). Fields: Rule Name & Severity, Last Updated, Author, Types, Tactics & Capabilities, Link.

• Attachment: Macro Files Containing MHT Content
    Last updated: Jun 12th, 2025 UTC (6d ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Credential Phishing, Evasion, Macros, Scripting, Archive analysis, File analysis, Macro analysis
    Link: /feeds/core/detection-rules/attachment-macro-files-containing-mht-content-4d54e40b

• Attachment: Embedded Javascript in SVG file
    Last updated: Jun 2nd, 2025 UTC (16d ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Scripting, Archive analysis, File analysis, Sender analysis, XML analysis
    Link: /feeds/core/detection-rules/attachment-embedded-javascript-in-svg-file-f70293bc

• Attachment: OLE external relationship containing file scheme link to executable filetype
    Last updated: Apr 17th, 2025 UTC (2mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, Archive analysis, Content analysis, OLE analysis, Sender analysis
    Link: /feeds/core/detection-rules/attachment-ole-external-relationship-containing-file-scheme-link-to-executable-filetype-33bf6fd4

• Attachment: HTML with obfuscation and recipient's email in JavaScript strings
    Last updated: Apr 10th, 2025 UTC (2mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Credential Phishing, HTML smuggling, Scripting, Archive analysis, File analysis, HTML analysis, Javascript analysis
    Link: /feeds/core/detection-rules/attachment-html-with-obfuscation-and-recipients-email-in-javascript-strings-1aff486b

• HTML smuggling containing recipient email address
    Last updated: Apr 1st, 2025 UTC (2mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Credential Phishing, Malware/Ransomware, Evasion, HTML smuggling, Scripting, Archive analysis, File analysis, Sender analysis
    Link: /feeds/core/detection-rules/html-smuggling-containing-recipient-email-address-af32ff2f

• Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability
    Last updated: Mar 21st, 2025 UTC (2mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Credential Phishing, Scripting, Macros, Exploit, Archive analysis, Content analysis, File analysis
    Link: /feeds/core/detection-rules/attachment-cve-2025-24071-microsoft-windows-file-explorer-spoofing-vulnerability-2e69fa0b

• Link to auto-download of a suspicious file type (unsolicited)
    Last updated: Mar 5th, 2025 UTC (3mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, LNK, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, YARA
    Link: /feeds/core/detection-rules/link-to-auto-download-of-a-suspicious-file-type-unsolicited-67ae2152

• Attachment: Filename Containing Unicode Braille Pattern Blank Character
    Last updated: Feb 20th, 2025 UTC (3mo ago)
    Author: @vector_sec
    Types, tactics & capabilities: Malware/Ransomware, Evasion, Archive analysis, File analysis
    Link: /feeds/core/detection-rules/attachment-filename-containing-unicode-braille-pattern-blank-character-c230ca86

• Non-RFC Compliant Calendar Files from unsolicited sender
    Last updated: Nov 20th, 2024 UTC (6mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Evasion, Social engineering, Archive analysis, Content analysis, File analysis, Sender analysis
    Link: /feeds/core/detection-rules/non-rfc-compliant-calendar-files-from-unsolicited-sender-9859f100

• QR code to auto-download of a suspicious file type (unsolicited)
    Last updated: Nov 20th, 2024 UTC (7mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, LNK, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, QR code analysis
    Link: /feeds/core/detection-rules/qr-code-to-auto-download-of-a-suspicious-file-type-unsolicited-eed87ea2

• Attachment: Archive containing disallowed file type
    Last updated: Sep 18th, 2024 UTC (9mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, Archive analysis, File analysis
    Link: /feeds/core/detection-rules/attachment-archive-containing-disallowed-file-type-3859e3e7

• Attachment: HTML smuggling with atob and high entropy
    Last updated: Aug 29th, 2024 UTC (9mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Credential Phishing, Malware/Ransomware, HTML smuggling, Scripting, Archive analysis, Content analysis, File analysis, HTML analysis, Javascript analysis, Sender analysis, URL analysis
    Link: /feeds/core/detection-rules/attachment-html-smuggling-with-atob-and-high-entropy-03fcac11

• Attachment: RTF file with suspicious link
    Last updated: Aug 2nd, 2024 UTC (10mo ago)
    Author: Sublime Security
    Types, tactics & capabilities: Credential Phishing, Evasion, Archive analysis, File analysis, Sender analysis, URL analysis
    Link: /feeds/core/detection-rules/attachment-rtf-file-with-suspicious-link-c848f9aa

• Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
    Last updated: May 3rd, 2024 UTC (1y ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, PDF, Archive analysis, File analysis, Sender analysis
    Link: /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-links-to-suspicious-filetypes-unsolicited-6144f880

• Attachment: PDF file with low reputation link to ZIP file (unsolicited)
    Last updated: May 3rd, 2024 UTC (1y ago)
    Author: Michael Tingle
    Types, tactics & capabilities: Malware/Ransomware, Evasion, PDF, Archive analysis, File analysis, Natural Language Understanding, Sender analysis, URL analysis
    Link: /feeds/core/detection-rules/attachment-pdf-file-with-low-reputation-link-to-zip-file-unsolicited-d1ee2859

• Link to auto-downloaded disk image in encrypted zip
    Last updated: Apr 25th, 2024 UTC (1y ago)
    Author: @ajpc500
    Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, YARA
    Link: /feeds/core/detection-rules/link-to-auto-downloaded-disk-image-in-encrypted-zip-b50f0cb1

• Link to auto-downloaded DMG in encrypted zip
    Last updated: Apr 25th, 2024 UTC (1y ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Encryption, Evasion, Social engineering, Archive analysis, File analysis, Sender analysis, URL analysis, YARA
    Link: /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-encrypted-zip-43af98d3

• Attachment: PDF with link to DMG file download
    Last updated: Apr 25th, 2024 UTC (1y ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, PDF, Archive analysis, Content analysis, File analysis, URL analysis
    Link: /feeds/core/detection-rules/attachment-pdf-with-link-to-dmg-file-download-2c486fe0

• Malware: Pikabot delivery via URL auto-download
    Last updated: Apr 25th, 2024 UTC (1y ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, Archive analysis, File analysis, Threat intelligence, URL analysis
    Link: /feeds/core/detection-rules/malware-pikabot-delivery-via-url-auto-download-f4be4572

• Link to auto-downloaded DMG in archive
    Last updated: Apr 25th, 2024 UTC (1y ago)
    Author: Sublime Security
    Types, tactics & capabilities: Malware/Ransomware, Evasion, Archive analysis, File analysis, Sender analysis, URL analysis
    Link: /feeds/core/detection-rules/link-to-auto-downloaded-dmg-in-archive-dc04cdd8