Detection Method: Archive analysis

Archive analysis is the process of unpacking compressed files like ZIPs, RARs, or TARs to find threats hidden inside. Attackers often bury malicious payloads in multiple layers of archives to bypass basic scanning. This method digs into those layers to expose what’s really inside.
Security systems use recursive unpacking to detect things like:
  • Scripts or executables hidden in nested ZIPs
  • Macro-enabled documents disguised inside archive chains
  • Encrypted files used to evade detection
For example, an attacker might send a ZIP file that contains another ZIP, which holds a Word document with malicious macros. Archive analysis unpacks each layer and inspects the contents individually.
Blog Posts
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (3):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Tactics & Techniques (19):
Encryption
Evasion
Impersonation: Brand
PDF
ICS Phishing
Social engineering
Free subdomain host
HTML smuggling
Scripting
QR code
Exploit
Free file host
Open redirect
Image as content
Macros
Impersonation: Employee
LNK
OneNote
ISO
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment with unscannable encrypted zip
12d ago
Apr 30th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
Adobe branded PDF file linking to a password-protected file from untrusted sender
13d ago
Apr 29th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Impersonation: Brand
PDF
Archive analysis
File analysis
Natural Language Understanding
Optical Character Recognition
MalwareBazaar: Malicious attachment hash in archive (trusted reporters)
13d ago
Apr 29th, 2026
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
File analysis
Sender analysis
Threat intelligence
Non-RFC compliant calendar files from unsolicited sender
14d ago
Apr 28th, 2026
Sublime Security
Evasion
ICS Phishing
Social engineering
Archive analysis
Content analysis
File analysis
Sender analysis
Attachment: HTML smuggling Microsoft sign in
15d ago
Apr 27th, 2026
Sublime Security
Credential Phishing
Free subdomain host
HTML smuggling
Impersonation: Brand
Social engineering
Archive analysis
Content analysis
File analysis
Header analysis
Javascript analysis
Sender analysis
URL analysis
Attachment: File execution via Javascript
15d ago
Apr 27th, 2026
Sublime Security
Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
Javascript analysis
Sender analysis
Attachment: Double base64-encoded zip file in HTML smuggling attachment
15d ago
Apr 27th, 2026
@ajpc500
Malware/Ransomware
Credential Phishing
Evasion
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
HTML analysis
Sender analysis
Attachment: TAR file with RAR type
18d ago
Apr 24th, 2026
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
File analysis
Attachment: Encrypted ZIP containing VHDX file
1mo ago
Apr 3rd, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
Attachment: EML with QR code redirecting to Cloudflare challenges
1mo ago
Apr 1st, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
QR code
File analysis
QR code analysis
URL analysis
Archive analysis
Attachment: ZIP file with CVE-2026-0866 exploit
1mo ago
Mar 20th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Attachment: Archive containing HTML file with file scheme link
1mo ago
Mar 17th, 2026
Sublime Security
Credential Phishing
Evasion
Exploit
HTML smuggling
Social engineering
Archive analysis
File analysis
HTML analysis
Link: Commonly Abused Web Service redirecting to ZIP file
2mo ago
Mar 10th, 2026
Sublime Security
Malware/Ransomware
Free file host
Free subdomain host
Open redirect
Evasion
URL analysis
Whois
Archive analysis
Attachment: QR code with suspicious URL patterns in EML file
2mo ago
Feb 21st, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Social engineering
Archive analysis
File analysis
QR code analysis
URL analysis
Attachment: cmd file extension
3mo ago
Feb 9th, 2026
Sublime Security
Malware/Ransomware
Scripting
Archive analysis
File analysis
Attachment: QR code with encoded recipient targeting and redirect indicators
3mo ago
Jan 30th, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Image as content
Open redirect
Archive analysis
File analysis
QR code analysis
URL analysis
Attachment: Office file with document sharing and browser instruction lures
3mo ago
Jan 29th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Content analysis
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Macros
Scripting
Archive analysis
Content analysis
File analysis
Macro analysis
OLE analysis
Attachment: EML with Encrypted ZIP
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
Attachment: HTML smuggling with ROT13
3mo ago
Jan 12th, 2026
@Kyle_Parrish_
Credential Phishing
Malware/Ransomware
Encryption
Evasion
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
Javascript analysis
HTML analysis
Page 1 of 5