Detection Method: Archive analysis

Archive analysis is the process of unpacking compressed files like ZIPs, RARs, or TARs to find threats hidden inside. Attackers often bury malicious payloads in multiple layers of archives to bypass basic scanning. This method digs into those layers to expose what’s really inside.
Security systems use recursive unpacking to detect things like:
  • Scripts or executables hidden in nested ZIPs
  • Macro-enabled documents disguised inside archive chains
  • Encrypted files used to evade detection
For example, an attacker might send a ZIP file that contains another ZIP, which holds a Word document with malicious macros. Archive analysis unpacks each layer and inspects the contents individually.
Blog Posts
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (3):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Tactics & Techniques (18):
Free file host
Free subdomain host
Open redirect
Evasion
QR code
Social engineering
Scripting
Image as content
PDF
Exploit
Encryption
HTML smuggling
LNK
Macros
Impersonation: Employee
Impersonation: Brand
OneNote
ISO
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Link: Commonly Abused Web Service redirecting to ZIP file
4d ago
Mar 10th, 2026
Sublime Security
Malware/Ransomware
Free file host
Free subdomain host
Open redirect
Evasion
URL analysis
Whois
Archive analysis
Attachment: QR code with suspicious URL patterns in EML file
21d ago
Feb 21st, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Social engineering
Archive analysis
File analysis
QR code analysis
URL analysis
Attachment: cmd file extension
1mo ago
Feb 9th, 2026
Sublime Security
Malware/Ransomware
Scripting
Archive analysis
File analysis
Attachment: QR code with encoded recipient targeting and redirect indicators
1mo ago
Jan 30th, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Image as content
Open redirect
Archive analysis
File analysis
QR code analysis
URL analysis
Attachment: Office file with document sharing and browser instruction lures
1mo ago
Jan 29th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Content analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
2mo ago
Jan 12th, 2026
Michael Tingle
Malware/Ransomware
Evasion
PDF
Archive analysis
File analysis
Natural Language Understanding
Sender analysis
URL analysis
Attachment: Office document loads remote document template
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Archive analysis
File analysis
URL analysis
Attachment: Office file with suspicious function calls or downloaded file path
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
Attachment: PDF with link to DMG file download
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
Archive analysis
Content analysis
File analysis
URL analysis
Attachment: PDF with link to zip containing a wsf file
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
Archive analysis
Content analysis
File analysis
URL analysis
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
Archive analysis
File analysis
Sender analysis
Attachment: WinRAR CVE-2025-8088 exploitation
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Attachment: HTML smuggling with ROT13
2mo ago
Jan 12th, 2026
@Kyle_Parrish_
Credential Phishing
Malware/Ransomware
Encryption
Evasion
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
Javascript analysis
HTML analysis
Link to auto-download of a suspicious file type (unsolicited)
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
LNK
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
Attachment: 7z Archive Containing RAR File
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Archive analysis
File analysis
Attachment: EML with Encrypted ZIP
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
YARA
Link to auto-downloaded disk image in encrypted zip
2mo ago
Jan 12th, 2026
@ajpc500
Malware/Ransomware
Encryption
Evasion
Social engineering
Archive analysis
File analysis
Sender analysis
URL analysis
YARA
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Macros
Scripting
Archive analysis
Content analysis
File analysis
Macro analysis
OLE analysis
Attachment with VBA macros from employee impersonation (unsolicited)
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Impersonation: Employee
Macros
Social engineering
Archive analysis
File analysis
Macro analysis
Sender analysis
Attachment with macro calling executable
2mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Macros
Archive analysis
File analysis
Page 1 of 5