Detection Method: Archive analysis

Archive analysis is the process of unpacking compressed files like ZIPs, RARs, or TARs to find threats hidden inside. Attackers often bury malicious payloads in multiple layers of archives to bypass basic scanning. This method digs into those layers to expose what’s really inside.
Security systems use recursive unpacking to detect things like:
  • Scripts or executables hidden in nested ZIPs
  • Macro-enabled documents disguised inside archive chains
  • Encrypted files used to evade detection
For example, an attacker might send a ZIP file that contains another ZIP, which holds a Word document with malicious macros. Archive analysis unpacks each layer and inspects the contents individually.
Blog Posts
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Scripting Vector Grifts: SVG phishing with smuggled JS and adversary in the middle tactics · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
QR Code Phishing: Decoding Hidden Threats · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (3):
Malware/Ransomware
Credential Phishing
BEC/Fraud
Tactics & Techniques (18):
Encryption
Evasion
QR code
Exploit
HTML smuggling
Social engineering
Free file host
Free subdomain host
Open redirect
Scripting
Image as content
Macros
Impersonation: Employee
PDF
LNK
Impersonation: Brand
OneNote
ISO
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Encrypted ZIP containing VHDX file
17d ago
Apr 3rd, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Archive analysis
File analysis
Attachment: EML with QR code redirecting to Cloudflare challenges
19d ago
Apr 1st, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
QR code
File analysis
QR code analysis
URL analysis
Archive analysis
Attachment: ZIP file with CVE-2026-0866 exploit
1mo ago
Mar 20th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Attachment: Archive containing HTML file with file scheme link
1mo ago
Mar 17th, 2026
Sublime Security
Credential Phishing
Evasion
Exploit
HTML smuggling
Social engineering
Archive analysis
File analysis
HTML analysis
Link: Commonly Abused Web Service redirecting to ZIP file
1mo ago
Mar 10th, 2026
Sublime Security
Malware/Ransomware
Free file host
Free subdomain host
Open redirect
Evasion
URL analysis
Whois
Archive analysis
Attachment: QR code with suspicious URL patterns in EML file
1mo ago
Feb 21st, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Social engineering
Archive analysis
File analysis
QR code analysis
URL analysis
Attachment: cmd file extension
2mo ago
Feb 9th, 2026
Sublime Security
Malware/Ransomware
Scripting
Archive analysis
File analysis
Attachment: QR code with encoded recipient targeting and redirect indicators
2mo ago
Jan 30th, 2026
Sublime Security
Credential Phishing
QR code
Evasion
Image as content
Open redirect
Archive analysis
File analysis
QR code analysis
URL analysis
Attachment: Office file with document sharing and browser instruction lures
2mo ago
Jan 29th, 2026
Sublime Security
Credential Phishing
Social engineering
Evasion
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Content analysis
Attachment with auto-executing macro (unsolicited)
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
Archive analysis
Header analysis
File analysis
Macro analysis
OLE analysis
Sender analysis
Attachment with macro calling executable
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Macros
Archive analysis
File analysis
Attachment with VBA macros from employee impersonation (unsolicited)
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Impersonation: Employee
Macros
Social engineering
Archive analysis
File analysis
Macro analysis
Sender analysis
Attachment: HTML smuggling with ROT13
3mo ago
Jan 12th, 2026
@Kyle_Parrish_
Credential Phishing
Malware/Ransomware
Encryption
Evasion
HTML smuggling
Scripting
Archive analysis
Content analysis
File analysis
Javascript analysis
HTML analysis
Attachment: Office file with suspicious function calls or downloaded file path
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Scripting
Archive analysis
File analysis
Attachment: PDF with link to DMG file download
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
Archive analysis
Content analysis
File analysis
URL analysis
Attachment: PDF with link to zip containing a wsf file
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
Archive analysis
Content analysis
File analysis
URL analysis
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
Archive analysis
File analysis
Sender analysis
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
3mo ago
Jan 12th, 2026
Michael Tingle
Malware/Ransomware
Evasion
PDF
Archive analysis
File analysis
Natural Language Understanding
Sender analysis
URL analysis
Attachment: WinRAR CVE-2025-8088 exploitation
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Exploit
Evasion
Archive analysis
File analysis
YARA
Attachment soliciting user to enable macros
3mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Macros
Archive analysis
File analysis
Macro analysis
Optical Character Recognition
Sender analysis
Page 1 of 5