Detection Method: File analysis

File analysis breaks down and inspects file contents, formats, and embedded elements to uncover hidden threats. This method goes beyond basic file attributes, deeply examining the inner structure of files to find potentially malicious content that looks legitimate on the surface.
File analysis helps detect:
  • Malicious macros in Office documents (Word, Excel, PowerPoint)
  • Obfuscated scripts hidden in PDFs or other document types
  • Executable code disguised in non-executable files
  • Hidden text content using encoding or steganography
  • Suspicious metadata or file properties suggesting tampering
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Stripe invoice abuse
2d ago
Jul 14th, 2026
Sublime Security
Attachment: PDF with suspicious document view lure
2d ago
Jul 14th, 2026
Sublime Security
Attachment: Encrypted PDF with credential theft language in EML
3d ago
Jul 13th, 2026
Sublime Security
Attachment: PDF Object Hash associated with a fake invoice and a W-9
14d ago
Jul 2nd, 2026
Sublime Security
Attachment: ICS calendar file with suspicious UID domain
14d ago
Jul 2nd, 2026
Sublime Security
Attachment: Romance scam with image lure and advance-fee or suspicious link indicators
15d ago
Jul 1st, 2026
Sublime Security
Attachment: Suspicious PDF created with headless browser
15d ago
Jul 1st, 2026
Sublime Security
Attachment: PDF with specific W-9 lure
15d ago
Jul 1st, 2026
Sublime Security
Attachment: PDF with quote lure
15d ago
Jul 1st, 2026
Sublime Security
Attachment: PDF with localhost IP in EXIF title metadata
17d ago
Jun 29th, 2026
Sublime Security
Attachment: PDF with suspicious internal object reference identifier
17d ago
Jun 29th, 2026
Sublime Security
Attachment: Invoice and W-9 PDFs with suspicious creators
20d ago
Jun 26th, 2026
Sublime Security
Attachment: PDF with W-9 form indicators
20d ago
Jun 26th, 2026
Sublime Security
Brand impersonation: Proofpoint secure messaging without legitimate indicators
20d ago
Jun 26th, 2026
Sublime Security
Brand impersonation: Dropbox
20d ago
Jun 26th, 2026
Sublime Security
Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation
21d ago
Jun 25th, 2026
Sublime Security
Attachment: DOCX with malicious document template artifacts
21d ago
Jun 25th, 2026
Sublime Security
Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies
21d ago
Jun 25th, 2026
Sublime Security
Attachment: PDF with a suspicious string and single URL
29d ago
Jun 17th, 2026
Sublime Security
Attachment: PDF Object Hash associated with fake Canada Revenue Agency documents
29d ago
Jun 17th, 2026
Sublime Security