← Back to Explore
sublimehighRule
Attachment with macro calling executable
Recursively scans files and archives to detect embedded VBA files with an encoded hex string referencing an exe. This may be an attempt to heavily obfuscate an execution through Microsoft document.
Detection Query
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment with macro calling executable"
description: |
Recursively scans files and archives to detect embedded VBA files
with an encoded hex string referencing an exe.
This may be an attempt to heavily obfuscate an execution through
Microsoft document.
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "Macros"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "5ee6a197-eea0-505a-a4d9-24addaf23d3c"