← Back to Explore
sublimemediumRule
Attachment: RTF with embedded content
RTF files can contain embedded content similar to OLE files (Microsoft Office documents.)
Detection Query
type.inbound
and any(attachments,
.file_type == "rtf"
and any(file.explode(.),
.flavors.mime in~ (
"application/x-dosexec",
"text/x-msdos-batch",
"application/octet-stream"
)
or any(.flavors.yara, . == 'base64_pe')
or .file_extension in~ ("bat", "exe", "vbs")
)
)
Author
amitchell516
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Attack surface reduction
Raw Content
name: "Attachment: RTF with embedded content"
description: |
RTF files can contain embedded content similar to OLE files (Microsoft Office documents.)
references:
- "https://delivr.to/payloads?id=bd526b27-f202-4827-ab44-1d037960d837"
- "https://playground.sublimesecurity.com/?id=5d47ec8d-f099-4d6c-9a5b-03f4d7cb0254"
type: "rule"
authors:
- twitter: "amitchell516"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_type == "rtf"
and any(file.explode(.),
.flavors.mime in~ (
"application/x-dosexec",
"text/x-msdos-batch",
"application/octet-stream"
)
or any(.flavors.yara, . == 'base64_pe')
or .file_extension in~ ("bat", "exe", "vbs")
)
)
tags:
- "Attack surface reduction"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "File analysis"
- "YARA"
id: "61dd2dd7-21cf-58be-bd58-87ae677a00ab"