Sublime rule, severity: high
macOS malware: Compiled AppleScript with document double-extension
Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt) commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when double-clicked and use social engineering (fake compatibility errors) to trick users into executing malicious reconnaissance scripts that fetch subsequent payload stages.
Detection Query
type.inbound
// attachment with .scpt extension (compiled AppleScript)
and any(attachments,
        .file_extension == "scpt"
        // double extension pattern: common document extensions followed by .scpt
        and regex.icontains(.file_name,
                            '\.(doc|docx|pdf|xls|xlsx|ppt|pptx|txt|rtf)\.scpt$'
        )
        // ensure it's actually a binary/script file, not just renamed
        // compiled AppleScript files are binary and have minimum size
        and (.file_type == "unknown" or .file_type == "exe")
        // compiled .scpt files are binary, should have reasonable size
        and .size > 1000
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "macOS malware: Compiled AppleScript with document double-extension"
description: |
  Detects compiled AppleScript files (.scpt) with document double-extensions (e.g., .docx.scpt, .pdf.scpt)
  commonly used in DPRK-attributed macOS malware campaigns. These files open in Script Editor when
  double-clicked and use social engineering (fake compatibility errors) to trick users into executing
  malicious reconnaissance scripts that fetch subsequent payload stages.
references:
  - "https://delivr.to/payloads?id=9fd3974a-b764-4011-b3ea-f4eeb993aa5b"
type: "rule"
severity: "high"
source: |
  type.inbound
  // attachment with .scpt extension (compiled AppleScript)
  and any(attachments,
          .file_extension == "scpt"
          // double extension pattern: common document extensions followed by .scpt
          and regex.icontains(.file_name,
                              '\.(doc|docx|pdf|xls|xlsx|ppt|pptx|txt|rtf)\.scpt$'
          )
          // ensure it's actually a binary/script file, not just renamed
          // compiled AppleScript files are binary and have minimum size
          and (.file_type == "unknown" or .file_type == "exe")
          // compiled .scpt files are binary, should have reasonable size
          and .size > 1000
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Header analysis"
id: "9669c169-57fe-5d80-865a-5e66eccfb658"