T1204.002: Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.(C...

Platforms: Linux, macOS, Windows

397 detections, 5 sources, 84 threat actors

BY SOURCE

sublime 306, elastic 45, sigma 27, splunk_escu 18, crowdstrike_cql 1

PROCEDURES (116)

Auto-extracted procedure groupings, each with the number of detections mapped to it:

Authentication Monitoring: 67 detections
General Monitoring: 36 detections
Attachment: 20 detections
Script Execution Monitoring: 19 detections
Email Security: 17 detections
Network Connection Monitoring: 10 detections
Phish: 8 detections
Email: 7 detections
Macro: 7 detections
Suspicious: 7 detections
Service: 6 detections
Email: 6 detections
Base64: 5 detections
Suspicious: 5 detections
Download: 5 detections
Encrypt: 5 detections
Impersonat: 4 detections
Office: 4 detections
Download: 4 detections
Http: 3 detections
Phish: 3 detections
Process Creation Monitoring: 3 detections
Unusual: 3 detections
Child Process: 3 detections
Bypass: 3 detections
Office: 3 detections
Suspicious: 3 detections
Obfuscat: 3 detections
Attachment: 3 detections
Suspicious: 3 detections
Credential: 3 detections
Office: 3 detections
Service: 3 detections
Remote: 3 detections
Encrypt: 3 detections
Download: 3 detections
Bypass: 2 detections
Encrypt: 2 detections
Phish: 2 detections
Base64: 2 detections
Impersonat: 2 detections
Office: 2 detections
Child Process: 2 detections
Event Log: 2 detections
Unusual: 2 detections
Credential: 2 detections
Macro: 2 detections
Macro: 2 detections
Base64: 2 detections
Impersonat: 2 detections
Masquerad: 2 detections
Api: 2 detections
Obfuscat: 2 detections
Download: 2 detections
Credential: 2 detections
Obfuscat: 2 detections
Wmi: 2 detections
Service: 2 detections
Module Load Monitoring: 2 detections
Powershell: 2 detections
Parent Process: 1 detection
Privilege: 1 detection
Remote: 1 detection
Inject: 1 detection
Phish: 1 detection
Attachment: 1 detection
Attachment: 1 detection
Cloud: 1 detection
Suspicious: 1 detection
Suspicious: 1 detection
Suspicious: 1 detection
Inject: 1 detection
Evasion: 1 detection
Powershell: 1 detection
Attachment: 1 detection
Dns: 1 detection
Container: 1 detection
Download: 1 detection
Inject: 1 detection
Dns: 1 detection
Evasion: 1 detection
Download: 1 detection
Office: 1 detection
Inject: 1 detection
Container: 1 detection
Credential: 1 detection
Http: 1 detection
Email: 1 detection
Persist: 1 detection
Base64: 1 detection
Exfiltrat: 1 detection
Registry Monitoring: 1 detection
Email: 1 detection
Obfuscat: 1 detection
Masquerad: 1 detection
Http: 1 detection
Remote: 1 detection
Service: 1 detection
Ransomware: 1 detection
Inject: 1 detection
Ransomware: 1 detection
Startup: 1 detection
Remote: 1 detection
Parent Process: 1 detection
Evasion: 1 detection
Cloud: 1 detection
Privilege: 1 detection
Startup: 1 detection
Child Process: 1 detection
Unusual: 1 detection
Child Process: 1 detection
Macro: 1 detection
Persist: 1 detection
Privilege: 1 detection
Powershell: 1 detection
Bypass: 1 detection

DETECTIONS (397)

Each entry gives the detection name followed by its source and, where the source assigns one, its severity in brackets:

Adobe branded PDF file linking to a password-protected file from untrusted sender [sublime, high]
Anomalous Process For a Windows Population [elastic, low]
Anomalous Windows Process Creation [elastic, low]
AnonymousFox indicators [sublime, high]
Anthropic Magic String in HTML [sublime, low]
AppLocker Prevented Application or Script from Running [sigma, medium]
Attachment soliciting user to enable macros [sublime, high]
Attachment with auto-executing macro (unsolicited) [sublime, medium]
Attachment with auto-opening VBA macro (unsolicited) [sublime, medium]
Attachment with encrypted zip (unsolicited) [sublime, medium]
Attachment with high risk VBA macro (unsolicited) [sublime, high]
Attachment with macro calling executable [sublime, high]
Attachment with suspicious author (unsolicited) [sublime, high]
Attachment with unscannable encrypted zip (unsolicited) [sublime, medium]
Attachment with VBA macros from employee impersonation (unsolicited) [sublime, high]
Attachment: .csproj with suspicious commands [sublime, high]
Attachment: 7z Archive Containing RAR File [sublime, medium]
Attachment: Any .sap file (unsolicited) [sublime, low]
Attachment: Any HTML file within archive (unsolicited) [sublime, medium]
Attachment: Archive containing disallowed file type [sublime, low]
Attachment: Archive contains DLL-loading macro [sublime, high]
Attachment: Archive with embedded CHM file [sublime, medium]
Attachment: Archive with embedded EXE file [sublime, high]
Attachment: Archive with pdf, txt and wsf files [sublime, medium]
Attachment: Base64 encoded bash command in filename [sublime, high]
Attachment: Calendar file with invisible Unicode characters [sublime, high]
Attachment: cmd file extension [sublime, low]
Attachment: CVE-2021-40444 - MSHTML Remote Code Execution Vulnerability [sublime, critical]
Attachment: CVE-2023-21716 - Microsoft Office Remote Code Execution Vulnerability [sublime, high]
Attachment: CVE-2025-24071 - Microsoft Windows File Explorer Spoofing Vulnerability [sublime, critical]
Attachment: DocX embedded binary [sublime, high]
Attachment: DOCX with hyperlink targeting recipient address [sublime, medium]
Attachment: Double base64-encoded zip file in HTML smuggling attachment [sublime, high]
Attachment: EICAR string present [sublime, low]
Attachment: Embedded Javascript in SVG file [sublime, high]
Attachment: Embedded VBScript in MHT file (unsolicited) [sublime, medium]
Attachment: EML file with HTML attachment (unsolicited) [sublime, medium]
Attachment: EML with embedded Javascript in SVG file [sublime, high]
Attachment: EML with Encrypted ZIP [sublime, low]
Attachment: EML with QR code redirecting to Cloudflare challenges [sublime, low]
Attachment: Emotet heavily padded doc in zip file [sublime, high]
Attachment: Employment contract update with suspicious file naming [sublime, high]
Attachment: Encrypted Microsoft Office file (unsolicited) [sublime, medium]
Attachment: Encrypted ZIP containing VHDX file [sublime, medium]
Attachment: Encrypted zip file with payment-related lure [sublime, medium]
Attachment: Excel file with document sharing lure created by Go Excelize [sublime, high]
Attachment: Excel file with suspicious template identifier [sublime, high]
Attachment: Excel Web Query File (IQY) [sublime, high]
Attachment: Fake attachment image lure [sublime, medium]
Attachment: Fake Slack installer [sublime, high]
Attachment: Fake Zoom installer [sublime, high]
Attachment: File execution via Javascript [sublime, medium]
Attachment: Filename containing Unicode braille pattern blank character [sublime, high]
Attachment: Filename containing Unicode right-to-left override character [sublime, high]
Attachment: HTML attachment with Javascript location [sublime, high]
Attachment: HTML file contains exclusively Javascript [sublime, medium]
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts [sublime, high]
Attachment: HTML file with excessive padding and suspicious patterns [sublime, high]
Attachment: HTML smuggling 'body onload' linking to suspicious destination [sublime, high]
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text [sublime, high]
Attachment: HTML smuggling with atob and high entropy [sublime, high]
Attachment: HTML smuggling with atob and high entropy via calendar invite [sublime, high]
Attachment: HTML smuggling with auto-downloaded file [sublime, high]
Attachment: HTML smuggling with base64 encoded JavaScript function [sublime, high]
Attachment: HTML smuggling with base64 encoded ZIP file [sublime, medium]
Attachment: HTML smuggling with concatenation obfuscation [sublime, high]
Attachment: HTML smuggling with decimal encoding [sublime, high]
Attachment: HTML smuggling with embedded base64 streamed file download [sublime, high]
Attachment: HTML smuggling with embedded base64-encoded executable [sublime, high]
Attachment: HTML smuggling with embedded base64-encoded ISO [sublime, high]
Attachment: HTML smuggling with eval and atob [sublime, high]
Attachment: HTML smuggling with eval and atob via calendar invite [sublime, high]
Attachment: HTML smuggling with excessive line break obfuscation [sublime, high]
Attachment: HTML smuggling with fromCharCode and other signals [sublime, high]
Attachment: HTML smuggling with hex strings [sublime, medium]
Attachment: HTML smuggling with high entropy and other signals [sublime, high]
Attachment: HTML smuggling with raw array buffer [sublime, high]
Attachment: HTML smuggling with RC4 decryption [sublime, high]
Attachment: HTML smuggling with ROT13 [sublime, high]
Attachment: HTML smuggling with setTimeout [sublime, high]
Attachment: HTML smuggling with unescape [sublime, high]
Attachment: ICS file with AWS Lambda URL [sublime, medium]
Attachment: ICS file with excessive custom properties [sublime, medium]
Attachment: ICS with embedded document [sublime, low]
Attachment: ICS with embedded Javascript in SVG file [sublime, high]
Attachment: JavaScript file with suspicious base64-encoded executable [sublime, high]
Attachment: LNK file [sublime, high]
Attachment: LNK with embedded content [sublime, high]
Attachment: Macro files containing MHT content [sublime, medium]
Attachment: Macro with suspected use of COM ShellBrowserWindow object for process creation [sublime, high]
Attachment: Malformed OLE file [sublime, high]
Attachment: Malicious OneNote commands [sublime, high]
Attachment: Microsoft impersonation via PDF with link and suspicious language [sublime, high]
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK [sublime, medium]
Attachment: MSI installer file [sublime, medium]
Attachment: Office document loads remote document template [sublime, medium]
Attachment: Office document with VSTO add-in [sublime, high]
Attachment: Office file with suspicious function calls or downloaded file path [sublime, high]
Attachment: OLE external relationship containing file scheme link to executable filetype [sublime, high]
Attachment: OLE external relationship containing file scheme link to IP address [sublime, high]
Attachment: Password-protected PDF with fake document indicators [sublime, medium]
Attachment: PDF file with embedded content [sublime, high]
Attachment: PDF file with low reputation link to ZIP file (unsolicited) [sublime, medium]
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) [sublime, medium]
Attachment: PDF generated with wkhtmltopdf tool and default title [sublime, low]
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification [sublime, medium]
Attachment: PDF with embedded Javascript [sublime, medium]
Attachment: PDF with link to DMG file download [sublime, medium]
Attachment: PDF with link to zip containing a wsf file [sublime, high]
Attachment: PDF with password in filename matching body text [sublime, medium]
Attachment: PDF with suspicious HeadlessChrome metadata [sublime, medium]
Attachment: PDF with suspicious language and redirect to suspicious file type [sublime, high]
Attachment: Potential sandbox evasion in Office file [sublime, high]
Attachment: PowerPoint with suspicious hyperlink [sublime, high]
Attachment: PowerShell content [sublime, high]
Attachment: QR code link with base64-encoded recipient address [sublime, high]
Attachment: QR code with userinfo portion [sublime, high]
Attachment: RDP connection file [sublime, medium]
Attachment: RTF with embedded content [sublime, medium]
Attachment: Self-sender PDF with minimal content and view prompt [sublime, high]
Attachment: SFX archive containing commands [sublime, medium]
Attachment: SVG file execution [sublime, high]
Attachment: SVG files with evasion elements [sublime, high]
Attachment: Uncommon compressed file [sublime, low]
Attachment: USDA bid invitation impersonation [sublime, medium]
Attachment: Web files with suspicious comments [sublime, high]
Attachment: WinRAR CVE-2025-8088 exploitation [sublime, high]
Attachment: XLSX file with suspicious print titles metadata [sublime, high]
Attachment: ZIP file with CVE-2026-0866 exploit [sublime, medium]
Base64 Decoded Payload Piped to Interpreter [elastic, high]
Batch File Write to System32 [splunk_escu]
Brand impersonation: Google Drive fake file share [sublime, medium]
Brand impersonation: Paperless Post [sublime, high]
Brand impersonation: Sharepoint fake file share [sublime, medium]
Brand impersonation: Vanguard [sublime, medium]
Brand impersonation: WeTransfer [sublime, high]
Brand impersonation: Zoom with deceptive link display [sublime, medium]
Brand spoof: Dropbox [sublime, medium]
Catbox.moe link from untrusted source [sublime, medium]
Cisco NVM - Susp Script From Archive Triggering Network Activity [splunk_escu]
CLR DLL Loaded Via Office Applications [sigma, medium]
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG [sublime, critical]
Decoded Payload Piped to Interpreter Detected via Defend for Containers [elastic, high]
DNS Staging Detection: ClickFix-Inspired nslookup Execution [crowdstrike_cql]
DotNET Assembly DLL Loaded Via Office Application [sigma, medium]
Download From Suspicious TLD - Blacklist [sigma, low]
Download From Suspicious TLD - Whitelist [sigma, low]
Downloaded Shortcut Files [elastic, medium]
Downloaded URL Files [elastic, medium]
Drop IcedID License dat [splunk_escu]
Elastic Defend Alert Followed by Telemetry Loss [elastic, high]
Encoded Payload Detected via Defend for Containers [elastic, medium]
Encrypted Microsoft Office files from untrusted sender [sublime, medium]
Executable File Creation with Multiple Extensions [elastic, medium]
Executable File Download via Wget [elastic, medium]
Execution of a Downloaded Windows Script [elastic, medium]
Execution of File Written or Modified by Microsoft Office [elastic, high]
Fake request for tax preparation [sublime, high]
File sharing link from suspicious sender domain [sublime, medium]
File with Right-to-Left Override Character (RTLO) Created/Executed [elastic, medium]
File With Uncommon Extension Created By An Office Application [sigma, high]
Flash Player Update from Suspicious Location [sigma, high]
GAC DLL Loaded Via Office Applications [sigma, high]
Gatekeeper Override and Execution [elastic, high]
Google Accelerated Mobile Pages (AMP) abuse [sublime, medium]
Google Drive direct download link from unsolicited sender [sublime, medium]
HackTool - LittleCorporal Generated Maldoc Injection [sigma, high]
Headers: iOS/iPadOS mailer with invalid build number [sublime, medium]
Headers: Outlook Express mailer [sublime, medium]
HTML smuggling containing recipient email address [sublime, medium]
HTML smuggling with atob in message body [sublime, high]
Image as content with a link to an open redirect (unsolicited) [sublime, high]
Ingress Tool Transfer Followed by Execution and Deletion Detected via Defend for Containers [elastic, high]
Link to auto-download of a suspicious file type (unsolicited) [sublime, medium]
Link to auto-downloaded disk image in encrypted zip [sublime, medium]
Link to auto-downloaded DMG in archive [sublime, medium]
Link to auto-downloaded DMG in encrypted zip [sublime, high]
Link to auto-downloaded file with Adobe branding [sublime, high]
Link to auto-downloaded file with Google Drive branding [sublime, high]
Link to Google Apps Script macro (unsolicited) [sublime, medium]
Link to Google Apps Script macro via comment tagging [sublime, medium]
Link: .onion From Unsolicited Sender [sublime, low]
Link: /index.php enclosed in three asterisks [sublime, medium]
Link: 9WOLF phishkit initial landing URI [sublime, high]
Link: Apple App Store malicious ad manager themed apps from free email provider [sublime, medium]
Link: Commonly Abused Web Service redirecting to ZIP file [sublime, medium]
Link: CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability [sublime, critical]
Link: Direct download of executable file [sublime, low]
Link: Direct link to gamma.app document with mode parameter [sublime, medium]
Link: Direct link to keap.app contact-us page [sublime, medium]
Link: Direct link to limewire hosted file [sublime, high]
Link: Direct MSI download from low reputation domain [sublime, low]
Link: Excessive URL rewrite encoders [sublime, high]
Link: Executable file download with suspicious message content [sublime, high]
Link: Free file hosting with undisclosed recipients [sublime, medium]
Link: Google Firebase dynamic link that redirects to new domain (<7 days old) [sublime, low]
Link: GoPhish query param values [sublime, low]
Link: IPFS [sublime, medium]
Link: IPv4-mapped IPv6 address obfuscation [sublime, medium]
Link: Landing page with search-ms protocol redirect [sublime, high]