Detection rules › Sublime MQL
Attachment with macro calling executable
Recursively scans files and archives to detect embedded VBA files with an encoded hex string referencing an exe. This may be an attempt to heavily obfuscate an execution through Microsoft document.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion, Macros |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| type |
Rule body MQL
type.inbound
and any(attachments,
(
.file_extension in~ $file_extensions_macros
or .file_extension in~ $file_extensions_common_archives
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
and .size < 100000000
)
)
and any(file.explode(.), any(.scan.vba.hex, strings.ilike(., "*exe*")))
)
Detection logic
Scope: inbound message.
Recursively scans files and archives to detect embedded VBA files with an encoded hex string referencing an exe. This may be an attempt to heavily obfuscate an execution through Microsoft document.
- inbound message
any of
attachmentswhere all hold:any of:
- .file_extension in $file_extensions_macros
- .file_extension in $file_extensions_common_archives
all of:
- .file_extension is missing
- .file_type is 'unknown'
- .content_type is 'application/octet-stream'
- .size < 100000000
any of
file.explode(.)where:any of
.scan.vba.hexwhere:- . matches '*exe*'
Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, attachments[].size, type.inbound. Sensors: file.explode, strings.ilike. Reference lists: $file_extensions_common_archives, $file_extensions_macros.
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
attachments[].file_type | equals | unknown |
attachments[].content_type | equals | application/octet-stream |
strings.ilike | substring | *exe* |