{
	"id": "430486ea-2a52-4715-913b-2cae45703ca5",
	"created_at": "2026-04-06T00:12:02.190877Z",
	"updated_at": "2026-04-10T13:12:34.873287Z",
	"deleted_at": null,
	"sha1_hash": "adf3f88daf1694c555df591303affb32eab46f45",
	"title": "Rule of the Week: Possible Malicious File Double Extension",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36731,
	"plain_text": "Rule of the Week: Possible Malicious File Double Extension\r\nBy Eugene Tkachenko\r\nPublished: 2020-05-01 · Archived: 2026-04-05 19:57:28 UTC\r\nAdversaries can disguise malicious executables as images, documents or archives by replacing the file icon and adding a fake extension in front of the real one. Such crafted files are commonly delivered as attachments in phishing emails, and the trick works well against Windows because the “Hide extensions for known file types” option is enabled by default on Windows XP and newer. Explorer hides the real extension, and so do most applications that follow Explorer’s policy, so the user sees “invoice.pdf” where the full name is “invoice.pdf.exe”. If the phishing email convinces the user to open the “document”, the malware is installed on the system; a decoy document is then often downloaded and displayed so that the user does not suspect anything.\r\nOur SOC Team released an exclusive Sigma rule that detects the suspicious use of an .exe extension after a non-executable extension (for example .pdf.exe) or after a run of spaces or underscores inserted to push the real extension out of view, as seen in spear-phishing campaigns: https://tdm.socprime.com/tdm/info/2FWv97nWNL5L/iea3vHEBv8lhbg_iMXqH/?p=1\r\nThreat Detection is supported for the following platforms:\r\nSIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio\r\nEDR: CrowdStrike, Carbon Black, Elastic Endpoint\r\nMITRE ATT&CK:\r\nTactics: Initial Access\r\nTechnique: Spearphishing Attachment (T1193)\r\nPlease find below the top five community rules released last week by participants in the Threat Bounty Program:\r\nhttps://socprime.com/en/blog/rule-digest-fresh-content-to-detect-trojans-and-ransomware/\r\nSource: https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/"
	],
	"report_names": [
		"rule-of-the-week-possible-malicious-file-double-extension"
	],
	"threat_actors": [],
	"ts_created_at": 1775434322,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/adf3f88daf1694c555df591303affb32eab46f45.pdf",
		"text": "https://archive.orkl.eu/adf3f88daf1694c555df591303affb32eab46f45.txt",
		"img": "https://archive.orkl.eu/adf3f88daf1694c555df591303affb32eab46f45.jpg"
	}
}
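The detection heuristic described in this record (a real .exe extension hidden behind a decoy document, image or archive extension, or behind a run of spaces or underscores), as an added Python example written for this corpus entry. It is not SOC Prime's Sigma rule, which is only linked on TDM and not reproduced here. The decoy-extension list, the padding threshold of three characters, the function names `classify` and `scan_events`, and the Sysmon-style FileCreate lines are all assumptions of this example; the log lines are constructed, not real telemetry.

```python
import re
from typing import List, Optional, Tuple

# Decoy extensions a lure would carry in front of the real .exe (images, documents,
# archives, as the post describes). This list is the editor's assumption, not taken
# from the SOC Prime rule.
DECOY_EXTENSIONS = (
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt",
    "jpg", "jpeg", "png", "gif", "bmp",
    "zip", "rar", "7z",
)

# The post talks about .exe only; add .scr/.com etc. here if your environment warrants it.
EXECUTABLE_EXTENSIONS = ("exe",)

# Minimum run of spaces/underscores treated as padding meant to push ".exe" out of view
# in a narrow Explorer column. The threshold is an assumption of this example.
MIN_PADDING = 3

# "<name>.<decoy>.exe" anywhere at the end of the file name, case-insensitive.
_DOUBLE_EXT = re.compile(
    r"\.(?:%s)\.(?:%s)$" % ("|".join(DECOY_EXTENSIONS), "|".join(EXECUTABLE_EXTENSIONS)),
    re.IGNORECASE,
)

# "<name>___.exe" or "<name>      .exe": padding directly before the real extension.
_PADDED_EXT = re.compile(
    r"[ _]{%d,}\.(?:%s)$" % (MIN_PADDING, "|".join(EXECUTABLE_EXTENSIONS)),
    re.IGNORECASE,
)

# Flattened Sysmon Event ID 11 (FileCreate) style; TargetFilename is kept last because
# Windows paths may themselves contain spaces.
_TARGET = re.compile(r"TargetFilename=(.*)$")


def basename(path: str) -> str:
    """Return the file-name component of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1]


def classify(path: str) -> Optional[str]:
    """Return 'double_extension', 'padded_extension', or None for a benign-looking name."""
    name = basename(path)
    if _DOUBLE_EXT.search(name):
        return "double_extension"
    if _PADDED_EXT.search(name):
        return "padded_extension"
    return None


def scan_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the heuristic over FileCreate-style log lines; return (path, verdict) hits."""
    hits = []
    for line in lines:
        m = _TARGET.search(line)
        if not m:
            continue  # not a FileCreate line with a target path
        verdict = classify(m.group(1))
        if verdict:
            hits.append((m.group(1), verdict))
    return hits


# Constructed sample events (not real telemetry). Lines 1, 3 and 5 should fire;
# 2 is an ordinary download and 4 is an installer whose dotted version segment is
# not a decoy extension, so neither should.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Program Files\Microsoft Office\OUTLOOK.EXE TargetFilename=C:\Users\bob\Downloads\Invoice_2020-04.pdf.exe",
    r"EventID=11 Image=C:\Program Files\Mozilla Firefox\firefox.exe TargetFilename=C:\Users\bob\Downloads\Q1-report.xlsx",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\bob\Desktop\photo.jpg                    .exe",
    r"EventID=11 Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\Program Files\Vendor\setup.v2.exe",
    r"EventID=11 Image=C:\Program Files\7-Zip\7zG.exe TargetFilename=C:\Users\bob\Downloads\scan_____________.exe",
]


if __name__ == "__main__":
    for path, verdict in scan_events(SAMPLE_EVENTS):
        print(f"{verdict:18} {path}")
```

The two regexes are anchored on the file name rather than the full path so that directory names such as `C:\Users\bob.pdf\` cannot trigger a match, and the padding check deliberately ignores single spaces, which occur in plenty of legitimate file names; tune `MIN_PADDING` and `DECOY_EXTENSIONS` against your own file-creation telemetry before alerting on them.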