Adversaries may package a malicious payload in a self-extracting (SFX) archive that drops a file named adobe.exe, so that the dropped component looks like legitimate Adobe software to a user or an analyst skimming a process list. The YARA rule below flags PE files that carry that file name together with strings from a WinRAR-style SFX stub. It is a file-content signature: it is applied by scanning files (on disk, in mail and download pipelines, or in a sandbox), and a SIEM such as Microsoft Sentinel (formerly Azure Sentinel) works from the scanner's alerts rather than running the rule itself. Because the dropper is an on-disk executable, this is not a fileless technique; the value of the rule is that it catches the lure before the payload inside the archive is executed.
YARA Rule
rule Malicious_SFX2
{
    meta:
        description = "SFX with adobe.exe content"
        author = "Florian Roth"
        reference = "http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950"
        date = "2015-07-20"
        hash = "502e42dc99873c52c3ca11dd3df25aad40d2b083069e8c22dd45da887f81d14d"
    strings:
        $s1 = "adobe.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '27.00' */
        $s2 = "Extracting files to %s folder$Extracting files to temporary folder" fullword wide /* PEStudio Blacklist: strings */ /* score: '26.00' */
        $s3 = "GETPASSWORD1" fullword wide /* PEStudio Blacklist: strings */ /* score: '23.00' */
    condition:
        uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
How the rule works
The condition requires three things: the file starts with the MZ header of a PE (uint16(0) reads the first two bytes little-endian, so "MZ" is 0x5a4d), the file is smaller than 1000 KB (1,024,000 bytes, since YARA's KB suffix is 1024), and all three strings are present. $s1 is the ASCII file name adobe.exe as a whole word, so a name such as myadobe.exe does not satisfy it. $s2 and $s3 are UTF-16LE ("wide") strings that the SFX stub embeds: the status message shown while extracting, and GETPASSWORD1, the name of the dialog the stub uses to prompt for an archive password. The hash in the meta block is the reference sample the rule was written against, and the reference URL points to the forum thread where the sample was discussed. None of the three strings is malicious on its own; the signal is the combination of an SFX stub with a bundled executable that borrows Adobe's name.
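To make the matching semantics concrete, the following is an added example (not part of the original page and not the YARA engine's code) that re-implements the rule's condition in pure Python, including YARA's fullword and wide modifiers, and runs it over constructed sample buffers. The samples are synthetic stand-ins for an SFX stub, not real malware, and the helper names are this example's own.

```python
"""
Pure-Python re-implementation of the Malicious_SFX2 condition:
    uint16(0) == 0x5a4d and filesize < 1000KB and all of them
with YARA's 'fullword ascii' and 'fullword wide' semantics.
"""

MAX_SIZE = 1000 * 1024  # YARA's KB suffix means 1024 bytes

# The three patterns from the rule, with their modifiers.
S1_ASCII = b"adobe.exe"
S2_WIDE = "Extracting files to %s folder$Extracting files to temporary folder"
S3_WIDE = "GETPASSWORD1"


def _alnum(byte):
    # bytes.isalnum() is ASCII-only, which matches YARA's fullword check.
    return bytes([byte]).isalnum()


def fullword_ascii(data, needle):
    """fullword ascii: no ASCII alphanumeric directly before or after the match."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or not _alnum(data[i - 1])
        after_ok = end >= len(data) or not _alnum(data[end])
        if before_ok and after_ok:
            return True
        start = i + 1


def fullword_wide(data, text):
    """fullword wide: the string is UTF-16LE, and the adjacent UTF-16LE code
    units must not be ASCII alphanumerics (YARA checks the byte pair)."""
    needle = text.encode("utf-16-le")
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = not (i >= 2 and data[i - 1] == 0 and _alnum(data[i - 2]))
        after_ok = not (end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end]))
        if before_ok and after_ok:
            return True
        start = i + 1


def matched_strings(data):
    """Per-string results, useful for triage when the whole rule does not fire."""
    return {
        "$s1": fullword_ascii(data, S1_ASCII),
        "$s2": fullword_wide(data, S2_WIDE),
        "$s3": fullword_wide(data, S3_WIDE),
    }


def malicious_sfx2(data):
    """True when the buffer satisfies the rule's condition."""
    if data[:2] != b"MZ":            # uint16(0) == 0x5a4d, little-endian
        return False
    if len(data) >= MAX_SIZE:        # filesize < 1000KB
        return False
    return all(matched_strings(data).values())


def _wide(text):
    return text.encode("utf-16-le")


# Constructed sample buffers (synthetic, not real SFX binaries).
SAMPLE_HIT = (
    b"MZ" + b"\x90" * 62
    + b"\x00adobe.exe\x00"
    + b"\x00\x00" + _wide(S2_WIDE) + b"\x00\x00"
    + _wide(S3_WIDE) + b"\x00\x00"
)
# Same strings, but the file name is glued to a preceding letter: $s1 is not fullword.
SAMPLE_NOT_FULLWORD = SAMPLE_HIT.replace(b"\x00adobe.exe", b"myadobe.exe")
# Not a PE: the header check fails before the strings are considered.
SAMPLE_NOT_PE = b"PK" + SAMPLE_HIT[2:]
# Same content padded past the 1000KB ceiling.
SAMPLE_TOO_BIG = SAMPLE_HIT + b"\x00" * MAX_SIZE

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT), ("not fullword", SAMPLE_NOT_FULLWORD),
                      ("not PE", SAMPLE_NOT_PE), ("too big", SAMPLE_TOO_BIG)]:
        print(f"{name:13s} match={malicious_sfx2(buf)} strings={matched_strings(buf)}")
```

The second sample is the one worth noticing: every byte of adobe.exe is present, but because the name is preceded by an alphanumeric character the fullword modifier rejects it, which is exactly why the real rule does not fire on names that merely contain adobe.exe. When deploying the rule for real, run it with the YARA binary or yara-python rather than this re-implementation; the code above exists only to show what each modifier contributes.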
Tuning and false positives
Because the rule matches on file content, a hit carries no process context. Exclusions therefore belong in the scanner's allowlist (file hash, signer, or scan path), not on process or parent-process names as one would use for an EDR behavioural rule.
Scenario: An in-house or vendor installer is built as a WinRAR SFX archive and bundles a component literally named adobe.exe (for example a renamed Adobe redistributable).
Filter/Exclusion: Extract the archive with an archive tool, confirm that the bundled adobe.exe is Authenticode-signed by Adobe, then allowlist the SFX by its SHA-256 hash. Do not exclude on the file name alone; attackers choose that name precisely because it looks legitimate.
Scenario: A deployment job regenerates an SFX package on every run, so its hash changes and a static hash allowlist keeps going stale.
Filter/Exclusion: Exclude the job's output path, or the code-signing certificate if the job signs the package, and keep that exclusion scoped to the one path or signer rather than to all SFX files.
Scenario: A legitimate WinRAR SFX installer contains the $s2 and $s3 stub strings but no file named adobe.exe.
Filter/Exclusion: No exclusion is needed; the condition requires all three strings, so the stub strings alone never trigger this rule.
Scenario: The rule fires and the archive prompts for a password (the GETPASSWORD1 dialog) during manual triage.
Filter/Exclusion: This is not a reason to exclude; a password-protected SFX that drops adobe.exe is if anything more suspicious. Treat the file as a detonation candidate and retrieve the password from the delivery context (the phishing email or download page) before analysing the dropped executable.