Attachment: Archive with embedded EXE file

Sublime Rules

Summary
This detection rule identifies executable (EXE) files embedded in compressed archives, with particular focus on the RAR format but covering other common archive types as well. It recursively scans the contents of files and archives for the MZ header that marks an executable file. The rule's relevance is illustrated by an attack reported on June 7, 2021, in which the Ukrainian Secret Service noted the use of this technique in spear-phishing campaigns attributed to Russian federal services. In those operations, attackers sent emails urging users to extract RAR archives containing a malicious EXE disguised as a PDF through a double file extension (e.g., filename.pdf.exe). This is an evasion tactic intended to mislead both users and security controls, and it motivates detection methods such as archive and file analysis and YARA rules. The rule maps to the malware and ransomware attack types and is assigned a high danger level.
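The following is an added illustration of the detection logic described above, not the Sublime rule itself. It walks an archive recursively, flags any member whose first two bytes are the MZ header, and separately flags document-style double extensions such as `.pdf.exe`. Because the Python standard library has no RAR parser, the example uses ZIP archives (nested ZIP inside ZIP) to show the recursion; the archive it scans is constructed inline, and the depth and size limits are this example's own choices.

```python
import io
import zipfile

MZ_HEADER = b"MZ"                 # first two bytes of a DOS/PE executable
EXE_EXTENSIONS = {"exe"}          # extensions treated as executable content
MAX_DEPTH = 5                     # stop recursing into deeply nested archives
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip bombs)


def has_double_extension(member_name: str) -> bool:
    """True for names like 'report.pdf.exe': two or more extensions, last one executable."""
    base = member_name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] in EXE_EXTENSIONS


def scan_archive(data: bytes, depth: int = 0, path: str = "") -> list:
    """Recursively scan a ZIP archive (bytes) and return findings for executable members.

    Each finding records the member path inside the archive, whether it starts
    with the MZ header, and whether its name uses a double extension.
    Non-archive input yields no findings.
    """
    findings = []
    if depth > MAX_DEPTH:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member_path = f"{path}/{info.filename}" if path else info.filename
            # Skip members whose declared size is suspiciously large.
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            content = zf.read(info.filename)
            is_mz = content[:2] == MZ_HEADER
            is_double = has_double_extension(info.filename)
            if is_mz or is_double:
                findings.append({
                    "path": member_path,
                    "mz_header": is_mz,
                    "double_extension": is_double,
                })
            # Recurse into nested archives so an EXE hidden one level down is still found.
            if zipfile.is_zipfile(io.BytesIO(content)):
                findings.extend(scan_archive(content, depth + 1, member_path))
    return findings


def is_suspicious(data: bytes) -> bool:
    """Verdict helper: True if any member carries an MZ header or a double extension."""
    return bool(scan_archive(data))


def build_sample_archive() -> bytes:
    """Construct a nested ZIP for demonstration: outer.zip -> attachment.zip -> report.pdf.exe.

    The 'executable' is a constructed stub with only the MZ magic, not a real program.
    """
    fake_exe = MZ_HEADER + b"\x00" * 126   # constructed stub, only the magic matters here
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("report.pdf.exe", fake_exe)
        z.writestr("readme.txt", b"please open the report")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("attachment.zip", inner.getvalue())
        z.writestr("notes.txt", b"nothing here")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

Checking the header bytes rather than trusting the filename is what makes the detection robust: a renamed executable is still caught by the MZ check, while the double-extension check catches the social-engineering disguise even when the payload is obfuscated.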
Categories
  • Endpoint
  • Infrastructure
  • Web
  • Other
Data Sources
  • File
  • Process
  • Network Traffic
Created: 2022-03-01