← Back to Explore
sublimemediumRule
Attachment: Archive with pdf, txt and wsf files
Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1
Detection Query
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and length(distinct(filter(file.explode(.),
.depth == 1
and .flavors.mime in~ (
"application/pdf",
"text/plain"
)
),
.flavors.mime
)
) == 2
and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Malfam: QakBot
Raw Content
name: "Attachment: Archive with pdf, txt and wsf files"
description: |
Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1
type: "rule"
references:
- "https://twitter.com/pr0xylife/status/1625528782240071681"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in~ $file_extensions_common_archives
and length(distinct(filter(file.explode(.),
.depth == 1
and .flavors.mime in~ (
"application/pdf",
"text/plain"
)
),
.flavors.mime
)
) == 2
and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
)
tags:
- "Malfam: QakBot"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "Archive analysis"
- "File analysis"
id: "16b2e239-a7d1-51ef-aac1-562b3cc59787"