← Back to Explore
sublimehighRule
PDF attachment with Google (AE) redirecting to a php or zip file
Detects a PDF attachment with a link that contains a Google.ae redirect URL.
Detection Query
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
// url encoded q=http
strings.starts_with(.query_params, "q=%68%74%74%70")
// url encoded .php or .zip
and (
strings.contains(.query_params, ".%70%68%70")
or strings.contains(.query_params, "%2e%7a%69%70")
)
and .domain.root_domain == "google.ae"
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Malfam: QakBot
Raw Content
name: "PDF attachment with Google (AE) redirecting to a php or zip file"
description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL."
references:
- "https://twitter.com/Cryptolaemus1/status/1649200761610571776?s=20"
- "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
// url encoded q=http
strings.starts_with(.query_params, "q=%68%74%74%70")
// url encoded .php or .zip
and (
strings.contains(.query_params, ".%70%68%70")
or strings.contains(.query_params, "%2e%7a%69%70")
)
and .domain.root_domain == "google.ae"
)
)
)
tags:
- "Malfam: QakBot"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Open redirect"
- "PDF"
detection_methods:
- "Content analysis"
- "File analysis"
- "URL analysis"
id: "57ae513f-54b6-5ddd-9527-449a6d2a23c3"