← Back to Explore
sublimehighRule
Attachment: PDF with link to zip containing a wsf file
Detects a PDF attachment with a link to a ZIP file that contains a WSF file
Detection Query
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.url.urls,
strings.icontains(.url, "zip")
and any(ml.link_analysis(.).files_downloaded,
any(file.explode(.), .file_extension == "wsf")
)
)
or any(.scan.url.urls,
strings.icontains(.url, "php")
and any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
.file_extension == "zip"
and any(.scan.zip.attempted_files,
strings.icontains(., "wsf")
)
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Tags
Malfam: QakBot
Raw Content
name: "Attachment: PDF with link to zip containing a wsf file"
description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file"
references:
- "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70"
- "https://twitter.com/Cryptolaemus1/status/1649091718552379392"
- "https://twitter.com/Cryptolaemus1/status/1650826597333696515"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.url.urls,
strings.icontains(.url, "zip")
and any(ml.link_analysis(.).files_downloaded,
any(file.explode(.), .file_extension == "wsf")
)
)
or any(.scan.url.urls,
strings.icontains(.url, "php")
and any(ml.link_analysis(.).files_downloaded,
any(file.explode(.),
.file_extension == "zip"
and any(.scan.zip.attempted_files,
strings.icontains(., "wsf")
)
)
)
)
)
)
tags:
- "Malfam: QakBot"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
- "URL analysis"
id: "93bc7db4-248f-502a-bc9a-919915cbc0fb"