← Back to Explore
sublimehighRule
Attachment: PDF with suspicious language and redirect to suspicious file type
Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
Detection Query
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
length(.scan.url.urls) > 0
and any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft"
and .confidence in~ ("medium", "high")
)
and any(.scan.url.urls,
strings.icontains(ml.link_analysis(.).final_dom.display_text,
"Redirect Notice"
)
and (
strings.contains(ml.link_analysis(.).final_dom.display_text,
".zip"
)
or strings.contains(ml.link_analysis(.).final_dom.display_text,
".php"
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Malfam: QakBot
Raw Content
name: "Attachment: PDF with suspicious language and redirect to suspicious file type"
description: |
Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
references:
- "https://delivr.to/payloads?id=b2288482-916a-4484-8a0b-bd3b33d93b11"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
length(.scan.url.urls) > 0
and any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft"
and .confidence in~ ("medium", "high")
)
and any(.scan.url.urls,
strings.icontains(ml.link_analysis(.).final_dom.display_text,
"Redirect Notice"
)
and (
strings.contains(ml.link_analysis(.).final_dom.display_text,
".zip"
)
or strings.contains(ml.link_analysis(.).final_dom.display_text,
".php"
)
)
)
)
)
tags:
- "Malfam: QakBot"
attack_types:
- "Malware/Ransomware"
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "URL analysis"
id: "adda3c3f-8966-5f46-9924-234bbaee0a2c"