← Back to Explore
sublimemediumRule
Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Detection Query
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
regex.contains(.url, '\.(?:zip)')
and .domain.root_domain not in $tranco_1m
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Author
Michael Tingle
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Malfam: QakBot
Raw Content
name: "Attachment: PDF file with low reputation link to ZIP file (unsolicited)"
description: |
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
type: "rule"
severity: "medium"
authors:
- name: "Michael Tingle"
source: |
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
regex.contains(.url, '\.(?:zip)')
and .domain.root_domain not in $tranco_1m
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
tags:
- "Malfam: QakBot"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Natural Language Understanding"
- "Sender analysis"
- "URL analysis"
id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1"