Attachment: Archive with pdf, txt and wsf files

Detects a known Qakbot delivery method: a zip file containing pdf, txt and wsf files at a depth of 1.

Sublime rule

name: "Attachment: Archive with pdf, txt and wsf files"
description: |
    Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1
type: "rule"
references:
  - "https://twitter.com/pr0xylife/status/1625528782240071681"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and length(distinct(filter(file.explode(.),
                                     .depth == 1
                                     and .flavors.mime in~ ("application/pdf", "text/plain")
                              ),
                              .flavors.mime
                     )
          ) == 2
          and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "16b2e239-a7d1-51ef-aac1-562b3cc59787"
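To make the rule's three conditions concrete, the following is an added Python emulation of the MQL logic above, not code from Sublime or from the rule page. It runs the same checks (archive extension, exactly two distinct lure MIME types among depth-1 files, and a depth-1 .wsf) over a constructed listing that stands in for the output of file.explode(); the ExplodedFile and Attachment classes, the ARCHIVE_EXTENSIONS set (a stand-in for $file_extensions_common_archives) and all sample MIME values are assumptions made for the example.

```python
# Added example (not part of the Sublime rule or the page): a plain-Python
# emulation of the rule's logic over a constructed "exploded archive" listing.
# ExplodedFile/Attachment and ARCHIVE_EXTENSIONS are constructed stand-ins for
# Sublime's file.explode() output and the $file_extensions_common_archives list.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ExplodedFile:
    """One entry produced by exploding an attachment (constructed stand-in)."""
    depth: int            # 1 = directly inside the archive, 2 = nested one level deeper
    file_extension: str   # extension without the dot
    mime: str             # detected MIME type (what the rule calls .flavors.mime)


@dataclass(frozen=True)
class Attachment:
    file_extension: str
    exploded: List[ExplodedFile]


# Hypothetical stand-in for Sublime's $file_extensions_common_archives list.
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz"}

# The two MIME types the rule expects to see together at depth 1.
LURE_MIMES = {"application/pdf", "text/plain"}


def matches_rule(attachment: Attachment) -> bool:
    """True when the attachment satisfies all three rule conditions: archive
    extension, both a PDF and a plain-text file at depth 1, and a .wsf at
    depth 1. Files nested deeper than depth 1 are ignored, as in the rule."""
    # .file_extension in~ $file_extensions_common_archives (in~ is case-insensitive)
    if attachment.file_extension.lower() not in ARCHIVE_EXTENSIONS:
        return False
    depth_one = [f for f in attachment.exploded if f.depth == 1]
    # length(distinct(filter(..., .flavors.mime in~ (pdf, plain)), .flavors.mime)) == 2
    lure_mimes_seen = {f.mime.lower() for f in depth_one if f.mime.lower() in LURE_MIMES}
    if len(lure_mimes_seen) != 2:
        return False
    # any(file.explode(.), .depth == 1 and .file_extension == "wsf")
    return any(f.file_extension.lower() == "wsf" for f in depth_one)


def message_matches(attachments: Iterable[Attachment]) -> bool:
    """any(attachments, ...) from the rule: one matching attachment is enough."""
    return any(matches_rule(a) for a in attachments)


# Constructed sample: the delivery pattern the rule describes.
SAMPLE_HIT = Attachment("zip", [
    ExplodedFile(1, "pdf", "application/pdf"),
    ExplodedFile(1, "txt", "text/plain"),
    ExplodedFile(1, "wsf", "text/plain"),   # constructed MIME; the rule keys on the extension
])

# Constructed near-miss: the wsf sits one level deeper, so the rule must not fire.
SAMPLE_NESTED = Attachment("zip", [
    ExplodedFile(1, "pdf", "application/pdf"),
    ExplodedFile(1, "txt", "text/plain"),
    ExplodedFile(2, "wsf", "text/plain"),
])

# Constructed near-miss: two text files but no PDF, so only one distinct lure MIME.
SAMPLE_NO_PDF = Attachment("zip", [
    ExplodedFile(1, "txt", "text/plain"),
    ExplodedFile(1, "readme", "text/plain"),
    ExplodedFile(1, "wsf", "text/plain"),
])


if __name__ == "__main__":
    for label, sample in [("hit", SAMPLE_HIT), ("nested", SAMPLE_NESTED), ("no_pdf", SAMPLE_NO_PDF)]:
        print(label, message_matches([sample]))
```

The two near-miss samples show why the depth check and the distinct-count check both matter: a .wsf buried in a nested archive, or an archive with two text files and no PDF, does not satisfy the rule, so tuning either condition changes what the rule will and will not flag.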
