Attachment: Archive with pdf, txt and wsf files
Detects a known QakBot delivery method: an archive attachment (any extension in the common-archives list, zip being the typical case) whose top-level (depth 1) members include both a PDF and a plain-text file together with a .wsf script. The PDF/text check counts distinct MIME types rather than files, so both types must be present; the .wsf check is by file extension only.
Sublime rule
name: "Attachment: Archive with pdf, txt and wsf files"
description: |
  Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1
type: "rule"
references:
  - "https://twitter.com/pr0xylife/status/1625528782240071681"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and length(distinct(filter(file.explode(.),
                                     .depth == 1
                                     and .flavors.mime in~ ("application/pdf", "text/plain")
                                     ),
                              .flavors.mime
                      )
          ) == 2
          and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "16b2e239-a7d1-51ef-aac1-562b3cc59787"
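To make the rule's archive logic concrete, here is an added Python re-implementation of the `source` block above. It is not Sublime's engine or MQL: `.flavors.mime` is approximated by a byte-level sniff, `file.explode` by recursive zip extraction (so members of a nested zip land at depth 2), and `$file_extensions_common_archives` is assumed to be the small set below. The sample archives are constructed placeholders, not real lure or loader files.

```python
"""Added example: a Python re-implementation of the archive logic in the
rule above, not Sublime's own engine or MQL. It approximates
.flavors.mime with a byte-level sniff and file.explode with recursive
zip extraction; $file_extensions_common_archives is assumed to be the
small set below."""
import io
import zipfile

# Assumption: stand-in for Sublime's $file_extensions_common_archives list.
COMMON_ARCHIVE_EXTENSIONS = {"zip", "rar", "7z", "tar", "gz"}


def sniff_mime(data: bytes) -> str:
    """Crude content-based type guess standing in for .flavors.mime."""
    if data.startswith(b"%PDF-"):
        return "application/pdf"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "application/octet-stream"
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return "text/plain"
    return "application/octet-stream"


def extension(name: str) -> str:
    """Lower-cased extension of the last path component, '' if none."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def explode(data: bytes, depth: int = 1):
    """Yield (depth, name, content) for every file in a zip, descending
    into nested zips so their members sit at depth + 1, mirroring how
    file.explode assigns .depth."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            yield depth, info.filename, content
            if zipfile.is_zipfile(io.BytesIO(content)):
                yield from explode(content, depth + 1)


def matches_rule(attachment_name: str, attachment_bytes: bytes) -> bool:
    """True when the attachment is an archive whose depth-1 members cover
    both MIME types (application/pdf, text/plain) and include a .wsf."""
    if extension(attachment_name) not in COMMON_ARCHIVE_EXTENSIONS:
        return False
    if not zipfile.is_zipfile(io.BytesIO(attachment_bytes)):
        return False  # assumption: only zip containers are exploded here
    members = list(explode(attachment_bytes))
    # distinct(filter(..., .depth == 1 and .flavors.mime in~ (pdf, text)), .flavors.mime)
    doc_mimes = {
        sniff_mime(content)
        for depth, _, content in members
        if depth == 1 and sniff_mime(content) in ("application/pdf", "text/plain")
    }
    # any(file.explode(.), .depth == 1 and .file_extension == "wsf")
    has_wsf = any(depth == 1 and extension(name) == "wsf" for depth, name, _ in members)
    return len(doc_mimes) == 2 and has_wsf


def build_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample members: placeholders, not real lure or loader content.
LURE_PDF = b"%PDF-1.4\n% placeholder lure document\n"
LURE_TXT = b"Please review the attached document.\n"
WSF_STUB = b'<job id="main"><script language="JScript">/* placeholder */</script></job>\n'

QAKBOT_STYLE = build_zip({"invoice.pdf": LURE_PDF, "readme.txt": LURE_TXT, "open.wsf": WSF_STUB})
NO_WSF = build_zip({"invoice.pdf": LURE_PDF, "readme.txt": LURE_TXT})
# The .wsf sits one archive level down (depth 2), so the rule stays silent.
NESTED_WSF = build_zip({"invoice.pdf": LURE_PDF, "readme.txt": LURE_TXT,
                        "inner.zip": build_zip({"open.wsf": WSF_STUB})})

if __name__ == "__main__":
    for label, blob in (("pdf+txt+wsf", QAKBOT_STYLE), ("pdf+txt", NO_WSF), ("wsf nested", NESTED_WSF)):
        print(f"{label:12s} -> {matches_rule('lure.zip', blob)}")
```

Two things worth noticing from running it. First, the rule counts distinct MIME types, not files: since the sniffer here classes a WSF (XML text) as text/plain, an archive holding only a PDF and a WSF also satisfies the `== 2` check in this approximation; whether Sublime's flavor engine classifies WSF the same way is not stated on the page, so treat that as a property of this re-implementation. Second, the depth-1 restriction is a real gap: a WSF tucked inside a nested archive (the `NESTED_WSF` sample) is not matched, which is why the related rules below cover other packaging variants.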
Related rules
- Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
- Attachment: HTML smuggling with embedded base64 streamed file download
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with suspicious language and redirect to suspicious file type