Attachment: Archive with pdf, txt and wsf files
Detects a known Qakbot delivery method: a zip attachment containing pdf, txt and wsf files at a depth of 1
Sublime rule
name: "Attachment: Archive with pdf, txt and wsf files"
description: |
  Detects a known Qakbot delivery method, zip file with pdf, txt and wsf file at a depth of 1
type: "rule"
references:
  - "https://twitter.com/pr0xylife/status/1625528782240071681"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_extension in~ $file_extensions_common_archives
          and length(distinct(filter(file.explode(.),
                                     .depth == 1
                                     and .flavors.mime in~ (
                                       "application/pdf",
                                       "text/plain"
                                     )
                              ),
                              .flavors.mime
                       )
          ) == 2
          and any(file.explode(.), .depth == 1 and .file_extension == "wsf")
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "Archive analysis"
  - "File analysis"
id: "16b2e239-a7d1-51ef-aac1-562b3cc59787"
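The rule's logic, mirrored in Python as an added example (not Sublime's own code or MQL engine) so the depth-1 condition can be exercised against a constructed archive: only direct children of the outer zip count, so a wsf hidden inside a nested archive (depth 2) must not trigger. The `sniff_mime` helper is an assumed, simplified stand-in for Sublime's content-based `.flavors.mime`.

```python
import io
import zipfile


def build_sample_zip(include_wsf=True):
    """Constructed sample laid out like the lure the rule describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("readme.txt", b"Please open the attached document.\n")
        if include_wsf:
            zf.writestr("open.wsf", b"<job><script language='JScript'></script></job>")
        # A nested archive: its contents sit at depth 2 and must not count.
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("nested.wsf", b"<job></job>")
        zf.writestr("inner.zip", inner.getvalue())
    return buf.getvalue()


def sniff_mime(name, data):
    """Assumed stand-in for .flavors.mime: magic bytes for PDF, utf-8 text for .txt."""
    if data.startswith(b"%PDF"):
        return "application/pdf"
    if name.lower().endswith(".txt"):
        try:
            data.decode("utf-8")
            return "text/plain"
        except UnicodeDecodeError:
            pass
    return "application/octet-stream"


def matches_rule(archive_bytes):
    """Equivalent of the rule's source block: at depth 1, both application/pdf and
    text/plain must be present (distinct count == 2) and a file with a wsf extension."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Every entry of the outer archive is depth 1; nested archives are not expanded.
        entries = [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    lure_mimes = {sniff_mime(n, d) for n, d in entries} & {"application/pdf", "text/plain"}
    has_wsf = any(n.lower().rsplit(".", 1)[-1] == "wsf" for n, _ in entries)
    return len(lure_mimes) == 2 and has_wsf
```

Dropping the top-level wsf while keeping the nested one leaves the archive unmatched, which is the depth-1 behaviour the rule relies on.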
Related rules
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with suspicious language and redirect to suspicious file type
- Link to auto-downloaded disk image in encrypted zip
- Link to auto-downloaded file with Google Drive branding