Attachment: PDF with suspicious language and redirect to suspicious file type
Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
Sublime rule (View on GitHub)
1name: "Attachment: PDF with suspicious language and redirect to suspicious file type"
2description: |
3 Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
4references:
5 - "https://delivr.to/payloads?id=b2288482-916a-4484-8a0b-bd3b33d93b11"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 .file_type == "pdf"
12 and any(file.explode(.),
13 length(.scan.url.urls) > 0
14 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
15 .name == "cred_theft" and .confidence in~ ("medium", "high")
16 )
17 and any(.scan.url.urls,
18 strings.icontains(ml.link_analysis(.).final_dom.display_text,
19 "Redirect Notice"
20 )
21 and (
22 strings.contains(ml.link_analysis(.).final_dom.display_text, ".zip")
23 or strings.contains(ml.link_analysis(.).final_dom.display_text, ".php")
24 )
25 )
26 )
27 )
28tags:
29 - "Malfam: QakBot"
30attack_types:
31 - "Malware/Ransomware"
32 - "Credential Phishing"
33tactics_and_techniques:
34 - "Evasion"
35 - "PDF"
36detection_methods:
37 - "File analysis"
38 - "Natural Language Understanding"
39 - "Optical Character Recognition"
40 - "URL analysis"
41id: "adda3c3f-8966-5f46-9924-234bbaee0a2c"