Attachment: PDF with suspicious language and redirect to suspicious file type
The attached PDF contains credential-theft language and links, through an open redirect, to a suspicious file type (the rule checks for a .zip or .php target behind a "Redirect Notice" page). This has been observed in the wild as a Qakbot technique.
Sublime rule
```yaml
name: "Attachment: PDF with suspicious language and redirect to suspicious file type"
description: |
  Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
references:
  - "https://delivr.to/payloads?id=b2288482-916a-4484-8a0b-bd3b33d93b11"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  length(.scan.url.urls) > 0
                  and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                          .name == "cred_theft"
                          and .confidence in~ ("medium", "high")
                  )
                  and any(.scan.url.urls,
                          strings.icontains(ml.link_analysis(.).final_dom.display_text,
                                            "Redirect Notice"
                          )
                          and (
                            strings.contains(ml.link_analysis(.).final_dom.display_text,
                                             ".zip"
                            )
                            or strings.contains(ml.link_analysis(.).final_dom.display_text,
                                                ".php"
                            )
                          )
                  )
          )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "URL analysis"
id: "adda3c3f-8966-5f46-9924-234bbaee0a2c"
```
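The URL half of this rule is evaluated by Sublime's `ml.link_analysis`, which follows the link and inspects the final rendered page. The following is an added example, not part of the Sublime rule set, of a lightweight offline triage script for the same pattern: it pulls `/URI` link annotations out of a raw PDF and flags any URL that carries a second URL in a common open-redirect query parameter whose path ends in `.zip` or `.php`. The sample PDF bytes, the hostnames, and the list of redirect parameter names (`q`, `url`, `u`, `redirect`, `target`, `dest`) are constructed for illustration; nothing here resolves the link, so it catches the redirect target only when it is visible in the query string rather than behind a server-side hop.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: a minimal, uncompressed PDF with two link annotations.
# The first points at an (assumed) open redirector whose target is a .zip;
# the second is a benign link and must not be flagged.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (https://redirector.example/url?q=https://cdn.example.net/invoice.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI (https://www.example.com/help) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches the literal-string form "/URI (...)" of a link action, stopping at the
# first ")" that is not backslash-escaped. Hex strings "/URI <...>" and link
# annotations inside compressed object streams are out of scope for this regex.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)

# File types the Sublime rule looks for in the redirect notice page.
SUSPICIOUS_SUFFIXES = (".zip", ".php")

# Query parameter names commonly used by open redirectors (assumed list).
REDIRECT_PARAMS = ("q", "url", "u", "redirect", "target", "dest")


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI string found in uncompressed link annotations."""
    uris = []
    for match in URI_RE.finditer(pdf_bytes):
        raw = match.group(1).replace(b"\\)", b")").replace(b"\\(", b"(")
        uris.append(raw.decode("latin-1"))
    return uris


def redirect_target(url: str) -> Optional[str]:
    """If `url` carries another absolute URL in a redirect parameter, return it."""
    query = parse_qs(urlparse(url).query)
    for key in REDIRECT_PARAMS:
        for value in query.get(key, []):
            # parse_qs already decoded one layer; unquote again so a
            # double-encoded target (a common evasion) is still recognised.
            candidate = unquote(value)
            if candidate.startswith(("http://", "https://")):
                return candidate
    return None


def is_suspicious_redirect(url: str) -> bool:
    """True when the URL redirects to a target whose path ends in .zip or .php."""
    target = redirect_target(url)
    if target is None:
        return False
    path = urlparse(target).path.lower()
    return path.endswith(SUSPICIOUS_SUFFIXES)


def triage_pdf(pdf_bytes: bytes) -> List[str]:
    """Return the link URLs in the PDF that redirect to a suspicious file type."""
    return [u for u in extract_uris(pdf_bytes) if is_suspicious_redirect(u)]


if __name__ == "__main__":
    for hit in triage_pdf(SAMPLE_PDF):
        print("suspicious redirect:", hit)
```

This script covers only the URL predicate of the rule; the credential-theft language check (`ml.nlu_classifier` over OCR text) has no offline stand-in here, so treat a hit as a reason to look at the PDF, not as a verdict.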