Attachment: PDF with suspicious language and redirect to suspicious file type
Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
Sublime rule (View on GitHub)
1name: "Attachment: PDF with suspicious language and redirect to suspicious file type"
2description: |
3 Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
4references:
5 - "https://delivr.to/payloads?id=b2288482-916a-4484-8a0b-bd3b33d93b11"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 .file_type == "pdf"
12 and any(file.explode(.),
13 any(ml.nlu_classifier(.scan.ocr.raw).intents,
14 .name == "cred_theft" and .confidence in~ ("medium", "high")
15 )
16 and any(.scan.url.urls,
17 strings.icontains(ml.link_analysis(.).final_dom.display_text,
18 "Redirect Notice"
19 )
20 and (
21 strings.contains(ml.link_analysis(.).final_dom.display_text, ".zip")
22 or strings.contains(ml.link_analysis(.).final_dom.display_text, ".php")
23 )
24 )
25 )
26 )
27tags:
28 - "Malfam: QakBot"
29attack_types:
30 - "Malware/Ransomware"
31 - "Credential Phishing"
32tactics_and_techniques:
33 - "Evasion"
34 - "PDF"
35detection_methods:
36 - "File analysis"
37 - "Natural Language Understanding"
38 - "Optical Character Recognition"
39 - "URL analysis"
40id: "adda3c3f-8966-5f46-9924-234bbaee0a2c"