Attachment: PDF with suspicious language and redirect to suspicious file type

Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with suspicious language and redirect to suspicious file type"
 2description: |
 3    Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.
 4references:
 5  - "https://delivr.to/payloads?id=b2288482-916a-4484-8a0b-bd3b33d93b11"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          .file_type == "pdf"
12          and any(file.explode(.),
13                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
14                      .name == "cred_theft" and .confidence in~ ("medium", "high")
15                  )
16                  and any(.scan.url.urls,
17                          strings.icontains(beta.linkanalysis(.).final_dom.display_text,
18                                            "Redirect Notice"
19                          )
20                          and (
21                            strings.contains(beta.linkanalysis(.).final_dom.display_text, ".zip")
22                            or strings.contains(beta.linkanalysis(.).final_dom.display_text, ".php")
23                          )
24                  )
25          )
26  )  
27tags:
28  - "Malfam: QakBot"
29attack_types:
30  - "Malware/Ransomware"
31  - "Credential Phishing"
32tactics_and_techniques:
33  - "Evasion"
34  - "PDF"
35detection_methods:
36  - "File analysis"
37  - "Natural Language Understanding"
38  - "Optical Character Recognition"
39  - "URL analysis"
40id: "adda3c3f-8966-5f46-9924-234bbaee0a2c"

Related rules

to-top