PDF attachment with Google (AE) redirecting to a php or zip file
Detects a PDF attachment with a link that contains a Google.ae redirect URL.
Sublime rule
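# Sublime Security detection rule (MQL). Matches inbound mail carrying a PDF
# attachment whose embedded links go through a google.ae redirector with a
# percent-encoded target URL that points at a .php or .zip file.
name: "PDF attachment with Google (AE) redirecting to a php or zip file"
description: "Detects a PDF attachment with a link that contains a Google.ae redirect URL."
references:
  - "https://twitter.com/Cryptolaemus1/status/1649200761610571776?s=20"
  - "https://analyzer.sublime.security?id=142822c9-8195-47bd-96e3-b8a26267c03c"
type: "rule"
severity: "high"
# Literal block: the query text uses // for comments; a YAML # here would
# become part of the MQL source.
source: |
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  any(.scan.pdf.urls,
                      // url encoded q=http -- a prefix match, so the redirect
                      // target has to be the leading query parameter; a q= that
                      // follows another parameter does not match
                      strings.starts_with(.query_params, "q=%68%74%74%70")
                      // url encoded .php or .zip
                      // NOTE(review): the two patterns encode the dot differently
                      // (literal "." before %70%68%70, "%2e" before %7a%69%70) and
                      // only lower-case hex is listed; confirm this is intentional
                      // and whether strings.contains is case-sensitive (an
                      // upper-case %2E encoding would otherwise be missed)
                      and (
                        strings.contains(.query_params, ".%70%68%70")
                        or strings.contains(.query_params, "%2e%7a%69%70")
                      )
                      // restrict the match to links on the google.ae root domain
                      and .domain.root_domain == "google.ae"
                  )
          )
  )
tags:
  - "Malfam: QakBot"
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Open redirect"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
id: "57ae513f-54b6-5ddd-9527-449a6d2a23c3"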