Attachment: PDF with link to zip containing a wsf file
Detects a PDF attachment with a link to a ZIP file that contains a WSF file
Sublime rule (View on GitHub)
1name: "Attachment: PDF with link to zip containing a wsf file"
2description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file"
3references:
4 - "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70"
5 - "https://twitter.com/Cryptolaemus1/status/1649091718552379392"
6 - "https://twitter.com/Cryptolaemus1/status/1650826597333696515"
7type: "rule"
8severity: "high"
9source: |
10 type.inbound
11 and any(attachments,
12 .file_type == "pdf"
13 and any(file.explode(.),
14 any(.scan.url.urls,
15 strings.icontains(.url, "zip")
16 and any(ml.link_analysis(.).files_downloaded,
17 any(file.explode(.), .file_extension == "wsf")
18 )
19 )
20 or any(.scan.url.urls,
21 strings.icontains(.url, "php")
22 and any(ml.link_analysis(.).files_downloaded,
23 any(file.explode(.),
24 .file_extension == "zip"
25 and any(.scan.zip.attempted_files,
26 strings.icontains(., "wsf")
27 )
28 )
29 )
30 )
31 )
32 )
33tags:
34 - "Malfam: QakBot"
35attack_types:
36 - "Malware/Ransomware"
37tactics_and_techniques:
38 - "Evasion"
39 - "PDF"
40detection_methods:
41 - "Archive analysis"
42 - "Content analysis"
43 - "File analysis"
44 - "URL analysis"
45id: "93bc7db4-248f-502a-bc9a-919915cbc0fb"
Related rules
- Attachment: Archive with pdf, txt and wsf files
- Attachment: PDF file with low reputation link to ZIP file (unsolicited)
- Attachment: PDF with suspicious language and redirect to suspicious file type
- Link to auto-downloaded disk image in encrypted zip
- Link to auto-downloaded file with Google Drive branding