Attachment: PDF with link to zip containing a wsf file

 1name: "Attachment: PDF with link to zip containing a wsf file"
 2description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file"
 3references:
 4  - "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70"
 5  - "https://twitter.com/Cryptolaemus1/status/1649091718552379392"
 6  - "https://twitter.com/Cryptolaemus1/status/1650826597333696515"
 7type: "rule"
 8severity: "high"
 9source: |
10  type.inbound
11  and any(attachments,
12          .file_type == "pdf"
13          and any(file.explode(.),
14                  any(.scan.url.urls,
15                      strings.icontains(.url, "zip")
16                      and any(ml.link_analysis(.).files_downloaded,
17                              any(file.explode(.), .file_extension == "wsf")
18                      )
19                  )
20                  or any(.scan.url.urls,
21                         strings.icontains(.url, "php")
22                         and any(ml.link_analysis(.).files_downloaded,
23                                 any(file.explode(.),
24                                     .file_extension == "zip"
25                                     and any(.scan.zip.attempted_files, strings.icontains(., "wsf"))
26                                 )
27                         )
28                  )
29          )
30  )  
31tags:
32  - "Malfam: QakBot"
33attack_types:
34  - "Malware/Ransomware"
35tactics_and_techniques:
36  - "Evasion"
37  - "PDF"
38detection_methods:
39  - "Archive analysis"
40  - "Content analysis"
41  - "File analysis"
42  - "URL analysis"
43id: "93bc7db4-248f-502a-bc9a-919915cbc0fb"