Attachment: PDF with link to zip containing a wsf file
Detects a PDF attachment with a link to a ZIP file that contains a WSF file
Sublime rule

name: "Attachment: PDF with link to zip containing a wsf file"
description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file"
references:
  - "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70"
  - "https://twitter.com/Cryptolaemus1/status/1649091718552379392"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "pdf" and
          any(file.explode(.),
              any(.scan.pdf.urls, strings.ends_with(.url, "zip")
                  and any(beta.linkanalysis(.).files_downloaded,
                          any(file.explode(.),
                              .file_extension == "wsf")
                  )
              )
          )
  )
tags:
  - "Suspicious attachment"
  - "QakBot"
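The nested any() chain above reads top-down: PDF attachment, URL in the PDF ending in "zip", archive fetched by link analysis, member with a .wsf extension. The following Python is an added illustration of that same chain outside the Sublime platform, not the rule's own implementation: the PDF bytes and ZIP archives are constructed inline, pdf_urls() is a crude stand-in for scan.pdf.urls, and the fetch callback stands in for beta.linkanalysis(.).files_downloaded.

```python
import io
import re
import zipfile
from typing import Callable, Iterable, List, Optional

# Constructed sample: a minimal PDF-like byte string carrying one link
# annotation whose URI ends in ".zip" (not a real document, only enough
# structure for the URL scan below).
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (http://files.example.invalid/invoice.zip) >> >> endobj\n"
)


def build_sample_zip(member_names: Iterable[str]) -> bytes:
    """Build an in-memory ZIP with the given (constructed) member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder content")
    return buf.getvalue()


def pdf_urls(pdf_bytes: bytes) -> List[str]:
    """Stand-in for scan.pdf.urls: pull /URI (...) targets out of link annotations."""
    return [m.decode("latin-1") for m in re.findall(rb"/URI\s*\(([^)]*)\)", pdf_bytes)]


def zip_members_with_extension(zip_bytes: bytes, ext: str) -> List[str]:
    """Stand-in for file.explode(.) on a downloaded archive: members with that extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("." + ext)]


def pdf_links_to_zip_with_wsf(pdf_bytes: bytes,
                              fetch: Callable[[str], Optional[bytes]]) -> bool:
    """Mirror of the rule's nested any(): PDF -> .zip URL -> archive -> .wsf member.
    `fetch` (assumed helper) returns the bytes link analysis would have downloaded."""
    for url in pdf_urls(pdf_bytes):
        if not url.lower().endswith("zip"):      # strings.ends_with(.url, "zip")
            continue
        downloaded = fetch(url)
        if downloaded is None:                    # nothing downloaded for this link
            continue
        try:
            if zip_members_with_extension(downloaded, "wsf"):
                return True                       # .file_extension == "wsf" matched
        except zipfile.BadZipFile:
            continue                              # link did not yield a real archive
    return False
```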