Attachment: PDF with link to zip containing a wsf file

Detects a PDF attachment with a link to a ZIP file that contains a WSF file

Sublime rule

name: "Attachment: PDF with link to zip containing a wsf file"
description: "Detects a PDF attachment with a link to a ZIP file that contains a WSF file"
references:
  - "https://analyzer.sublime.security/?id=596edcf4-507e-4714-8b2d-b1f51c258c70"
  - "https://twitter.com/Cryptolaemus1/status/1649091718552379392"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
      .file_type == "pdf" and
      any(file.explode(.),
          any(.scan.pdf.urls, strings.ends_with(.url, "zip")
              and any(beta.linkanalysis(.).files_downloaded,
                  any(file.explode(.),
                    .file_extension == "wsf")
                  )
              )
          )
      )
tags:
  - "Suspicious attachment"
  - "QakBot"
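The rule's chain of checks (PDF attachment, URL ending in "zip", downloaded archive containing a .wsf entry) mirrored in plain Python as an added example, not code from the Sublime rule or its repository, so the logic can be exercised offline in a test harness. It assumes a simplified input shape (each attachment is a dict with `file_type` and the `urls` an exploder pulled from the PDF) and a `fetch` callable standing in for link analysis downloads; the ZIP bytes and URLs below are constructed, and case normalization is this example's choice rather than a statement about MQL semantics.

```python
import io
import zipfile
from typing import Callable, Iterable

# Assumed input shape (not the Sublime/MQL object model): each attachment is a
# dict {"file_type": str, "urls": [str, ...]}; `fetch(url)` returns the bytes an
# analyzer would download for that URL.


def zip_contains_extension(blob: bytes, ext: str) -> bool:
    """True if any file entry in the ZIP (at any depth) carries the extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(
                not info.is_dir() and info.filename.lower().endswith("." + ext)
                for info in zf.infolist()
            )
    except zipfile.BadZipFile:
        return False  # a payload that is not a ZIP cannot satisfy the rule


def rule_matches(attachments: Iterable[dict], fetch: Callable[[str], bytes]) -> bool:
    """pdf attachment -> url ending in zip -> downloaded archive holds a .wsf."""
    for att in attachments:
        if att.get("file_type") != "pdf":
            continue
        for url in att.get("urls", []):
            if not url.lower().endswith("zip"):
                continue  # mirrors strings.ends_with(.url, "zip")
            if zip_contains_extension(fetch(url), "wsf"):
                return True
    return False


def _make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed downloads standing in for beta.linkanalysis(.).files_downloaded.
SAMPLE_DOWNLOADS = {
    "https://example.invalid/docs/scan.zip": _make_zip({"Document/scan.wsf": b"<job/>"}),
    "https://example.invalid/docs/report.zip": _make_zip({"report.txt": b"hello"}),
}


def fake_fetch(url: str) -> bytes:
    return SAMPLE_DOWNLOADS.get(url, b"")


MALICIOUS_MSG = [{"file_type": "pdf", "urls": ["https://example.invalid/docs/scan.zip"]}]
BENIGN_MSG = [{"file_type": "pdf", "urls": ["https://example.invalid/docs/report.zip"]},
              {"file_type": "docx", "urls": ["https://example.invalid/docs/scan.zip"]}]
```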
