Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Sublime rule (View on GitHub)
1name: "Attachment: PDF file with low reputation link to ZIP file (unsolicited)"
2description: |
3 Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
4type: "rule"
5severity: "medium"
6authors:
7 - name: "Michael Tingle"
8source: |
9 type.inbound
10 and any([body.plain.raw, body.html.inner_text],
11 any(ml.nlu_classifier(.).entities, .name == "request")
12 )
13 and any(attachments,
14 .file_extension == "pdf"
15 and any(file.explode(.),
16 any(.scan.pdf.urls,
17 regex.contains(.url, '\.(?:zip)') and .domain.root_domain not in $tranco_1m
18 )
19 )
20 )
21 // unsolicited
22 and (
23 (
24 sender.email.domain.root_domain in $free_email_providers
25 and sender.email.email not in $recipient_emails
26 )
27 or (
28 sender.email.domain.root_domain not in $free_email_providers
29 and sender.email.domain.domain not in $recipient_domains
30 )
31 )
32tags:
33 - "Malfam: QakBot"
34attack_types:
35 - "Malware/Ransomware"
36tactics_and_techniques:
37 - "Evasion"
38 - "PDF"
39detection_methods:
40 - "Archive analysis"
41 - "File analysis"
42 - "Natural Language Understanding"
43 - "Sender analysis"
44 - "URL analysis"
45id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1"
Related rules
- Attachment: Archive with pdf, txt and wsf files
- Attachment: Double Base64-encoded Zip File in HTML Smuggling Attachment
- Attachment: HTML smuggling with embedded base64 streamed file download
- Attachment: PDF with link to zip containing a wsf file
- Attachment: PDF with suspicious language and redirect to suspicious file type