Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Sublime rule (View on GitHub)
1name: "Attachment: PDF file with low reputation link to ZIP file (unsolicited)"
2description: |
3 Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
4type: "rule"
5severity: "medium"
6authors:
7 - name: "Michael Tingle"
8source: |
9 type.inbound
10 and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
11 and any(attachments,
12 .file_extension == "pdf"
13 and any(file.explode(.),
14 any(.scan.pdf.urls,
15 regex.contains(.url, '\.(?:zip)') and .domain.root_domain not in $tranco_1m
16 )
17 )
18 )
19 and (
20 not profile.by_sender().solicited
21 or (
22 profile.by_sender().any_messages_malicious_or_spam
23 and not profile.by_sender().any_false_positives
24 )
25 )
26tags:
27 - "Malfam: QakBot"
28attack_types:
29 - "Malware/Ransomware"
30tactics_and_techniques:
31 - "Evasion"
32 - "PDF"
33detection_methods:
34 - "Archive analysis"
35 - "File analysis"
36 - "Natural Language Understanding"
37 - "Sender analysis"
38 - "URL analysis"
39id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1"