Attachment: PDF file with low reputation link to ZIP file (unsolicited)
Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
Sublime rule (View on GitHub)
1name: "Attachment: PDF file with low reputation link to ZIP file (unsolicited)"
2description: |
3 Detects messages with PDF attachments linking directly to zip files from unsolicited senders.
4type: "rule"
5severity: "medium"
6authors:
7 - name: "Michael Tingle"
8source: |
9 type.inbound
10 and any([body.plain.raw, body.html.inner_text],
11 any(ml.nlu_classifier(.).entities, .name == "request")
12 )
13 and any(attachments,
14 .file_extension == "pdf"
15 and any(file.explode(.),
16 any(.scan.pdf.urls,
17 regex.contains(.url, '\.(?:zip)') and .domain.root_domain not in $tranco_1m
18 )
19 )
20 )
21 and (
22 not profile.by_sender().solicited
23 or (
24 profile.by_sender().any_messages_malicious_or_spam
25 and not profile.by_sender().any_false_positives
26 )
27 )
28tags:
29 - "Malfam: QakBot"
30attack_types:
31 - "Malware/Ransomware"
32tactics_and_techniques:
33 - "Evasion"
34 - "PDF"
35detection_methods:
36 - "Archive analysis"
37 - "File analysis"
38 - "Natural Language Understanding"
39 - "Sender analysis"
40 - "URL analysis"
41id: "d1ee2859-acd1-5c12-9b74-89439ed1eaf1"