High Severity

Attachment: PDF with link to zip containing a wsf file

Labels

Malware/Ransomware
Evasion
PDF
Archive analysis
Content analysis
File analysis
URL analysis

Description

Detects an inbound message carrying a PDF attachment whose embedded link leads to a ZIP archive that contains a Windows Script File (WSF). The rule logic covers two delivery paths: a link that names the ZIP directly, and a link to a PHP endpoint that serves the ZIP. WSF files run under the Windows Script Host and are a common first-stage loader; placing one inside an archive behind a link in an otherwise unremarkable PDF keeps the script itself out of the attachment scan, which is why the rule follows the link and explodes what it downloads.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// An inbound message with at least one PDF attachment
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                // Branch 1: a link inside the PDF names a ZIP directly, and the
                // file that link analysis downloads explodes into a .wsf
                any(.scan.url.urls,
                    strings.icontains(.url, "zip")
                    and any(ml.link_analysis(.).files_downloaded,
                            any(file.explode(.), .file_extension == "wsf")
                    )
                )
                // Branch 2: the link is a PHP endpoint; the downloaded file is a
                // ZIP whose member names contain "wsf" anywhere, case-insensitively
                // (a substring test, so it also matches e.g. "statement.pdf.WSF")
                or any(.scan.url.urls,
                       strings.icontains(.url, "php")
                       and any(ml.link_analysis(.).files_downloaded,
                               any(file.explode(.),
                                   .file_extension == "zip"
                                   and any(.scan.zip.attempted_files, strings.icontains(., "wsf"))
                               )
                       )
                )
        )
)
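The following script is an added example, not Sublime Security's code, that mirrors the rule's chain offline: pull /URI link targets out of a PDF, classify each URL the way the two branches do ("zip" in the URL versus a "php" endpoint), and inspect what the link would download for a .wsf member in the ZIP. `fake_fetch` and the `SAMPLE_DOWNLOADS` table are a constructed stand-in for `ml.link_analysis(.).files_downloaded`; the hostnames, file names and the inert WSF body are invented for the example and nothing is fetched from the network.

```python
"""Offline mirror of the rule's PDF -> link -> ZIP -> WSF chain.

Added example, not Sublime Security's code. fetch(url) is a constructed
stand-in for ml.link_analysis(.).files_downloaded; no network is used.
"""
import io
import re
import zipfile

# /URI (literal string), tolerating \) \( \\ escapes inside the string
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# /URI <hex string>
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")


def pdf_link_urls(pdf_bytes: bytes) -> list[str]:
    """Collect URLs from /URI link actions by scanning raw PDF objects.

    Enough for plain link annotations; a PDF that hides objects in compressed
    object streams (/ObjStm) must be inflated by a real parser (e.g. pypdf) first.
    """
    urls = []
    for m in URI_LITERAL_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # drop the escaping backslash
        urls.append(raw.decode("latin-1"))
    for m in URI_HEX_RE.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF treats a missing final digit as 0
            hexstr += b"0"
        urls.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return urls


def zip_member_names(blob: bytes) -> list[str]:
    """Member names from the ZIP central directory, or [] if blob is not a ZIP.

    Names are stored unencrypted even in password-protected archives, so a .wsf
    inside an encrypted ZIP is still visible without the password.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def has_wsf_member(names: list[str]) -> bool:
    """Stricter than the rule's substring test: require a .wsf extension."""
    return any(n.lower().endswith(".wsf") for n in names)


def suspicious_pdf_links(pdf_bytes: bytes, fetch) -> list[dict]:
    """Apply both branches of the rule to one PDF.

    branch "zip": the URL itself mentions zip (direct archive link)
    branch "php": the URL is a PHP endpoint that served a ZIP
    Either way the downloaded ZIP must list a .wsf member to count.
    """
    hits = []
    for url in pdf_link_urls(pdf_bytes):
        lower = url.lower()
        if "zip" in lower:
            branch = "zip"
        elif "php" in lower:
            branch = "php"
        else:
            continue
        for blob in fetch(url):
            names = zip_member_names(blob)
            if has_wsf_member(names):
                hits.append({"url": url, "branch": branch, "members": names})
    return hits


# ---- constructed sample data (hypothetical hosts, inert script) ---------

def build_pdf(url: str) -> bytes:
    """Minimal single-page PDF with one link annotation pointing at url."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 20]\n"
        b"   /A << /S /URI /URI (" + url.encode("latin-1") + b") >> >> endobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


INERT_WSF = b"<job><script language='JScript'>WScript.Echo('test');</script></job>"

# What each hypothetical URL would hand back to link analysis.
SAMPLE_DOWNLOADS = {
    "http://invoice.example.test/dl.php?id=77": [build_zip({"Invoice_2023.wsf": INERT_WSF})],
    "http://cdn.example.test/docs/statement.zip": [build_zip({"Statement.pdf.WSF": INERT_WSF})],
    "http://cdn.example.test/docs/benign.zip": [build_zip({"readme.txt": b"nothing to see"})],
}


def fake_fetch(url: str) -> list[bytes]:
    return SAMPLE_DOWNLOADS.get(url, [])


if __name__ == "__main__":
    for u in SAMPLE_DOWNLOADS:
        print(u, "->", suspicious_pdf_links(build_pdf(u), fake_fetch))
```

Two deliberate differences from the rule are worth noting. `has_wsf_member` requires a `.wsf` extension, whereas the rule's second branch uses `strings.icontains(., "wsf")` on `attempted_files`, which also matches names that merely contain the substring; loosen the check if you want the same recall. The raw-object scan in `pdf_link_urls` sees nothing inside compressed object streams, so for real samples run the PDF through a parser that inflates `/ObjStm` before extracting links, as the rule's `file.explode` does for you.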