High Severity

Attachment: PDF with suspicious language and redirect to suspicious file type

Labels

Malware/Ransomware

Credential Phishing

Evasion

PDF

File analysis

Natural Language Understanding

Optical Character Recognition

URL analysis

Description

Attached PDF contains credential theft language, and links to an open redirect to a suspicious file type. This has been observed in-the-wild as a Qakbot technique.

References

https://delivr.to/payloads?id=b2288482-916a-4484-8a0b-bd3b33d93b11

Sublime Security

Created Aug 17th, 2023 • Last updated Jan 12th, 2026

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and any(attachments,
        .file_type == "pdf"
        and any(file.explode(.),
                length(.scan.url.urls) > 0
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "cred_theft"
                        and .confidence in~ ("medium", "high")
                )
                and any(.scan.url.urls,
                        strings.icontains(ml.link_analysis(.).final_dom.display_text,
                                          "Redirect Notice"
                        )
                        and (
                          strings.contains(ml.link_analysis(.).final_dom.display_text,
                                           ".zip"
                          )
                          or strings.contains(ml.link_analysis(.).final_dom.display_text,
                                              ".php"
                          )
                        )
                )
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.