Detection rules › Sublime MQL
Malware: Pikabot delivery via URL auto-download
This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| body |
| body.links (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and any(body.links,
regex.imatch(.display_url.url, '.+\/[a-z0-9]+\/\?[0-9a-z]+')
)
and (
any(body.links,
.href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
and not .href_url.domain.domain in ("drive.google.com", "github.com")
)
or any(body.links,
any(ml.link_analysis(., mode="aggressive").files_downloaded,
.file_extension in~ $file_extensions_common_archives
and (
any(file.explode(.),
.file_extension =~ "js"
or .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
)
)
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or profile.by_sender().any_messages_malicious_or_spam
)
Detection logic
Scope: inbound message.
This rule detects URLs matching a known Pikabot pattern where the linked domain has been reported to URLhaus, or the link downloads an archive containing a JS file, or a file in the archive hash is found in Malware Bazaar.
- inbound message
any of
body.linkswhere:- .display_url.url matches '.+\\/[a-z0-9]+\\/\\?[0-9a-z]+'
any of:
any of
body.linkswhere all hold:- .href_url.domain.domain in $abuse_ch_urlhaus_domains_trusted_reporters
not:
- .href_url.domain.domain in ('drive.google.com', 'github.com')
any of
body.linkswhere:any of
ml.link_analysis(., mode='aggressive').files_downloadedwhere all hold:- .file_extension in $file_extensions_common_archives
any of
file.explode(.)where any holds:- .file_extension is 'js'
- .scan.hash.sha256 in $abuse_ch_malwarebazaar_sha256_trusted_reporters
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
not:
- profile.by_sender().solicited
- profile.by_sender().any_messages_malicious_or_spam
Inspects: body.links, body.links[].display_url.url, body.links[].href_url.domain.domain, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.link_analysis, profile.by_sender, regex.imatch. Reference lists: $abuse_ch_malwarebazaar_sha256_trusted_reporters, $abuse_ch_urlhaus_domains_trusted_reporters, $file_extensions_common_archives, $high_trust_sender_root_domains.
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
regex.imatch | regex | .+\/[a-z0-9]+\/\?[0-9a-z]+ |
body.links[].href_url.domain.domain | member | drive.google.com |
body.links[].href_url.domain.domain | member | github.com |
file.explode(ml.link_analysis(body.links[], mode='aggressive').files_downloaded[])[].file_extension | equals | js |