{
	"id": "5cb35b05-5336-45ae-9172-568bf8393d09",
	"created_at": "2026-04-06T00:06:46.300055Z",
	"updated_at": "2026-04-10T03:20:27.050618Z",
	"deleted_at": null,
	"sha1_hash": "11f33fc597243f09cdc25eb06490d6bc54686e16",
	"title": "Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2125624,
	"plain_text": "Detecting QakBot: WSF attachments, OneNote files, and generic\r\nattack surface reduction\r\nBy Sam Scholten,\r\nPublished: 2025-10-22 · Archived: 2026-04-05 19:54:56 UTC\r\nQakBot History and Evolution\r\nQakBot, also known as QBot and Pinkslipbot, has been active since 2007 and has been evolving\r\nconstantly ever since. QakBot started as a banking Trojan that used command and control (C2) servers for payload\r\ndelivery. Built around a modular design, its primary objective was to steal financial data and\r\nlogin credentials from victims. It could also spy on financial operations and redirect users to fake\r\nbanking sites.\r\nOver the years, QakBot has used many different techniques to infect users, including malspam campaigns with\r\nmalicious attachments, hyperlinks, or embedded images that drop a second-stage payload. The malware itself has\r\nevolved to include a variety of functions and new obfuscation methods to evade detection.\r\nhttps://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction\r\nPage 1 of 10\n\n[Figure: QakBot timeline]\r\nExploring the latest delivery method\r\nIn early 2023, QakBot was observed using a new distribution method built on Windows Script Files (.wsf). In\r\nthis scenario, the phishing email carries a zip file with a random name that contains a .wsf file, a .txt file and\r\na decoy .pdf file.\r\n[Figure: sample email]\r\nThe malicious attachment is delivered in the following sequence:\r\n1. A .zip file containing multiple files, including a decoy .pdf file, a .txt file, and a .wsf file.\r\n2. The .wsf file, not the decoy .pdf, carries the malicious code; opening it executes that script.\r\n3. The script downloads a .dll file and executes it on the infected machine.\r\nThis delivery method is notable in that it uses a .wsf file to execute the malicious code, rather than relying on\r\nOffice macros or other scripting containers.\r\nWhen the victim opens the .wsf file, JavaScript is executed to download the QakBot DLL. The file is\r\nusually written to the C:\\ProgramData directory and executed using rundll32.exe with “Wind” as a\r\nparameter. For example:\r\nDownload the sample\r\nUsing MQL to Detect The WSF Variant\r\nLet’s create an MQL rule that detects this specific delivery method by looking for the following characteristics:\r\n1. An inbound email with at least one attachment.\r\n2. The attachment is an archive.\r\n3. The archive contains a .pdf file, a .txt file and a .wsf file at a depth of 1.\r\nThe Rule\r\nAttachment: Archive with pdf, txt and wsf files\r\n[Figure: Attachment: Archive with pdf, txt and wsf files (MQL)]\r\nBreaking Down the Rule\r\nThe rule inspects inbound mail with at least one attachment. It uses Sublime’s open-source static-files lists,\r\nspecifically $file_extensions_common_archives, to determine whether the attachment is an archive.\r\nIf the attachment’s file_extension is in that list, the rule calls file.explode, which\r\nexplodes the archive. 
The rule then checks whether the exploded archive contains a .pdf, a .txt and a .wsf file\r\nat a depth of 1, that is, directly inside the attachment rather than inside a nested archive.\r\nIf all of these conditions are met, the rule tags the email as \"Qakbot\" and \"Suspicious attachment\" and assigns it a\r\nmedium severity rating.\r\nIn addition to specific detections, it’s important to consider the protection gained from a more generalized approach.\r\nAttack surface reduction (ASR) is a proactive security strategy that minimizes the avenues of\r\nattack available to malicious actors, limiting their opportunity to do harm.\r\nOne effective way to protect against QakBot and similar malware is to implement attack surface\r\nreduction rules such as the one below. This rule uses MQL to scan email content for links\r\nthat lead to an encrypted zip file, then checks whether that zip contains a disk image in IMG, ISO or\r\nVHD format. In a standard password-protected zip the member names stay in cleartext, so the archive listing can be\r\ninspected without the password.\r\n[Figure: Link to auto-downloaded disk image in encrypted zip (MQL)]\r\nOneNote Attack Surface Reduction\r\nIn late 2022, QakBot began using OneNote attachments in its campaigns, likely in response to Microsoft’s\r\ndefault blocking of Office macros in files downloaded from the internet. We can again leverage MQL to surface these attempts.\r\nThe rule below was contributed by @Kyle_Parrish_ (Kyle Parrish), a Sublime Community user.\r\n[Figure: Malicious OneNote Commands (MQL)]\r\nThis rule aims to identify potential threats in OneNote attachments by searching for specific suspicious\r\ncommands. It first checks for OneNote files, including OneNote files inside archives, using Sublime’s static-files\r\nlist $file_extensions_common_archives. 
The rule then uses MQL to scan for strings that may indicate\r\nmalicious behavior, such as references to shell commands (e.g., Windows Script Host, scheduled tasks),\r\nPowerShell, and other malware indicators. This is another good example of reducing your attack surface: it is\r\nnot aimed specifically at QakBot, but at any malware that leverages similar delivery mechanisms.\r\nConclusion\r\nQakBot's varied delivery methods require a multi-layered approach to detection.\r\nOne effective technique for safeguarding against QakBot and similar malware is implementing attack\r\nsurface reduction (ASR) measures. By proactively reducing the avenues of attack available to malicious actors,\r\nASR can significantly minimize the opportunity for harm.\r\nAll of the rules described above can be used both as detection rules to catch new attacks going forward and\r\nas Hunt rules to look for historical attacks. They have all been added to the core Sublime Rules Feed, which means\r\nall Sublime instances, both free and paid, receive these new protections by default.\r\n
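The following is an added example, not the post's MQL and not Sublime code: the two attachment rules discussed above (the archive-with-pdf-txt-wsf rule and the OneNote string rule) re-created in plain Python so they can be run offline. It assumes only zip archives are exploded, uses a short illustrative subset of suspicious strings, and builds its sample attachments inline; those samples are benign placeholders with the right names and shapes, not real malware. It also reports whether any zip member is encrypted, since the member names of a password-protected zip remain readable even though the payload does not.

```python
"""Added example: archive explode + extension checks, and OneNote string scan.
Not the original post's MQL; constructed samples only."""
import io
import re
import zipfile
from dataclasses import dataclass

ARCHIVE_EXTS = {"zip"}                  # assumption: only zip is exploded here
DISK_IMAGE_EXTS = {"img", "iso", "vhd"}
ONENOTE_EXTS = {"one"}
# Illustrative subset of strings the OneNote rule looks for (Windows Script
# Host, scheduled tasks, PowerShell, ...); extend this list for real use.
SUSPICIOUS_RE = re.compile(
    rb"(wscript|cscript|schtasks|powershell|cmd\.exe|rundll32|mshta)", re.I)


@dataclass
class Entry:
    name: str
    depth: int        # 1 = directly inside the attachment (MQL file.explode)
    data: bytes
    encrypted: bool


def ext_of(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def explode(data: bytes, depth: int = 1, max_depth: int = 3) -> list[Entry]:
    """Recursively list zip members, tagging each with its nesting depth."""
    out: list[Entry] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return out
    for info in zf.infolist():
        if info.is_dir():
            continue
        # Bit 0 of the general-purpose flag marks an encrypted member; its
        # name and extension are still readable, only the payload is not.
        encrypted = bool(info.flag_bits & 0x1)
        payload = b"" if encrypted else zf.read(info)
        out.append(Entry(info.filename, depth, payload, encrypted))
        if not encrypted and ext_of(info.filename) in ARCHIVE_EXTS and depth < max_depth:
            out.extend(explode(payload, depth + 1, max_depth))
    return out


def matches_qakbot_wsf(attachment_name: str, data: bytes) -> bool:
    """WSF variant: archive attachment holding .pdf + .txt + .wsf at depth 1."""
    if ext_of(attachment_name) not in ARCHIVE_EXTS:
        return False
    depth1 = {ext_of(e.name) for e in explode(data) if e.depth == 1}
    return {"pdf", "txt", "wsf"} <= depth1


def archive_has_disk_image(data: bytes) -> tuple[bool, bool]:
    """ASR check: (disk image present at any depth, any member encrypted)."""
    entries = explode(data)
    found = any(ext_of(e.name) in DISK_IMAGE_EXTS for e in entries)
    return found, any(e.encrypted for e in entries)


def scan_onenote(data: bytes) -> list[str]:
    """Suspicious strings found as raw ASCII or as UTF-16LE (wide) text."""
    wide = data.decode("utf-16-le", "ignore").encode("ascii", "ignore")
    hits = set()
    for blob in (data, wide):
        hits.update(m.decode().lower() for m in SUSPICIOUS_RE.findall(blob))
    return sorted(hits)


def onenote_suspicious(attachment_name: str, data: bytes) -> list[str]:
    """OneNote rule: a loose .one file, or .one files inside an archive."""
    ext = ext_of(attachment_name)
    if ext in ONENOTE_EXTS:
        blobs = [data]
    elif ext in ARCHIVE_EXTS:
        blobs = [e.data for e in explode(data) if ext_of(e.name) in ONENOTE_EXTS]
    else:
        blobs = []
    hits = set()
    for blob in blobs:
        hits.update(scan_onenote(blob))
    return sorted(hits)


def make_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: benign bytes with the file names/shapes of the lures.
WSF_SAMPLE = make_zip({"invoice.pdf": b"%PDF-1.4 decoy", "readme.txt": b"-",
                       "invoice.wsf": b"<job><script language='JScript'></script></job>"})
NESTED_SAMPLE = make_zip({"inner.zip": make_zip({"a.pdf": b"", "b.txt": b"", "c.wsf": b""})})
ONENOTE_SAMPLE = make_zip({"notes.one": b"\x00" * 16 + "cmd.exe /c schtasks /create".encode("utf-16-le")})
IMAGE_SAMPLE = make_zip({"document.iso": b"\x00" * 32})

if __name__ == "__main__":
    print(matches_qakbot_wsf("order.zip", WSF_SAMPLE), matches_qakbot_wsf("order.zip", NESTED_SAMPLE))
    print(archive_has_disk_image(IMAGE_SAMPLE), onenote_suspicious("notes.zip", ONENOTE_SAMPLE))
```

The depth tag is what keeps the WSF rule tight: the nested sample carries the same three extensions one level down and is deliberately not matched, mirroring the rule's depth-of-1 condition. The OneNote scan decodes the bytes as UTF-16LE as well as raw ASCII because embedded objects frequently store command strings as wide text, which a plain byte search would miss.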
Source: https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://sublime.security/blog/detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction"
	],
	"report_names": [
		"detecting-qakbot-wsf-attachments-onenote-files-and-generic-attack-surface-reduction"
	],
	"threat_actors": [],
	"ts_created_at": 1775434006,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11f33fc597243f09cdc25eb06490d6bc54686e16.pdf",
		"text": "https://archive.orkl.eu/11f33fc597243f09cdc25eb06490d6bc54686e16.txt",
		"img": "https://archive.orkl.eu/11f33fc597243f09cdc25eb06490d6bc54686e16.jpg"
	}
}