
Summary
This detection rule identifies PDF attachments that contain a link to a ZIP file which in turn holds a WSF (Windows Script File). Attackers commonly use this chain to deliver malware or ransomware, relying on recipients to download the archive and run the script inside it. The rule operates on inbound messages: it checks the attachment's file type, extracts the URLs the PDF contains, and follows any URL that points to a ZIP file. If the ZIP's contents include a WSF file, an alert is raised. Combining archive analysis with URL content analysis lets the rule flag this delivery chain accurately.
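The following Python is an added illustration of the detection logic described above; it is not the rule's own implementation. It assumes the PDF's link text has already been extracted as plain text, and it replaces the real URL fetch with a constructed in-memory dictionary (`SAMPLE_FETCH`) so the example runs offline. The sample PDF text, the sample ZIP and every URL in it are constructed for this example.

```python
import io
import re
import zipfile

# Constructed sample attachment text. A production detector would pull link
# annotations and text out of the PDF with a PDF parser; only the URL strings
# matter for the logic shown here.
SAMPLE_PDF_TEXT = (
    "Invoice #4471\nPlease review the attached document:\n"
    "https://example.invalid/files/invoice_4471.zip\n"
    "Questions? https://example.invalid/support\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ARCHIVE_EXTS = (".zip",)
SCRIPT_EXTS = (".wsf",)


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL found in the attachment text, in order."""
    return URL_RE.findall(text)


def archive_links(urls) -> list[str]:
    """Keep only links whose path (ignoring query/fragment) ends in a ZIP extension."""
    out = []
    for u in urls:
        path = u.split("?", 1)[0].split("#", 1)[0]
        if path.lower().endswith(ARCHIVE_EXTS):
            out.append(u)
    return out


def zip_contains_script(data: bytes) -> list[str]:
    """Return the names of WSF entries inside a ZIP, including nested directories.

    Non-ZIP bytes (a decoy page, a truncated download) yield an empty list
    rather than an exception, so one bad fetch cannot abort the whole scan.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]
    except zipfile.BadZipFile:
        return []


def build_sample_zip(entries: dict) -> bytes:
    """Construct an in-memory ZIP from {name: content}; used for sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for URL content retrieval. A real detector would fetch the
# linked file in a sandboxed client with size and time limits instead of this dict.
SAMPLE_FETCH = {
    "https://example.invalid/files/invoice_4471.zip": build_sample_zip({
        "invoice_4471/readme.txt": "placeholder text",
        "invoice_4471/Invoice.pdf.wsf": "placeholder script body",
    }),
}


def evaluate_attachment(pdf_text: str, fetch=SAMPLE_FETCH.get) -> dict:
    """Apply the rule: alert when a PDF link leads to a ZIP that carries a WSF file."""
    hits = []
    for url in archive_links(extract_urls(pdf_text)):
        data = fetch(url)
        if data is None:  # link could not be retrieved; nothing to inspect
            continue
        scripts = zip_contains_script(data)
        if scripts:
            hits.append({"url": url, "wsf_entries": scripts})
    return {"alert": bool(hits), "hits": hits}


if __name__ == "__main__":
    print(evaluate_attachment(SAMPLE_PDF_TEXT))
```

The extension checks are case-insensitive and look at the full entry path, so a WSF buried in a subdirectory or given a double extension such as `Invoice.pdf.wsf` is still caught. Entries that are not valid ZIP data are skipped rather than treated as clean, which keeps the scan robust when the linked host serves something other than the archive.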
Categories
- Endpoint
- Cloud
- Web
Data Sources
- File
- Network Traffic
- Application Log
Created: 2023-04-21