Attachment: Fake PDF Invoices Yara

These YARA signatures match fake invoice PDFs with specific artifacts, including images and link locations.

Sublime rule (View on GitHub)

name: "Attachment: Fake PDF Invoices Yara"
description: "These yara signatures match fake invoice PDFs with specific artifacts including images and link locations. "
type: "rule"
severity: "medium"
# Inbound message with a PDF attachment where any file produced by
# file.explode has a YARA match with one of the two listed signature names.
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name in (
                    "fake_invoice_pdf_structure_01",
                    "fake_invoice_pdf_images_01",
                  )
              )
          )
  )
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "YARA"
id: "5e006046-12cd-567c-8070-d1c251ccb512"