Adobe branded PDF file linking to a password-protected file from untrusted sender

Detects PDF files with links to a remotely hosted password-protected file. This is a common technique abused by phishing actors as well as malware actors (IcedID, Remcos, AsyncRAT).

Sublime rule:

```yaml
name: "Adobe branded PDF file linking to a password-protected file from untrusted sender"
description: |
  Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
  abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
                  )
                  and strings.icontains(.scan.ocr.raw, "password-protected")
                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                          .name == "org" and .text == "Adobe"
                  )
          )
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Impersonation: Brand"
  - "PDF"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "5ea75469-58e8-561e-9a19-24da14a946b7"
```
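To reason about when this rule fires, the following added example (not part of the Sublime rule or its repository) mirrors the rule's boolean logic in Python over constructed inputs. The OCR text, NLU intents and entities that Sublime derives from `file.explode()` and `ml.nlu_classifier()` are assumed here to be supplied as plain data, so the attachment branch and the sender-profile branch can be exercised offline, including the case where a sender with prior malicious messages also has recorded false positives.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the objects the rule reads. In Sublime the OCR text,
# intents and entities come from file.explode() and ml.nlu_classifier(); here
# they are plain data so the rule's logic can be checked without the platform.
@dataclass
class Attachment:
    file_extension: str
    ocr_raw: str                                   # .scan.ocr.raw of the exploded file
    intents: list = field(default_factory=list)    # (name, confidence) pairs
    entities: list = field(default_factory=list)   # (name, text) pairs

@dataclass
class SenderProfile:
    prevalence: str                                # e.g. "new", "outlier", "common"
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False

def attachment_matches(a: Attachment) -> bool:
    """Attachment branch: a PDF whose OCR text classifies as credential theft with
    high confidence, mentions a password-protected file, and names Adobe as an org."""
    if a.file_extension != "pdf":
        return False
    cred_theft = any(n == "cred_theft" and c == "high" for n, c in a.intents)
    adobe_brand = any(n == "org" and t == "Adobe" for n, t in a.entities)
    # strings.icontains is case-insensitive, hence the lower() here
    return cred_theft and "password-protected" in a.ocr_raw.lower() and adobe_brand

def sender_is_untrusted(p: SenderProfile) -> bool:
    """Sender branch: first-seen or outlier sender, or a sender with prior
    malicious/spam messages and no false positives recorded against them."""
    return (p.prevalence in ("new", "outlier")
            or (p.any_messages_malicious_or_spam and not p.any_false_positives))

def rule_fires(inbound: bool, attachments: list, profile: SenderProfile) -> bool:
    """Top-level rule: inbound message, at least one matching attachment,
    and an untrusted sender profile."""
    return (inbound
            and any(attachment_matches(a) for a in attachments)
            and sender_is_untrusted(profile))
```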