Adobe branded PDF file linking to a password-protected file from untrusted sender

Detects PDF files with links to a remotely hosted password-protected file. This is a common technique abused by phishing actors as well as malware actors (IcedID, Remcos, Async Rat).

Sublime rule

name: "Adobe branded PDF file linking to a password-protected file from untrusted sender"
description: |
  Detects pdf files with links to a remotely hosted password-protected file. This is a common technique
  abused by Phishing actors as well as Malware actors (IcedID, Remcos, Async Rat)
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
                  )
                  and strings.icontains(.scan.ocr.raw, "password-protected")
                  and any(ml.nlu_classifier(.scan.ocr.raw).entities,
                          .name == "org" and .text == "Adobe"
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "Impersonation: Brand"
  - "PDF"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
id: "5ea75469-58e8-561e-9a19-24da14a946b7"
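The rule's source reduces to three conditions evaluated over the OCR text of each exploded PDF: a high-confidence "cred_theft" intent, the phrase "password-protected" (case-insensitive), and an "org" entity whose text is "Adobe". Note that the source does not inspect link targets; the link to the remote file is inferred from the lure text, so a PDF that matches all three text signals fires even if no URI annotation is present. The following Python script is an added illustration (not Sublime's code and not a substitute for the MQL above) that evaluates those same three conditions offline over hand-constructed attachment records. The classifier output is embedded as constructed data standing in for what `ml.nlu_classifier` and `file.explode` would return; the dataclass and function names are this example's own.

```python
"""Offline walk-through of the rule's attachment conditions (added example)."""
from dataclasses import dataclass


@dataclass
class NluResult:
    """Constructed stand-in for ml.nlu_classifier(.scan.ocr.raw)."""
    intents: list    # (name, confidence) pairs
    entities: list   # (name, text) pairs


@dataclass
class ExplodedFile:
    """Constructed stand-in for one element of file.explode(.)."""
    ocr_raw: str     # what .scan.ocr.raw would hold
    nlu: NluResult


@dataclass
class Attachment:
    file_name: str
    file_extension: str
    exploded: list   # list[ExplodedFile]


def file_conditions(f: ExplodedFile) -> dict:
    """Evaluate the three per-file conditions; returns each result for triage."""
    return {
        "cred_theft_high": any(
            name == "cred_theft" and conf == "high" for name, conf in f.nlu.intents
        ),
        # strings.icontains is a case-insensitive substring test
        "mentions_password_protected": "password-protected" in f.ocr_raw.lower(),
        "adobe_org_entity": any(
            name == "org" and text == "Adobe" for name, text in f.nlu.entities
        ),
    }


def file_matches(f: ExplodedFile) -> bool:
    return all(file_conditions(f).values())


def rule_matches(inbound: bool, attachments: list) -> bool:
    """Mirror the rule: inbound AND any PDF attachment with any matching exploded file."""
    return inbound and any(
        a.file_extension == "pdf" and any(file_matches(f) for f in a.exploded)
        for a in attachments
    )


# Constructed sample records (not real message data).
LURE = Attachment(
    file_name="Adobe_Secure_Document.pdf",
    file_extension="pdf",
    exploded=[ExplodedFile(
        ocr_raw=("Adobe Document Cloud\n"
                 "You have received a PASSWORD-PROTECTED file.\n"
                 "Sign in with your email credentials to view it."),
        nlu=NluResult(intents=[("cred_theft", "high")], entities=[("org", "Adobe")]),
    )],
)

# Mentions a password-protected archive but carries neither the Adobe brand
# nor a high-confidence credential-theft intent, so the rule stays quiet.
INVOICE = Attachment(
    file_name="invoice.pdf",
    file_extension="pdf",
    exploded=[ExplodedFile(
        ocr_raw="Invoice #1042. The attached archive is password-protected; call us for the password.",
        nlu=NluResult(intents=[("cred_theft", "low")], entities=[("org", "Acme Corp")]),
    )],
)

if __name__ == "__main__":
    for label, att in (("lure", LURE), ("invoice", INVOICE)):
        print(label, rule_matches(True, [att]), file_conditions(att.exploded[0]))
```

Running the script shows the lure matching and the invoice not matching, with the per-condition dictionary making clear which signal was missing; that breakdown is what an analyst would want when tuning the rule or triaging a hit.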