Attachment: PDF Object Hash with Blue File Icon
Detects PDF attachments containing a specific object hash (8638ef6bfe382a927aa12a18f2150757) associated with encrypted PDFs leading to cred phishing.
Sublime rule

```yaml
name: "Attachment: PDF Object Hash with Blue File Icon"
description: "Detects PDF attachments containing a specific object hash (8638ef6bfe382a927aa12a18f2150757) associated with encrypted PDFs leading to cred phishing."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              .scan.pdf_obj_hash.object_hash == "8638ef6bfe382a927aa12a18f2150757"
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
id: "d092e95c-62b7-5d55-b2a3-6363294180d4"
```
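The rule above matches on a per-object hash that Sublime's `file.explode` enrichment computes for every object inside a PDF attachment. The following added example (not Sublime's code and not the algorithm behind `pdf_obj_hash`, whose exact normalization is not given on this page) shows the same detection shape outside the platform: split a PDF into its `N G obj ... endobj` units, hash each one after collapsing whitespace, and report any object whose hash is on a known-bad list. The sample PDF bytes, the whitespace normalization, and MD5 as the digest are all assumptions made here so the script runs offline; only the known-bad hash value is taken from the rule.

```python
import hashlib
import re

# Constructed sample: a minimal PDF with one page carrying a file-attachment
# annotation. Built for this example only; it is not a sample from the rule.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /FileAttachment /Name /Paperclip /Rect [0 0 50 50] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Hash value quoted from the rule; everything else in this file is assumed.
KNOWN_BAD = {"8638ef6bfe382a927aa12a18f2150757"}

# Matches "<num> <gen> obj ... endobj" for uncompressed, non-object-stream PDFs.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)


def normalize(body: bytes) -> bytes:
    # Collapse whitespace so an object that was merely reflowed between
    # samples still hashes identically. Assumption: a stand-in for whatever
    # normalization the real pdf_obj_hash enrichment applies.
    return b" ".join(body.split())


def object_hash(body: bytes) -> str:
    # MD5 chosen because the rule's hash is 32 hex characters; an assumption.
    return hashlib.md5(normalize(body)).hexdigest()


def iter_objects(pdf: bytes):
    """Yield (object number, generation, raw body) for each top-level object."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def scan_pdf(pdf: bytes, known_bad: set) -> list:
    """Return (object number, hash) for every object whose hash is known-bad.

    This mirrors the rule's any(file.explode(.), .scan.pdf_obj_hash.object_hash == ...)
    clause: a single matching object anywhere in the file is enough to alert.
    """
    hits = []
    for num, _gen, body in iter_objects(pdf):
        h = object_hash(body)
        if h in known_bad:
            hits.append((num, h))
    return hits


if __name__ == "__main__":
    for num, gen, body in iter_objects(SAMPLE_PDF):
        print(f"obj {num} {gen}: {object_hash(body)}")
    print("known-bad hits:", scan_pdf(SAMPLE_PDF, KNOWN_BAD))
```

Because the hash is computed per object rather than over the whole file, a sender can change the PDF's text, metadata or surrounding objects without disturbing the one object the rule keys on; that is why an object-level hash is a more durable indicator than a file hash for a reused lure template. The flip side is that this toy parser only sees objects that are stored uncompressed and outside object streams, so a real implementation has to inflate `/ObjStm` containers first.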