Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification

Detects PDF attachments containing a specific object hash (63bf167b66091a4bc53e8944a76f6b08) that may indicate malicious content or known threat indicators.

Sublime rule (view on GitHub). The rule fires on inbound mail carrying a PDF attachment in which any exploded object's hash equals the indicator above, a threat-intelligence match rather than a behavioural one; the "Encrypted PDFs" in the title refers to the campaign this object was seen in, not to a check the rule itself performs.

name: "Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification"
description: "Detects PDF attachments containing a specific object hash (63bf167b66091a4bc53e8944a76f6b08) that may indicate malicious content or known threat indicators."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              .scan.pdf_obj_hash.object_hash == "63bf167b66091a4bc53e8944a76f6b08"
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Threat intelligence"
id: "a8a19bae-db78-5d93-b333-41607b82c256"
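The rule above relies on the platform to explode the PDF into objects and hash each one. As an added illustration of the same object-hash matching idea, here is a small offline scanner that is not Sublime's code and does not reproduce its `pdf_obj_hash` algorithm: it splits a PDF into `N G obj ... endobj` units with a regex, hashes each object body with MD5 after collapsing whitespace (an assumed normalisation, chosen so layout-only differences do not change the hash), and reports objects whose hash is in a known-bad set seeded with the indicator from this page. `SAMPLE_PDF` is a constructed minimal encrypted PDF with a "Payment Notification" title, included so the script runs stand-alone; `is_encrypted` is an extra context check on the trailer's `/Encrypt` entry that the rule itself does not perform.

```python
import hashlib
import re
from typing import Iterator

# Indicator from the rule on this page; extend with further hashes as needed.
KNOWN_BAD_OBJECT_HASHES: set[str] = {"63bf167b66091a4bc53e8944a76f6b08"}

# Constructed sample: a minimal PDF whose trailer references an /Encrypt
# dictionary and whose /Info title mimics a payment notification lure.
# It is not a real sample and carries no payload.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1 /O <00> /U <00> >>
endobj
5 0 obj
<< /Title (Payment Notification) /Producer (constructed sample) >>
endobj
trailer
<< /Root 1 0 R /Encrypt 4 0 R /Info 5 0 R >>
%%EOF
"""

# "N G obj <body> endobj"; DOTALL so stream bodies spanning lines are captured.
# Object streams (/ObjStm) and incremental updates are not unpacked here.
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
_ENCRYPT_RE = re.compile(rb"/Encrypt\s+\d+\s+\d+\s+R")


def iter_pdf_objects(data: bytes) -> Iterator[tuple[int, bytes]]:
    """Yield (object number, raw body bytes) for each indirect object."""
    for m in _OBJ_RE.finditer(data):
        yield int(m.group(1)), m.group(3)


def normalize_object(body: bytes) -> bytes:
    """Assumed normalisation: collapse whitespace runs and trim the ends."""
    return re.sub(rb"\s+", b" ", body).strip()


def pdf_object_hash(body: bytes) -> str:
    """MD5 of the normalised object body (assumption; not Sublime's scheme)."""
    return hashlib.md5(normalize_object(body)).hexdigest()


def is_encrypted(data: bytes) -> bool:
    """True if a trailer dictionary points at an /Encrypt object."""
    return _ENCRYPT_RE.search(data) is not None


def scan_pdf(data: bytes, known_bad: set[str]) -> list[tuple[int, str]]:
    """Return (object number, hash) for every object whose hash is known-bad."""
    hits: list[tuple[int, str]] = []
    for num, body in iter_pdf_objects(data):
        h = pdf_object_hash(body)
        if h in known_bad:
            hits.append((num, h))
    return hits


if __name__ == "__main__":
    print("encrypted:", is_encrypted(SAMPLE_PDF))
    for num, body in iter_pdf_objects(SAMPLE_PDF):
        print(f"obj {num}: {pdf_object_hash(body)}")
    print("known-bad hits:", scan_pdf(SAMPLE_PDF, KNOWN_BAD_OBJECT_HASHES))
```

Because the hashing scheme here is assumed, hashes it produces are only comparable with hashes produced by the same script; to reuse a vendor's indicator you must hash objects exactly the way that vendor does. Pairing the hash match with `is_encrypted` is one way to add the "encrypted PDF" context from the rule's title when triaging hits.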