Attachment: Password-protected PDF with fake document indicators
Detects PDF attachments that are password protected and that match YARA signatures looking for specific content observed in previous activity.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL query under `source`.
# The query is evaluated per message; the rule fires when the whole expression is true.
name: "Attachment: Password-protected PDF with fake document indicators"
description: "Detects PDF attachments that are password protected and matching YARA signatures looking for specific content observed in previous activity."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail carrying exactly one attachment.
  // NOTE(review): the == 1 check means the same PDF delivered alongside any other
  // attachment is not covered by this rule — confirm that narrowing is intended.
  type.inbound
  and length(attachments) == 1
  // At least one attachment whose detected file type is PDF must satisfy both
  // conditions below (metadata phrase AND YARA signature match).
  and any(filter(attachments, .file_type == "pdf"),
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released.
          //
          // Condition 1: some EXIF/metadata field value contains the phrase
          // "password protected" (case-insensitive substring match).
          any(beta.parse_exif(.).fields,
              strings.icontains(.value, 'password protected')
          )
          // Condition 2: exploding the attachment yields at least one object whose
          // YARA scan matched the named signature. The signature body lives outside
          // this file, so the "fake document indicators" are defined there, not here.
          and any(file.explode(.),
                  any(.scan.yara.matches,
                      .name in ("pwd_protected_pdf_fake_document_1")
                  )
          )
  )
# Classification metadata used for triage and reporting; it does not affect matching.
attack_types:
  - "Malware/Ransomware"
  - "Credential Phishing"
tactics_and_techniques:
  - "Encryption"
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
  - "Exif analysis"
# Stable identifier for this rule.
id: "b45e4440-1133-5122-a90f-2516dba88588"