Attachment: Finance themed PDF with observed phishing template

Detects PDF attachments whose extracted strings contain the literal annotation rectangle "/Rect [ 249.75 560 407.25 599.75 ]". In a PDF, /Rect is the bounding box of an annotation (for example a clickable link or a form widget), and this exact value, including the spacing inside the brackets, has been observed in a finance-themed credential phishing template; a match therefore points to a document generated from that template rather than to a generic property of malicious PDFs. Because the rule is an exact substring match, a document that carries the same coordinates with different whitespace (such as "/Rect[249.75 560 407.25 599.75]") does not match, so the spacing is part of the signature.

Sublime rule (View on GitHub)

name: "Attachment: Finance themed PDF with observed phishing template"
description: "Detects PDF attachments containing a specific rectangular coordinate pattern at position [249.75 560 407.25 599.75], which may indicate a templated or malicious document structure."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.strings.strings,
                  strings.contains(., "/Rect [ 249.75 560 407.25 599.75 ]")
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "c936f7cc-6139-59d6-982d-26e9f523b143"
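The following Python is an added, standalone illustration of what the rule above does and where an exact substring match on /Rect falls short; it is not Sublime's code and is not part of the rule. It builds constructed sample PDFs (not real attachments) with a single link annotation, reproduces the rule's exact strings.contains test, and adds two things a practitioner would want to see: a whitespace-tolerant comparison of the parsed /Rect coordinates, and inflation of FlateDecode streams so that an annotation tucked inside a compressed object stream is still seen (whether Sublime's file.explode inflates object streams is not stated on this page, so the scanner does it itself). All function names, the sample PDFs and the example URL are assumptions made for the demonstration.

```python
import re
import zlib

# The literal the Sublime rule looks for, spacing included (the rule uses
# strings.contains, so this is an exact substring test).
RULE_RECT = b"/Rect [ 249.75 560 407.25 599.75 ]"

# Same rectangle as numbers, for the whitespace-tolerant comparison below.
TEMPLATE_RECT = (249.75, 560.0, 407.25, 599.75)

# Any /Rect array, however the producer spaced it.
RECT_RE = re.compile(
    rb"/Rect\s*\[\s*([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s+([-\d.]+)\s*\]"
)
# Body of every PDF stream object (non-greedy: stops at the first endstream).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def build_pdf(rect_token: bytes, in_object_stream: bool = False) -> bytes:
    """Constructed sample (hypothetical): a one-page PDF with one link annotation.

    With in_object_stream=True the annotation dictionary is stored inside a
    FlateDecode object stream (PDF 1.5 ObjStm), so a raw byte scan cannot see
    it. The xref is a plain table, which is enough for a scanner that never
    consults it; a strictly conformant file would use an xref stream.
    """
    annot = (b"<< /Type /Annot /Subtype /Link " + rect_token +
             b" /Border [0 0 0] /A << /S /URI /URI (https://example.invalid/login) >> >>")
    annot_ref = b"5 0 R" if in_object_stream else b"4 0 R"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annot_ref + b"] >>",
    ]
    if in_object_stream:
        header = b"5 0 "                      # "objnum offset" pair for the embedded object
        body = zlib.compress(header + annot)  # object 4 is the ObjStm holding object 5
        objs.append(b"<< /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
                    % (len(header), len(body)) + body + b"\nendstream")
    else:
        objs.append(annot)
    out = bytearray(b"%PDF-1.5\n")
    offsets = []
    for num, obj in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def exploded_chunks(pdf: bytes):
    """The raw file plus the inflated body of every Flate-compressed stream.

    Stands in for the rule's file.explode(.) step. Trailing bytes after the
    deflate data (the newline before 'endstream') are ignored by decompressobj.
    """
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed or non-Flate stream: nothing to inflate


def contains_raw(pdf: bytes) -> bool:
    """Naive check: exact literal in the file bytes only, no stream inflation."""
    return RULE_RECT in pdf


def matches_rule(pdf: bytes) -> bool:
    """Equivalent of the rule's strings.contains over the exploded content."""
    return any(RULE_RECT in chunk for chunk in exploded_chunks(pdf))


def find_rects(pdf: bytes) -> list:
    """Every /Rect array in the document as a tuple of four floats."""
    rects = []
    for chunk in exploded_chunks(pdf):
        for m in RECT_RE.finditer(chunk):
            rects.append(tuple(float(v) for v in m.groups()))
    return rects


def matches_template_rect(pdf: bytes) -> bool:
    """Whitespace-tolerant variant: same coordinates, any spacing."""
    return TEMPLATE_RECT in find_rects(pdf)


# Constructed samples (not real phishing attachments).
SAMPLES = {
    "exact":  build_pdf(b"/Rect [ 249.75 560 407.25 599.75 ]"),
    "objstm": build_pdf(b"/Rect [ 249.75 560 407.25 599.75 ]", in_object_stream=True),
    "tight":  build_pdf(b"/Rect[249.75 560 407.25 599.75]"),
    "other":  build_pdf(b"/Rect [ 72 700 300 720 ]"),
}

if __name__ == "__main__":
    for name, pdf in SAMPLES.items():
        print(f"{name:6s} raw={contains_raw(pdf)!s:5} rule={matches_rule(pdf)!s:5} "
              f"normalized={matches_template_rect(pdf)}")
```

Run as a script it prints one line per sample. The "tight" sample is the case the caveat in the description refers to: the coordinates are identical but the spacing differs, so the exact-literal check (and the Sublime rule) miss it while the parsed comparison still hits. The "objstm" sample shows why the scan has to run over inflated content and not over the raw attachment bytes.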