Attachment: PDF with ReportLab library and default metadata

Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities.

Sublime rule

name: "Attachment: PDF with ReportLab library and default metadata"
description: "Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments,
          beta.parse_exif(.).producer == "ReportLab PDF Library - (opensource)"
          and beta.parse_exif(.).title == "untitled"
          and beta.parse_exif(.).creator == "anonymous"
          and any(beta.parse_exif(.).fields,
                  .key == "Subject" and .value == "unspecified"
          )
          and beta.parse_exif(.).author == "anonymous"
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "7094bfdd-6a6c-50fa-9d00-ac00609d4312"
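As an added illustration, not part of the Sublime rule or its repository, the Python below applies the same five metadata checks to a PDF's document-information dictionary. The two PDF byte strings are constructed inline, and the parser is deliberately minimal (literal `(...)` strings only), as the comments state.

```python
import re

# Constructed sample: a minimal PDF skeleton whose Info dictionary carries
# exactly the ReportLab defaults the rule matches on (parens are escaped
# inside PDF literal strings, hence the backslashes).
DEFAULT_META_PDF = b"""%PDF-1.4
1 0 obj
<< /Producer (ReportLab PDF Library - \\(opensource\\)) /Title (untitled)
   /Creator (anonymous) /Author (anonymous) /Subject (unspecified) >>
endobj
trailer
<< /Info 1 0 R >>
%%EOF
"""

# Constructed control sample: same library, but the generating code set a
# real title, so the rule should not fire on it.
CUSTOM_TITLE_PDF = DEFAULT_META_PDF.replace(b"(untitled)", b"(Q3 Invoice)")

FIELDS = ("Producer", "Title", "Creator", "Author", "Subject")
_PAIR = re.compile(
    rb"/(" + b"|".join(f.encode() for f in FIELDS) + rb")\s*\(((?:\\.|[^\\()])*)\)",
    re.DOTALL,
)

# Values from the rule above; every one must match for a hit.
REPORTLAB_DEFAULTS = {
    "Producer": "ReportLab PDF Library - (opensource)",
    "Title": "untitled",
    "Creator": "anonymous",
    "Author": "anonymous",
    "Subject": "unspecified",
}


def parse_info(pdf: bytes) -> dict:
    """Extract the five metadata strings from a PDF buffer.
    Simplified on purpose: only literal (...) strings with \\( \\) \\\\ escapes
    are handled, not hex <...> strings or object streams, which is enough
    for ReportLab's default output but not for arbitrary PDFs."""
    info = {}
    for key, raw in _PAIR.findall(pdf):
        value = re.sub(rb"\\([()\\])", rb"\1", raw)  # undo the escapes
        info[key.decode()] = value.decode("latin-1")
    return info


def matches_rule(pdf: bytes) -> bool:
    """Same condition as the Sublime rule: all five defaults present."""
    info = parse_info(pdf)
    return all(info.get(k) == v for k, v in REPORTLAB_DEFAULTS.items())
```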
