Attachment: PDF with suspicious HeadlessChrome metadata
Detects PDF attachments created by HeadlessChrome with suspicious characteristics: an MD5-formatted HTML filename as the document title, or an `about:blank` title together with a Windows Skia/PDF producer; legitimate Google Docs files are excluded.
# Sublime Security detection rule. The `source` block is an MQL query that is
# evaluated against each message; the remaining keys are rule metadata.
name: "Attachment: PDF with suspicious HeadlessChrome metadata"
description: "Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files."
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is in scope.
  type.inbound
  // Match when at least one attachment with a "pdf" extension satisfies every
  // condition below. The creator/producer/title/page_count values come from
  // the attachment's own EXIF metadata (not from mail headers), so the
  // metadata-based exclusions are false-positive trade-offs, not guarantees.
  and any(filter(attachments, .file_extension == "pdf"),
          // Creator metadata names HeadlessChrome (case-insensitive substring).
          strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
          // Single-page PDFs only; multi-page documents do not fire this rule.
          and beta.parse_exif(.).page_count == 1
          and (
            // MD5 filename, 32 hex chars and .html
            // (imatch is case-insensitive, so upper-case hex digits also match)
            regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
            or
            // about:blank and Windows HeadlessChrome
            (
              // Title is exactly "about:blank".
              beta.parse_exif(.).title == "about:blank"
              // Producer begins with "Skia/PDF" and creator mentions Windows
              // (both comparisons case-insensitive).
              and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
              and strings.icontains(beta.parse_exif(.).creator, "Windows")
            )
          )
          // Suppress PDFs whose producer metadata mentions Google Docs.
          and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
  )
  // Sender allowlist: suppress only when the sender's root domain is listed
  // AND DMARC passed. coalesce() turns a missing DMARC result into false, so a
  // message that merely claims a listed From: domain does not get the exemption.
  and not (
    sender.email.domain.root_domain in (
      "guardtek.net",
      "gominis.com",
      "aglgroup.com",
      "truckerzoom.com"
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "eda99b1d-5639-57a0-860e-2d55b7f3b84f"