Attachment: PDF with split QR code

Detects PDF attachments containing split QR codes positioned close together, a technique used to evade detection while maintaining QR code functionality for credential theft.

Sublime rule:

name: "Attachment: PDF with split QR code"
description: "Detects PDF attachments containing split QR codes positioned close together, a technique used to evade detection while maintaining QR code functionality for credential theft."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  // YARA rules match on "split" QR codes that are 290x290, 300x300 or 370x370 and placed close to each other in the PDF
                  strings.istarts_with(.name, 'Phishing_PDF_Split_QR_Code_Pair')
              )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
  - "QR code"
detection_methods:
  - "File analysis"
  - "YARA"
  - "QR code analysis"
id: "b6889ea1-522b-5410-8ccf-ce261fa1fd5f"
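As an added illustration of the heuristic the referenced YARA rules encode (this is example code, not Sublime's rule logic or the YARA signatures, which the page does not reproduce), the Python below walks a PDF page content stream, records where each image XObject is drawn, and flags two square images of a watched size (290, 300 or 370 units) whose bounding boxes sit within a few units of each other. The content stream, the MAX_GAP threshold and the use of placement matrices to measure closeness are assumptions of this example.

```python
import re
from itertools import combinations
# Image sizes (PDF user-space units) the page names for the split-QR signatures.
SPLIT_QR_SIZES = {290, 300, 370}
# How close two halves must sit to count as a pair; assumed threshold, not from the page.
MAX_GAP = 10.0
_TOKEN = re.compile(r"/[A-Za-z0-9_.]+|-?\d+(?:\.\d+)?|[A-Za-z]+")

def image_placements(content_stream):
    """Return [(name, x, y, w, h)] per image XObject drawn via 'cm ... Do' (q/Q honoured)."""
    placements, stack, operands = [], [], []
    ctm = (1.0, 0.0, 0.0, 1.0, 0.0, 0.0)  # identity matrix a b c d e f
    for tok in _TOKEN.findall(content_stream):
        if tok[0] in "/-" or tok[0].isdigit():
            operands.append(tok)
            continue
        if tok == "q":
            stack.append(ctm)
        elif tok == "Q" and stack:
            ctm = stack.pop()
        elif tok == "cm" and len(operands) >= 6:
            a, _, _, d, e, f = (float(v) for v in operands[-6:])
            # Compose with the current matrix (scale and translate components only).
            ctm = (a * ctm[0], 0.0, 0.0, d * ctm[3], e * ctm[0] + ctm[4], f * ctm[3] + ctm[5])
        elif tok == "Do" and operands:
            # Images are drawn into the unit square, so the CTM yields origin and size.
            placements.append((operands[-1], ctm[4], ctm[5], ctm[0], ctm[3]))
        operands = []
    return placements

def split_qr_pairs(placements):
    """Pairs of equal-size square images of a watched size whose boxes lie within MAX_GAP."""
    pairs = []
    for (n1, x1, y1, w1, h1), (n2, x2, y2, w2, h2) in combinations(placements, 2):
        if not (w1 == h1 == w2 == h2 and int(w1) in SPLIT_QR_SIZES):
            continue
        # Axis-aligned distance between the two bounding boxes (0 when they touch or overlap).
        gap_x = max(0.0, abs(x1 - x2) - w1)
        gap_y = max(0.0, abs(y1 - y2) - h1)
        if gap_x <= MAX_GAP and gap_y <= MAX_GAP:
            pairs.append((n1, n2))
    return pairs

# Constructed content stream: two 300x300 halves 2 units apart plus an unrelated logo.
CONSTRUCTED_STREAM = """
q 300 0 0 300 100 500 cm /Im1 Do Q
q 300 0 0 300 402 500 cm /Im2 Do Q
q 120 0 0 40 100 100 cm /Logo Do Q
"""
```

Running `split_qr_pairs(image_placements(CONSTRUCTED_STREAM))` on the constructed stream returns the `/Im1`, `/Im2` pair and ignores the non-square logo; a real PDF would first need its page content streams decompressed and its image dictionaries cross-checked for the declared `/Width` and `/Height`.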