Attachment: PDF with a suspicious string and single URL
Detects inbound single-page PDF attachments whose extracted text contains call-to-action wording such as 'View Document' or 'View PDF' and which carry exactly one URL — a layout commonly used in credential-phishing lures, where the whole PDF exists only to get the recipient to click that link.
Sublime rule
name: "Attachment: PDF with a suspicious string and single URL"
description: "Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks."
type: "rule"
# High severity: a one-page PDF whose only content is a call-to-action and a
# single link has very little legitimate use. Note that some phrases in the
# list below ("Open Document", "View Details", "Review Document") are generic,
# so matches on legitimate one-link notices are possible - review hits.
severity: "high"
source: |
  // Only inbound messages are in scope.
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          // a single page pdf
          // NOTE(review): beta.* functions may change; if page_count cannot be
          // read the comparison presumably evaluates false and the rule does
          // not fire (fails closed) - confirm against current MQL semantics.
          and beta.parse_exif(.).page_count == 1
          // Text content lives on the depth-1 children of the exploded PDF
          // (the scanPDF output), not on the attachment object itself.
          and any(filter(file.explode(.), .depth == 1),
                  // the pdf contains specific suspicious wording
                  // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
                  // regex.icontains is case-insensitive; the first pattern is
                  // anchored (^...$) so the whole line must be the phrase,
                  // while the later unanchored patterns match as substrings.
                  any(.scan.strings.strings,
                      regex.icontains(.,
                                      // action!
                                      // NOTE(review): "Q!_Compensation/Salary Amendments.pptx" looks
                                      // like a specific observed lure filename rather than a
                                      // generic phrase - keep it in mind when pruning this list.
                                      '^\s*(?:view documents?|view pdf|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|REVIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message)\s*$',
                                      // "secure fax"
                                      'View Secure Fax',
                                      // more fake errors
                                      'It seems there was an issue opening the document. Please view it online.',
                                      // fake adobe update
                                      'Update Adobe Viewer',
                                      // fake sharepoint wording
                                      'Learn more about messages protected by Microsoft',
                                      // fake encryption crap
                                      'This document is protected by 256-bit encryption.',
                                      // sent you a document
                                      // NOTE(review): the trailing (?:...sign) group is NOT optional here,
                                      // so "sent you a document to review" without "and sign" does not
                                      // match this pattern - confirm whether that is intended.
                                      '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
                                      '^You received a \S+ to review and sign$',
                                      // docusign
                                      // (unanchored; the surrounding \s* adds nothing for a substring match)
                                      '\s*DocuSign Contract Under Review\s*'
                      )
                  )
                  // fake error messages
                  // Requires a standalone "Error" line (in~ is the case-insensitive
                  // membership test) plus a standalone "View Video" line.
                  or (
                    'Error' in~ .scan.strings.strings
                    and any(.scan.strings.strings,
                            regex.icontains(., '^\s*(?:View Video)\s*$')
                    )
                  )
                  // really terse PDF with link
                  // Exactly one extracted string, and it is this placeholder text.
                  or (
                    length(.scan.strings.strings) == 1
                    and 'Some additional information here' in~ .scan.strings.strings
                  )
          )
          // The attachment object itself (depth 0) must carry exactly one URL.
          // NOTE(review): this is a deliberate precision trade-off - a lure that
          // adds a second (decoy) URL, or spreads the text over two pages, falls
          // outside this rule, so it should be paired with broader PDF/URL rules
          // rather than relied on alone.
          and any(file.explode(.), .depth == 0 and length(.scan.url.urls) == 1)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
  - "Exif analysis"
id: "3bdbb7ad-ca08-546a-ac20-309bef95779a"