Attachment: PDF with a suspicious string and single URL
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
# Sublime Security detection rule.
# Fires on an inbound message that carries a one-page PDF whose extracted text
# contains one of the lure phrases below and whose top-level exploded object
# carries exactly one URL.
name: "Attachment: PDF with a suspicious string and single URL"
description: "Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          // a single page pdf
          // NOTE(review): presumably a PDF that parse_exif cannot read yields no
          // page_count and silently fails this clause — confirm the intended
          // behaviour for malformed or encrypted PDFs.
          and beta.parse_exif(.).page_count == 1
          and any(file.explode(.),
                  // the pdf contains specific suspicious wording
                  // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
                  // NOTE(review): only the patterns anchored with ^...$ are whole-line
                  // matches; the bare phrases further down are passed to
                  // regex.icontains unanchored and so match as case-insensitive
                  // substrings anywhere in a line.
                  any(.scan.strings.strings,
                      regex.icontains(.,
                                      // action!
                                      '^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message)\s*$',
                                      // "secure fax"
                                      'View Secure Fax',
                                      // more fake errors
                                      'It seems there was an issue opening the document. Please view it online.',
                                      // fake adobe update
                                      'Update Adobe Viewer',
                                      // fake sharepoint wording
                                      'Learn more about messages protected by Microsoft',
                                      // fake encryption crap
                                      'This document is protected by 256-bit encryption.',
                                      // sent you a document
                                      // NOTE(review): the "(and|&) sign" group has no trailing "?", so it is
                                      // mandatory — a line ending in "... to review" alone does not match
                                      // this pattern. Confirm that is intended.
                                      '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
                                      '^You received a \S+ to review and sign$',
                                      // docusign
                                      '\s*DocuSign Contract Under Review\s*',
                                      'DOCUMENT PREVIEW',
                                      'PREVIEW DOCUMENT',
                                      'VIEW REMITTANCE COPY HERE',
                                      'shared a file with you',
                                      'check your personal forecast',
                      )
                  )
                  // fake error messages
                  // requires the literal string 'Error' (case-insensitive, via in~)
                  // together with a line that is exactly "View Video"
                  or (
                    'Error' in~ .scan.strings.strings
                    and any(.scan.strings.strings,
                            regex.icontains(., '^\s*(?:View Video)\s*$')
                    )
                  )
                  // really terse PDF with link
                  // the extracted text is a single string and it is the given phrase
                  or (
                    length(.scan.strings.strings) == 1
                    and 'Some additional information here' in~ .scan.strings.strings
                  )
          )
          // exactly one URL in the depth-0 (top-level) exploded object.
          // NOTE(review): this any() is evaluated independently of the any()
          // above, so the lure text and the single URL are not required to come
          // from the same exploded object.
          and any(file.explode(.), .depth == 0 and length(.scan.url.urls) == 1)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
  - "Exif analysis"
id: "3bdbb7ad-ca08-546a-ac20-309bef95779a"