Attachment: PDF with a suspicious string and single URL
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
name: "Attachment: PDF with a suspicious string and single URL"
description: "Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks."
type: "rule"
severity: "high"
# Rule shape (all conditions must hold for the same PDF attachment):
#   1. message is inbound and the attachment is a PDF with page_count == 1
#   2. the text extracted from the PDF contains one of the lure phrases below,
#      OR an "Error" string plus a "View Video" line, OR a single-line body
#      reading "Some additional information here"
#   3. the top-level (depth 0) exploded object links to exactly one URL, or to
#      URLs on exactly one domain when that domain is a self-service content
#      platform, after mailto:/email: links, links that merely repeat the PDF
#      producer/creator tool's domain, and the explicit allowlist are removed
# The URL filter in step 3 is written out three times (count of URLs, count of
# distinct domains, all-domains check) with identical predicates; any change to
# the exclusions must be applied to all three copies or the counts will diverge.
source: |
  type.inbound
  and any(attachments,
          .file_type == "pdf"
          // a single page pdf
          and beta.parse_exif(.).page_count == 1
          and any(file.explode(.),
                  // the pdf contains specific suspicious wording
                  // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
                  any(.scan.strings.strings,
                      regex.icontains(.,
                                      // action!
                                      // anchored with ^\s* ... \s*$ so the whole extracted line must be the call-to-action,
                                      // not a sentence that merely contains it; icontains makes the match case-insensitive
                                      '^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message|CLICK HERE TO VIEW DOCUMENTS|VIEW FULL DOCUMENT HERE)\s*$',
                                      // "secure fax"
                                      'View Secure Fax',
                                      // more fake errors
                                      'It seems there was an issue opening the document. Please view it online.',
                                      // fake adobe update
                                      'Update Adobe Viewer',
                                      // fake sharepoint wording
                                      'Learn more about messages protected by Microsoft',
                                      // fake encryption crap
                                      'This document is protected by 256-bit encryption.',
                                      // sent you a document
                                      // NOTE(review): the trailing (?:\s*(?:and|&)\s*sign) group is not optional, so
                                      // "<name> sent you a file to review" without "and sign" does not match this
                                      // pattern - confirm whether a `?` after the group was intended
                                      '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
                                      '^You received a \S+ to review and sign$',
                                      // docusign
                                      '\s*DocuSign Contract Under Review\s*',
                                      'DOCUMENT PREVIEW',
                                      'PREVIEW DOCUMENT',
                                      'VIEW REMITTANCE COPY HERE',
                                      'shared a file with you',
                                      '(?:check your personal|view your) forecast',
                                      'full new state pension'
                      )
                  )
                  // fake error messages
                  // in~ is the case-insensitive form of in: any extracted line equal to "error" (any case)
                  or (
                    'Error' in~ .scan.strings.strings
                    and any(.scan.strings.strings,
                            regex.icontains(., '^\s*(?:View Video)\s*$')
                    )
                  )
                  // really terse PDF with link
                  // exactly one extracted line, and it is this boilerplate sentence
                  or (
                    length(.scan.strings.strings) == 1
                    and 'Some additional information here' in~ .scan.strings.strings
                  )
          )
          and any(file.explode(.),
                  // depth 0 - presumably the PDF itself rather than objects nested inside it; confirm against file.explode docs
                  .depth == 0
                  and (
                    // exactly one URL survives the exclusions below
                    length(filter(.scan.url.urls,
                                  // remove mailto: links
                                  not strings.istarts_with(.url, 'mailto:')
                                  and not strings.istarts_with(.url, 'email:')
                                  // remove links found in exiftool output producer/creator
                                  // ..scan reaches back to the enclosing exploded file from inside the filter over its urls
                                  and not any([
                                                ..scan.exiftool.producer,
                                                ..scan.exiftool.creator
                                              ],
                                              . is not null
                                              and strings.icontains(.,
                                                                    ..domain.domain
                                              )
                                  )
                                  // explicit allowlist of tool/watermark links that are not the lure
                                  and not .domain.root_domain in ('pdf-tools.com')
                                  and not .url in (
                                    'https://gamma.app/?utm_source=made-with-gamma'
                                  )
                           )
                    ) == 1
                    or
                    // there is only one unique domain
                    (
                      // same exclusions as above, then count distinct domains instead of URLs
                      length(distinct(filter(.scan.url.urls,
                                             // remove mailto: links
                                             not strings.istarts_with(.url,
                                                                      'mailto:'
                                             )
                                             and not strings.istarts_with(.url,
                                                                          'email:'
                                             )
                                             // remove links found in exiftool output producer/creator
                                             and not any([
                                                           ..scan.exiftool.producer,
                                                           ..scan.exiftool.creator
                                                         ],
                                                         . is not null
                                                         and strings.icontains(.,
                                                                               ..domain.domain
                                                         )
                                             )
                                             and not .domain.root_domain in (
                                               'pdf-tools.com'
                                             )
                                             and not .url in (
                                               'https://gamma.app/?utm_source=made-with-gamma'
                                             )
                                      ),
                                      .domain.domain
                             )
                      ) == 1
                      // all of them are in self_service
                      // $self_service_creation_platform_domains is a list maintained outside this rule;
                      // matched on either the full domain or its root domain
                      and all(distinct(filter(.scan.url.urls,
                                              // remove mailto: links
                                              not strings.istarts_with(.url,
                                                                       'mailto:'
                                              )
                                              and not strings.istarts_with(.url,
                                                                           'email:'
                                              )
                                              // remove links found in exiftool output producer/creator
                                              and not any([
                                                            ..scan.exiftool.producer,
                                                            ..scan.exiftool.creator
                                                          ],
                                                          . is not null
                                                          and strings.icontains(.,
                                                                                ..domain.domain
                                                          )
                                              )
                                              and not .domain.root_domain in (
                                                'pdf-tools.com'
                                              )
                                              and not .url in (
                                                'https://gamma.app/?utm_source=made-with-gamma'
                                              )
                                       ),
                                       .domain.domain
                              ),
                              .domain.domain in $self_service_creation_platform_domains
                              or .domain.root_domain in $self_service_creation_platform_domains
                      )
                    )
                  )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
  - "Exif analysis"
id: "3bdbb7ad-ca08-546a-ac20-309bef95779a"