Attachment: PDF with a suspicious string and single URL

Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.

Sublime rule (View on GitHub)

  1name: "Attachment: PDF with a suspicious string and single URL"
  2description: "Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks."
  3type: "rule"
  4severity: "high"
   # Both halves of the query must hold for the same single-page PDF attachment:
   #   (1) the strings extracted from the PDF contain a "view/open/review the
   #       document" style lure, and
   #   (2) after dropping mailto/generator/watermark links, the top-level PDF
   #       carries exactly one URL, or only URLs on one self-service creation
   #       platform domain.
  5source: |
   // only inbound mail is evaluated
  6  type.inbound
  7  and any(attachments,
   // the attachment must be classified as a PDF ...
  8          .file_type == "pdf"
  9          // a single page pdf
   // ... and its parsed EXIF data must report exactly one page
 10          and beta.parse_exif(.).page_count == 1
   // condition (1): lure wording among the strings extracted from the PDF
 11          and any(file.explode(.),
 12                  // the pdf contains specific suspicious wording
 13                  // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
 14                  any(.scan.strings.strings,
   // regex.icontains is case-insensitive; the first pattern is anchored with
   // ^...$ (surrounding whitespace allowed) so an extracted line must consist
   // of one of the listed phrases
 15                      regex.icontains(.,
 16                                      // action!
 17                                      '^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message|CLICK HERE TO VIEW DOCUMENTS|VIEW FULL DOCUMENT HERE)\s*$',
   // the remaining patterns are unanchored (unless they carry ^/$ themselves),
   // so under icontains they match as substrings of an extracted line
 18                                      // "secure fax"
 19                                      'View Secure Fax',
 20                                      // more fake errors
 21                                      'It seems there was an issue opening the document. Please view it online.',
 22                                      // fake adobe update
 23                                      'Update Adobe Viewer',
 24                                      // fake sharepoint wording
 25                                      'Learn more about messages protected by Microsoft',
 26                                      // fake encryption crap
 27                                      'This document is protected by 256-bit encryption.',
 28                                      // sent you a document
   // NOTE(review): the (?:...sign) group below is not optional, so a plain
   // "sent you a X to review" line without "and sign" / "& sign" does not
   // match; add a trailing ? to the group if that wording should also hit
 29                                      '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
 30                                      '^You received a \S+ to review and sign$',
 31                                      // docusign
   // the leading/trailing \s* here are a no-op under containment matching
 32                                      '\s*DocuSign Contract Under Review\s*',
 33                                      'DOCUMENT PREVIEW',
 34                                      'PREVIEW DOCUMENT',
 35                                      'VIEW REMITTANCE COPY HERE',
 36                                      'shared a file with you',
 37                                      '(?:check your personal|view your) forecast',
 38                                      'full new state pension'
 39                      )
 40                  )
 41                  // fake error messages
   // in~ is a case-insensitive membership test: some extracted line is exactly
   // "Error", and another line is exactly "View Video" (whitespace aside)
 42                  or (
 43                    'Error' in~ .scan.strings.strings
 44                    and any(.scan.strings.strings,
 45                            regex.icontains(., '^\s*(?:View Video)\s*$')
 46                    )
 47                  )
 48                  // really terse PDF with link
   // the PDF yields a single extracted string and it is this placeholder text
 49                  or (
 50                    length(.scan.strings.strings) == 1
 51                    and 'Some additional information here' in~ .scan.strings.strings
 52                  )
 53          )
   // condition (2): URL count, evaluated only on the depth-0 exploded object
   // (presumably the PDF itself rather than content embedded in it — confirm);
   // URLs found at greater depth are not counted
 54          and any(file.explode(.),
 55                  .depth == 0
 56                  and (
   // the filter below is repeated verbatim three times in this rule (MQL has
   // no way to name it once); any new exclusion must be added to all copies.
   // Inside the filter "." is a URL object and ".." is the exploded file, so
   // ..scan.exiftool.* reads the file's metadata and, one level deeper,
   // ..domain.domain reads the URL being filtered
 57                    length(filter(.scan.url.urls,
 58                                  // remove mailto: links
 59                                  not strings.istarts_with(.url, 'mailto:')
 60                                  and not strings.istarts_with(.url, 'email:')
 61                                  // remove links found in exiftool output producer/creator
   // NOTE(review): producer/creator are the file's own metadata fields, so this
   // exclusion trusts values written by whoever produced the PDF; weigh that
   // against the false-positive reduction it buys for generator-tool links
 62                                  and not any([
 63                                                ..scan.exiftool.producer,
 64                                                ..scan.exiftool.creator
 65                                              ],
 66                                              . is not null
 67                                              and strings.icontains(.,
 68                                                                    ..domain.domain
 69                                              )
 70                                  )
   // known benign generator/watermark links
 71                                  and not .domain.root_domain in ('pdf-tools.com')
 72                                  and not .url in (
 73                                    'https://gamma.app/?utm_source=made-with-gamma'
 74                                  )
 75                           )
   // branch A: exactly one URL object survives the filter.
   // NOTE(review): this counts entries, not unique links — if .scan.url.urls can
   // hold the same link twice, such a PDF only matches via branch B below, and
   // only when its domain is a self-service platform; confirm upstream dedup
 76                    ) == 1
 77                    or 
 78                    // there is only one unique domain
   // branch B: all surviving URLs share a single domain ...
 79                    (
 80                      length(distinct(filter(.scan.url.urls,
 81                                             // remove mailto: links
 82                                             not strings.istarts_with(.url,
 83                                                                      'mailto:'
 84                                             )
 85                                             and not strings.istarts_with(.url,
 86                                                                          'email:'
 87                                             )
 88                                             // remove links found in exiftool output producer/creator
 89                                             and not any([
 90                                                           ..scan.exiftool.producer,
 91                                                           ..scan.exiftool.creator
 92                                                         ],
 93                                                         . is not null
 94                                                         and strings.icontains(.,
 95                                                                               ..domain.domain
 96                                                         )
 97                                             )
 98                                             and not .domain.root_domain in (
 99                                               'pdf-tools.com'
100                                             )
101                                             and not .url in (
102                                               'https://gamma.app/?utm_source=made-with-gamma'
103                                             )
104                                      ),
105                                      .domain.domain
106                             )
107                      ) == 1
108                      // all of them are in self_service
   // ... and that domain (or its root domain) is in the self-service creation
   // platform list; distinct(..., .domain.domain) keeps one URL object per domain
109                      and all(distinct(filter(.scan.url.urls,
110                                              // remove mailto: links
111                                              not strings.istarts_with(.url,
112                                                                       'mailto:'
113                                              )
114                                              and not strings.istarts_with(.url,
115                                                                           'email:'
116                                              )
117                                              // remove links found in exiftool output producer/creator
118                                              and not any([
119                                                            ..scan.exiftool.producer,
120                                                            ..scan.exiftool.creator
121                                                          ],
122                                                          . is not null
123                                                          and strings.icontains(.,
124                                                                                ..domain.domain
125                                                          )
126                                              )
127                                              and not .domain.root_domain in (
128                                                'pdf-tools.com'
129                                              )
130                                              and not .url in (
131                                                'https://gamma.app/?utm_source=made-with-gamma'
132                                              )
133                                       ),
134                                       .domain.domain
135                              ),
136                              .domain.domain in $self_service_creation_platform_domains
137                              or .domain.root_domain in $self_service_creation_platform_domains
138                      )
139                    )
140                  )
141          )
142  )  
143attack_types:
144  - "Credential Phishing"
145tactics_and_techniques:
146  - "PDF"
147  - "Social engineering"
148  - "Evasion"
149detection_methods:
150  - "Content analysis"
151  - "File analysis"
152  - "URL analysis"
153  - "Exif analysis"
154id: "3bdbb7ad-ca08-546a-ac20-309bef95779a"