Attachment: PDF with suspicious internal object reference identifier

Detects inbound messages containing PDF attachments with a specific internal object reference identifier pattern, which may indicate a crafted or malicious PDF file.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF with suspicious internal object reference identifier"
 2description: "Detects inbound messages containing PDF attachments with a specific internal object reference identifier pattern, which may indicate a crafted or malicious PDF file."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(filter(attachments, .file_type == "pdf"),
 8          any(file.explode(.),
 9              .depth == 0
10              and any(.scan.strings.strings,
11                      strings.contains(., "[<C57237C22450666518136DE404118E5E>")
12              )
13          )
14  )  
15attack_types:
16  - "BEC/Fraud"
17tactics_and_techniques:
18  - "PDF"
19detection_methods:
20  - "Content analysis"
21  - "File analysis"
22id: "f515376e-30f5-56df-86ac-403a0c892466"
to-top