Attachment: PDF with suspicious internal object reference identifier
Detects inbound messages containing PDF attachments with a specific internal object reference identifier pattern, which may indicate a crafted or malicious PDF file.
Sublime rule (View on GitHub)
1name: "Attachment: PDF with suspicious internal object reference identifier"
2description: "Detects inbound messages containing PDF attachments with a specific internal object reference identifier pattern, which may indicate a crafted or malicious PDF file."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and any(filter(attachments, .file_type == "pdf"),
8 any(file.explode(.),
9 .depth == 0
10 and any(.scan.strings.strings,
11 strings.contains(., "[<C57237C22450666518136DE404118E5E>")
12 )
13 )
14 )
15attack_types:
16 - "BEC/Fraud"
17tactics_and_techniques:
18 - "PDF"
19detection_methods:
20 - "Content analysis"
21 - "File analysis"
22id: "f515376e-30f5-56df-86ac-403a0c892466"