Attachment: PDF with suspicious view document characteristics

PDF attachment contains suspicious characteristics commonly associated with document viewing lures, as detected by YARA pattern matching.

Sublime rule (View on GitHub)

name: "Attachment: PDF with suspicious view document characteristics"
description: "PDF attachment contains suspicious characteristics commonly associated with document viewing lures, as detected by YARA pattern matching."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name == "view_document_pdf_characteristics"
              )
          )
  )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "YARA"
id: "8b2ec902-929b-56d2-82ff-869767bb3eff"
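The rule's logic is three nested any() calls: keep only attachments whose file_type is "pdf", explode each one, and fire if any exploded object carries a YARA match named view_document_pdf_characteristics. The following Python is an added example that models that predicate on constructed messages; it is not Sublime Security's engine, not the rule's own code, and the YARA signature itself is only referenced by name, not reproduced. Field names (file_type, exploded, yara_matches) are assumptions that loosely mirror the MQL fields. The constructed cases show the two things a practitioner usually wants to confirm: outbound mail never matches, and because the filter keys on the attachment's own file_type, a PDF that only appears inside a ZIP does not satisfy this particular rule even if the exploded child matches the signature.

```python
"""Illustrative model of the MQL predicate above (added example, not Sublime code).

Re-implements the rule's nesting in plain Python so the evaluation order can be
exercised offline: any(filter(attachments, .file_type == "pdf"),
any(file.explode(.), any(.scan.yara.matches, .name == <signature>))).
"""
from dataclasses import dataclass, field
from typing import List

# Name of the YARA signature the rule looks for; its content is not on the page.
YARA_RULE_NAME = "view_document_pdf_characteristics"


@dataclass
class ExplodedFile:
    # One object produced by file.explode(); only the names of matched YARA
    # rules are kept, since that is all the predicate inspects.
    yara_matches: List[str] = field(default_factory=list)


@dataclass
class Attachment:
    file_name: str
    file_type: str                       # type as the platform reports it, e.g. "pdf", "zip"
    exploded: List[ExplodedFile] = field(default_factory=list)


@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment] = field(default_factory=list)


def attachment_has_match(att: Attachment, rule_name: str = YARA_RULE_NAME) -> bool:
    """any(file.explode(.), any(.scan.yara.matches, .name == rule_name))"""
    return any(rule_name in child.yara_matches for child in att.exploded)


def rule_matches(msg: Message) -> bool:
    """type.inbound and any(filter(attachments, .file_type == "pdf"), ...)"""
    if not msg.inbound:
        return False
    # filter() runs on the top-level attachment list only.
    pdf_attachments = [a for a in msg.attachments if a.file_type == "pdf"]
    return any(attachment_has_match(a) for a in pdf_attachments)


# Constructed sample messages (not real telemetry).
HIT = Message(
    inbound=True,
    attachments=[Attachment("invoice.pdf", "pdf", [ExplodedFile([YARA_RULE_NAME])])],
)
CLEAN_PDF = Message(
    inbound=True,
    attachments=[Attachment("report.pdf", "pdf", [ExplodedFile([])])],
)
OUTBOUND = Message(inbound=False, attachments=HIT.attachments)
# A matching object that lives inside a ZIP is never reached, because the
# attachment-level filter drops the ZIP before explode() is consulted.
ZIPPED_PDF = Message(
    inbound=True,
    attachments=[Attachment("docs.zip", "zip", [ExplodedFile([YARA_RULE_NAME])])],
)

if __name__ == "__main__":
    for label, m in [("HIT", HIT), ("CLEAN_PDF", CLEAN_PDF),
                     ("OUTBOUND", OUTBOUND), ("ZIPPED_PDF", ZIPPED_PDF)]:
        print(f"{label}: {rule_matches(m)}")
```

If coverage of archived PDFs is wanted, the place to change is the filter, not the YARA condition; as written, the rule is deliberately scoped to direct PDF attachments.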