Attachment: PDF contains W9 or invoice YARA signatures
PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise.
Sublime rule
name: "Attachment: PDF contains W9 or invoice YARA signatures"
description: "PDF attachment contains YARA signatures commonly associated with fraudulent W9 tax forms or invoice documents, which are frequently used in social engineering attacks to steal sensitive information or facilitate business email compromise."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches, .name in ("w9_pdf_01", "invoice_pdf_01"))
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "YARA"
id: "9a8e8a98-34a6-5cdc-b151-d4eff3322f23"
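The rule above is three nested filters: the message must be inbound, only attachments whose file type is PDF are considered, and each of those PDFs is exploded (the file itself plus any embedded objects) before its YARA match names are compared against the two signature names. The following Python model, added here as an illustration and not part of the Sublime rule or its repository, evaluates that same predicate over constructed message records so the effect of each filter can be checked. The Message, Attachment and ExplodedFile structures and the matches_rule function are assumptions made for this example; they mirror the fields the rule references (type.inbound, attachments[].file_type, file.explode(), scan.yara.matches[].name) but are not Sublime's actual data model or API.

```python
"""Added example (not Sublime's code): a Python model of the rule's MQL
predicate, run over constructed sample messages."""

from dataclasses import dataclass, field
from typing import List

# YARA rule names the detection looks for (taken from the rule itself).
W9_INVOICE_SIGNATURES = {"w9_pdf_01", "invoice_pdf_01"}


@dataclass
class ExplodedFile:
    """One object produced by exploding an attachment: the file itself or a
    nested/embedded file. Carries the YARA match names for that object.
    (Assumed structure standing in for the result of file.explode(.).)"""
    name: str
    yara_matches: List[str] = field(default_factory=list)


@dataclass
class Attachment:
    """Assumed stand-in for an entry in the rule's `attachments` list."""
    file_name: str
    file_type: str                  # e.g. "pdf", "docx"
    exploded: List[ExplodedFile]    # stands in for file.explode(.)


@dataclass
class Message:
    """Assumed stand-in for the message the rule is evaluated against."""
    inbound: bool                   # stands in for type.inbound
    attachments: List[Attachment]


def matching_attachments(msg: Message) -> List[str]:
    """Names of PDF attachments that would fire the rule.

    Mirrors the rule:
      type.inbound
      and any(filter(attachments, .file_type == "pdf"),
              any(file.explode(.),
                  any(.scan.yara.matches, .name in (...))))
    Returning the attachment names (rather than a bare bool) gives the
    context an analyst wants in the alert.
    """
    if not msg.inbound:
        return []
    hits = []
    for att in msg.attachments:
        if att.file_type != "pdf":          # filter(attachments, .file_type == "pdf")
            continue
        for obj in att.exploded:            # any(file.explode(.), ...)
            if W9_INVOICE_SIGNATURES.intersection(obj.yara_matches):
                hits.append(att.file_name)
                break
    return hits


def matches_rule(msg: Message) -> bool:
    """Boolean form of the rule's verdict."""
    return bool(matching_attachments(msg))


# Constructed sample messages (not real mail data).
SAMPLE_W9_PDF = Message(inbound=True, attachments=[
    Attachment("W-9_form.pdf", "pdf", [ExplodedFile("W-9_form.pdf", ["w9_pdf_01"])]),
])
SAMPLE_NESTED_INVOICE = Message(inbound=True, attachments=[
    # Outer PDF has no match; the embedded object does, and explode exposes it.
    Attachment("statement.pdf", "pdf", [
        ExplodedFile("statement.pdf", []),
        ExplodedFile("embedded_invoice.pdf", ["invoice_pdf_01"]),
    ]),
])
SAMPLE_DOCX_INVOICE = Message(inbound=True, attachments=[
    # Same signature, but file_type is not "pdf", so the rule ignores it.
    Attachment("invoice.docx", "docx", [ExplodedFile("invoice.docx", ["invoice_pdf_01"])]),
])
SAMPLE_OUTBOUND = Message(inbound=False, attachments=[
    Attachment("W-9_form.pdf", "pdf", [ExplodedFile("W-9_form.pdf", ["w9_pdf_01"])]),
])
SAMPLE_BENIGN_PDF = Message(inbound=True, attachments=[
    Attachment("brochure.pdf", "pdf", [ExplodedFile("brochure.pdf", ["some_other_yara_rule"])]),
])

if __name__ == "__main__":
    for label, msg in [("w9 pdf", SAMPLE_W9_PDF), ("nested invoice", SAMPLE_NESTED_INVOICE),
                       ("docx invoice", SAMPLE_DOCX_INVOICE), ("outbound", SAMPLE_OUTBOUND),
                       ("benign pdf", SAMPLE_BENIGN_PDF)]:
        print(f"{label:15} -> {matches_rule(msg)} {matching_attachments(msg)}")
```

The nested-invoice sample is the case worth noting: the outer PDF carries no YARA match, but because the rule evaluates file.explode(.) rather than the top-level attachment alone, a signature on an embedded object still triggers it. The docx sample shows the other side of the filter: an identical YARA hit on a non-PDF attachment is out of scope for this rule and would need separate coverage.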