Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
 2description: |
 3    Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
 9  and any(attachments,
10          .file_extension == "pdf"
11          and any(file.explode(.),
12                  any(.scan.pdf.urls,
13                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
14                      and .domain.root_domain not in $tranco_1m
15                  )
16          )
17  )
18  and (
19    not profile.by_sender().solicited
20    or (
21      profile.by_sender().any_messages_malicious_or_spam
22      and not profile.by_sender().any_false_positives
23    )
24  )  
25tags:
26  - "Malfam: Ave Maria"
27attack_types:
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Evasion"
31  - "PDF"
32detection_methods:
33  - "Archive analysis"
34  - "File analysis"
35  - "Sender analysis"
36id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"
to-top