Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

calendar Jan 12, 2026 · Malfam: Ave Maria  ·
Share on: linkedin copy

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
 2description: |
 3    Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).entities,
 9          .name == "request"
10  )
11  and any(attachments,
12          .file_extension == "pdf"
13          and any(file.explode(.),
14                  any(.scan.pdf.urls,
15                      regex.contains(.path,
16                                     '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b'
17                      )
18                      and .domain.root_domain not in $tranco_1m
19                  )
20          )
21  )
22  and (
23    not profile.by_sender().solicited
24    or (
25      profile.by_sender().any_messages_malicious_or_spam
26      and not profile.by_sender().any_messages_benign
27    )
28  )  
29tags:
30  - "Malfam: Ave Maria"
31attack_types:
32  - "Malware/Ransomware"
33tactics_and_techniques:
34  - "Evasion"
35  - "PDF"
36detection_methods:
37  - "Archive analysis"
38  - "File analysis"
39  - "Sender analysis"
40id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"
to-top