Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

Detects inbound messages from unsolicited senders (or senders with a prior malicious/spam verdict and no recorded false positives) whose body contains a request and which carry a PDF attachment with links pointing directly to executable or script file types (e.g. .exe, .vbs, .ps1, .lnk, .iso) hosted on a root domain outside the Tranco top 1M ("low reputation").

Sublime rule

 1name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
 2description: |
 3    Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any([body.plain.raw, body.html.inner_text],
 9          any(ml.nlu_classifier(.).entities, .name == "request")
10  )
11  and any(attachments,
12          .file_extension == "pdf"
13          and any(file.explode(.),
14                  any(.scan.pdf.urls,
15                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
16                      and .domain.root_domain not in $tranco_1m
17                  )
18          )
19  )
20  and (
21    not profile.by_sender().solicited
22    or (
23      profile.by_sender().any_messages_malicious_or_spam
24      and not profile.by_sender().any_false_positives
25    )
26  )  
27tags:
28  - "Malfam: Ave Maria"
29attack_types:
30  - "Malware/Ransomware"
31tactics_and_techniques:
32  - "Evasion"
33  - "PDF"
34detection_methods:
35  - "Archive analysis"
36  - "File analysis"
37  - "Sender analysis"
38id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"