Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)

calendar May 3, 2024 · Malfam: Ave Maria  ·
Share on: linkedin copy

Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.

Sublime rule (View on GitHub)

 1name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
 2description: |
 3    Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and any(ml.nlu_classifier(body.current_thread.text).entities, .name == "request")
 9  and any(attachments,
10          .file_extension == "pdf"
11          and any(file.explode(.),
12                  any(.scan.pdf.urls,
13                      regex.contains(.path, '\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b')
14                      and .domain.root_domain not in $tranco_1m
15                  )
16          )
17  )
18  and (
19    not profile.by_sender().solicited
20    or (
21      profile.by_sender().any_messages_malicious_or_spam
22      and not profile.by_sender().any_false_positives
23    )
24  )  
25tags:
26  - "Malfam: Ave Maria"
27attack_types:
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Evasion"
31  - "PDF"
32detection_methods:
33  - "Archive analysis"
34  - "File analysis"
35  - "Sender analysis"
36id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"
to-top