Attachment: PDF generated with wkhtmltopdf tool and default title
Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes.
Sublime rule
name: "Attachment: PDF generated with wkhtmltopdf tool and default title"
description: "Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(filter(attachments, .file_extension == "pdf"),
          strings.istarts_with(beta.parse_exif(.).producer, "Qt")
          and strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
          and beta.parse_exif(.).title == "Document"
  )

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Malware/Ransomware"
tags:
  - "Attack surface reduction"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "64e6c8a8-b75b-5c43-acb8-765ce05dca36"
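The rule reads three fields from the PDF's Info dictionary (the same metadata an exif tool reports as Producer, Creator and Title) and fires only when all three line up: a Qt producer, a wkhtmltopdf creator, and the literal title "Document" that the rule treats as the converter's default. The following Python is an added example, not Sublime's code and not a reimplementation of `beta.parse_exif`; it extracts those fields from raw PDF bytes with a small regex over literal `(...)` strings and then evaluates the rule's predicate the same way the MQL above does. The three sample PDFs and their metadata values are constructed for the example; the parser assumes literal strings only (no hex `<...>` strings, no UTF-16 titles, no octal escapes), which a production parser must also handle.

```python
import re
from typing import Dict, List

# Matches "/Key (literal string)" entries in the Info dictionary. Backslash escapes
# inside the string are allowed; hex strings "<...>" are deliberately not handled here.
_INFO_KEY_RE = re.compile(rb"/(Title|Creator|Producer)\s*\(((?:\\.|[^\\()])*)\)")


def _unescape(value: bytes) -> str:
    # Collapse the simple PDF escapes \( \) \\ ; octal escapes are out of scope here.
    return re.sub(rb"\\(.)", rb"\1", value).decode("latin-1")


def parse_exif(pdf_bytes: bytes) -> Dict[str, str]:
    """Return the Info-dictionary fields the rule reads: producer, creator, title.

    Stand-in for beta.parse_exif() (assumption, not the real implementation).
    Missing keys come back as "" so the rule's string comparisons never fail on None.
    """
    fields = {"producer": "", "creator": "", "title": ""}
    for key, value in _INFO_KEY_RE.findall(pdf_bytes):
        fields[key.decode("ascii").lower()] = _unescape(value)
    return fields


def attachment_matches(att: Dict[str, object]) -> bool:
    """The rule's per-attachment predicate: pdf extension, Qt producer,
    wkhtmltopdf creator, and the exact default title "Document"."""
    if att["file_extension"] != "pdf":
        return False
    meta = parse_exif(att["data"])
    return (
        meta["producer"].lower().startswith("qt")          # strings.istarts_with
        and "wkhtmltopdf" in meta["creator"].lower()       # strings.icontains
        and meta["title"] == "Document"                    # case-sensitive ==
    )


def message_matches(inbound: bool, attachments: List[Dict[str, object]]) -> bool:
    """Mirror of the rule's top-level expression: type.inbound and any(filter(...))."""
    return inbound and any(attachment_matches(a) for a in attachments)


# Constructed samples (not real attachments). Only the Info dictionary matters here;
# the rest is the minimum structure needed to look like a PDF.
def _minimal_pdf(info_dict: bytes) -> bytes:
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << " + info_dict + b" >> endobj\n"
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    )


# What the rule is looking for: converter left the default title in place.
SAMPLE_WKHTMLTOPDF = _minimal_pdf(
    b"/Title (Document) /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7)"
)
# Same converter, but the HTML carried its own <title>: the rule does not fire.
SAMPLE_RETITLED = _minimal_pdf(
    b"/Title (Quarterly report \\(draft\\)) /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7)"
)
# Different producer entirely: the rule does not fire.
SAMPLE_OTHER_PRODUCER = _minimal_pdf(
    b"/Title (Document) /Creator (Writer) /Producer (LibreOffice 7.6)"
)


if __name__ == "__main__":
    for label, data in [
        ("wkhtmltopdf default title", SAMPLE_WKHTMLTOPDF),
        ("wkhtmltopdf custom title", SAMPLE_RETITLED),
        ("other producer", SAMPLE_OTHER_PRODUCER),
    ]:
        hit = message_matches(True, [{"file_extension": "pdf", "data": data}])
        print(f"{label:28s} exif={parse_exif(data)} match={hit}")
```

Running the block shows why the rule is rated low severity: any wkhtmltopdf output whose HTML carried a `<title>` misses the third condition, and a single metadata edit removes the signal, so the rule is a cheap attack-surface-reduction indicator to combine with sender and content checks rather than a standalone verdict.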