Attachment: PDF with fake invoice using suspicious font sizing

PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes.

Sublime rule

name: "Attachment: PDF with fake invoice using suspicious font sizing"
description: "PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  .name == "pdf_fake_invoice_image_font_sizes"
              )
          )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "YARA"
  - "Content analysis"
id: "d7721177-8a36-56ef-9e1e-8a54c6a0409b"
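The rule above does all of its content inspection by delegating to the YARA rule pdf_fake_invoice_image_font_sizes, whose body is not shown on this page. The following Python script is an added example, not Sublime's code and not that YARA rule: it shows how an analyst could profile the two signals the description names, font sizes set in page content streams and image XObject dimensions, over raw PDF bytes. The regexes, the thresholds (MIN_DISTINCT_SIZES, MIN_FRACTIONAL_SIZES), the reading of "unique image sizes" as "no two images share a size", and the two sample PDFs are all assumptions constructed for the example.

```python
"""Profile a PDF's font sizes and image dimensions for invoice-fraud triage.

Added example: not the Sublime rule and not the pdf_fake_invoice_image_font_sizes
YARA rule (its body is not on the page). Thresholds and the 'unique image
sizes' interpretation are assumptions."""
import re
import zlib
from collections import Counter

# "/Fname size Tf" selects a font size inside a page content stream.
TF_RE = re.compile(rb"/[^\s/\[\]<>()]+\s+(-?\d+(?:\.\d+)?)\s+Tf")
# Image XObject dictionaries; the tempered dot keeps the match inside one << ... >>.
IMAGE_DICT_RE = re.compile(rb"<<(?:(?!>>).)*?/Subtype\s*/Image(?:(?!>>).)*?>>", re.S)
DIM_RE = re.compile(rb"/(Width|Height)\s+(\d+)")
# Stream bodies; the lookbehind stops "endstream" from matching as a new stream.
# CRLF line ends are not handled here; a production scanner would use /Length.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)

# Assumed thresholds, not the YARA rule's; tune them against your own mail corpus.
MIN_DISTINCT_SIZES = 4
MIN_FRACTIONAL_SIZES = 2


def iter_streams(pdf: bytes):
    """Yield decoded stream bodies: FlateDecode is inflated, other filters
    (e.g. DCTDecode JPEG data) are skipped, unfiltered streams pass through.
    The owning dictionary is found by walking back to the 'N G obj' header."""
    for m in STREAM_RE.finditer(pdf):
        obj_start = pdf.rfind(b" obj", 0, m.start())
        stream_dict = pdf[obj_start:m.start()] if obj_start != -1 else b""
        body = m.group(1)
        if b"/FlateDecode" in stream_dict:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt stream: skip it rather than crash the scanner
        elif b"/Filter" in stream_dict:
            continue
        yield body


def font_sizes(pdf: bytes) -> Counter:
    """Count every font size selected with Tf across all decoded streams."""
    sizes: Counter = Counter()
    for body in iter_streams(pdf):
        for m in TF_RE.finditer(body):
            sizes[float(m.group(1).decode())] += 1
    return sizes


def image_dims(pdf: bytes) -> list:
    """Collect (width, height) of every image XObject dictionary in the file."""
    dims = []
    for m in IMAGE_DICT_RE.finditer(pdf):
        d = {k: int(v) for k, v in DIM_RE.findall(m.group(0))}
        if b"Width" in d and b"Height" in d:
            dims.append((d[b"Width"], d[b"Height"]))
    return dims


def assess(pdf: bytes) -> dict:
    """Flag a PDF that mixes many font sizes, several of them fractional (text
    scaled to fit pasted screenshots), and whose images all have one-off sizes."""
    sizes = font_sizes(pdf)
    dims = image_dims(pdf)
    fractional = sorted(s for s in sizes if s != int(s))
    unique_images = len(dims) > 0 and len(dims) == len(set(dims))
    suspicious = (len(sizes) >= MIN_DISTINCT_SIZES
                  and len(fractional) >= MIN_FRACTIONAL_SIZES
                  and unique_images)
    return {"font_sizes": dict(sizes), "fractional_sizes": fractional,
            "image_dims": dims, "suspicious": suspicious}


def build_pdf(text_ops: bytes, images: list, compress: bool) -> bytes:
    """Constructed minimal PDF used as sample input (not a real invoice).
    The xref table is omitted; the scanner above does not need it."""
    body = zlib.compress(text_ops) if compress else text_ops
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n",
            b"4 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n"]
    for n, (w, h) in enumerate(images, start=5):
        objs.append(b"%d 0 obj\n<< /Type /XObject /Subtype /Image /Width %d "
                    b"/Height %d /ColorSpace /DeviceRGB /BitsPerComponent 8 "
                    b"/Filter /DCTDecode /Length 0 >>\nstream\n\nendstream\n"
                    b"endobj\n" % (n, w, h))
    return b"%PDF-1.4\n" + b"".join(objs) + b"%%EOF\n"


# Constructed samples: a plain two-size invoice and a lure with scaled text.
BENIGN_PDF = build_pdf(
    b"BT /F1 12 Tf 72 720 Td (Invoice 1001) Tj ET\n"
    b"BT /F1 10 Tf 72 700 Td (Total due 250.00) Tj ET\n",
    [(200, 60), (200, 60)], compress=False)
SUSPICIOUS_PDF = build_pdf(
    b"BT /F1 10.25 Tf 72 720 Td (INVOICE) Tj ET\n"
    b"BT /F2 47.3 Tf 72 690 Td (PAYMENT DUE) Tj ET\n"
    b"BT /F1 11.75 Tf 72 660 Td (Contact billing support) Tj ET\n"
    b"BT /F3 13.5 Tf 72 640 Td (Amount 499.99) Tj ET\n"
    b"BT /F1 12 Tf 72 620 Td (Thank you) Tj ET\n",
    [(613, 281), (1027, 389)], compress=True)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, assess(doc))
```

Run as a script it prints the profile of both constructed samples; only the second crosses the assumed thresholds. The point of the example is the shape of the signal, a font-size distribution plus an image-dimension list, rather than the exact cut-offs: a real scanner (or the YARA rule Sublime ships) would also need to handle object streams, nested dictionaries and CRLF line endings, and any threshold should be measured against benign invoices from your own environment before it is used to raise a verdict.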