Attachment: Python generated PDF with link

The PDF attachment was created with a Python-based script. The PDF attachment also contains one or more links. These techniques were used by PikaBot, among others.

Sublime rule

```yaml
name: "Attachment: Python generated PDF with link"
description: |
    The PDF attachment was created with a Python-based script. The PDF attachment also contains one or more links. These techniques were used by PikaBot, among others.
references:
  - Internal Research
authors:
  - twitter: "affje0x65"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // and profile.by_sender().prevalence in ("new", "outlier")
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      // libraries that write the raw PDF directly from code
                      strings.ilike(., "*ReportLab*", "*pypdf*", "*pypdf2*", "*pikepdf*", "*PyMuPDF*", "*IronPDF*")
                      // libraries that render an intermediate format (HTML, LaTeX) to PDF
                      or strings.ilike(., "*pdfkit*", "*xhtml2pdf*", "*pdflatex*")
                      // image-to-PDF converters
                      or strings.ilike(., "*img2pdf*", "*sphinxcontrib-svg2pdfconverter*")
                  )
          )
          // the exploded PDF must carry at least one link (length can never be negative,
          // so the comparison has to be "> 0" for the rule to fire at all)
          and any(file.explode(.), length(.scan.url.urls) > 0)
  )
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"

id: "2fec884d-71f4-58ae-82ce-e3ca5bf65109"
```
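As an added illustration (not Sublime's own code and not from the rule's author), the Python below mirrors the rule's matching condition on raw PDF bytes: it scans the file's literal strings for the same generator-library names, the way `strings.ilike` does over `.scan.strings.strings`, and collects `/Link` URI actions as a stand-in for `.scan.url.urls`. The three PDFs are constructed inline for the demonstration; the regexes are a crude approximation of Sublime's file explosion (no nested parentheses, content streams or hex strings), so this shows the logic rather than replacing the platform's analysis.

```python
import re

# Case-insensitive generator-library markers, grouped the way the rule groups them.
PYTHON_PDF_MARKERS = {
    "writes raw PDF from code": ("reportlab", "pypdf", "pypdf2", "pikepdf", "pymupdf", "ironpdf"),
    "renders an intermediate format": ("pdfkit", "xhtml2pdf", "pdflatex"),
    "image to PDF": ("img2pdf", "sphinxcontrib-svg2pdfconverter"),
}

# PDF literal strings "( ... )" hold /Producer and /Creator metadata as well as link
# targets; scanning them is a crude stand-in for the rule's .scan.strings.strings.
# Nested parentheses are not handled, which is fine for the constructed samples below.
_LITERAL_STRING = re.compile(rb"\(((?:\\.|[^\\)])*)\)")
# A /Link annotation's action dictionary: /A << /S /URI /URI (target) >>
_URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def python_generator_markers(pdf_bytes):
    """Return the marker substrings found in any literal string of the PDF (ordered, unique)."""
    found = []
    for match in _LITERAL_STRING.finditer(pdf_bytes):
        text = match.group(1).decode("latin-1").lower()
        for markers in PYTHON_PDF_MARKERS.values():
            for marker in markers:
                if marker in text and marker not in found:
                    found.append(marker)
    return found


def link_targets(pdf_bytes):
    """Return the URI targets of all /Link actions, the analogue of .scan.url.urls."""
    return [m.group(1).decode("latin-1") for m in _URI_ACTION.finditer(pdf_bytes)]


def attachment_matches(filename, content):
    """Mirror the rule: a .pdf attachment, Python-generator strings present, and >= 1 link."""
    if not filename.lower().endswith(".pdf"):
        return False
    return bool(python_generator_markers(content)) and len(link_targets(content)) > 0


def build_pdf(producer, creator, uri=None):
    """Construct a minimal PDF (sample data, not a real-world file) with an optional /Link."""
    annots = b" /Annots [4 0 R]" if uri is not None else b""
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]" + annots + b" >> endobj\n",
    ]
    if uri is not None:
        parts.append(b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
                     b"   /A << /S /URI /URI (" + uri + b") >> >> endobj\n")
    parts.append(b"5 0 obj << /Producer (" + producer + b") /Creator (" + creator + b") >> endobj\n")
    parts.append(b"trailer << /Root 1 0 R /Info 5 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Constructed samples: one that should fire, two that should not.
PDF_REPORTLAB_WITH_LINK = build_pdf(
    b"ReportLab PDF Library - www.reportlab.com", b"PyPDF2",
    uri=b"https://invoice-portal.example/view?id=1")
PDF_REPORTLAB_NO_LINK = build_pdf(b"ReportLab PDF Library - www.reportlab.com", b"ReportLab")
PDF_WORD_WITH_LINK = build_pdf(
    b"Microsoft: Print To PDF", b"Microsoft Word",
    uri=b"https://docs.example/shared/contract")


if __name__ == "__main__":
    for name, pdf in [("reportlab + link", PDF_REPORTLAB_WITH_LINK),
                      ("reportlab, no link", PDF_REPORTLAB_NO_LINK),
                      ("word + link", PDF_WORD_WITH_LINK)]:
        print(name, "->", attachment_matches("invoice.pdf", pdf),
              python_generator_markers(pdf), link_targets(pdf))
```

Running the block prints a match only for the first sample. The `/Producer` and `/Creator` values are author-controlled metadata that can be set to anything, which is why the library-name check is a weak signal on its own and the rule pairs it with the presence of at least one link; the commented-out sender-prevalence clause in the rule is a further way to tighten it when false positives from internal report generators appear.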