Attachment: Suspicious PDF created with headless browser
Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation.
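# Sublime Security detection rule: YAML metadata plus an MQL query in the
# `source` block scalar (backslashes inside the regexes are literal there).
#
# Two branches apply the same PDF heuristics to two delivery paths: a PDF
# attached directly to the message, and a PDF nested inside an attached EML.
# Each branch requires both of:
#   (1) OCR text containing 'TABLE OF CONTEN' plus, possibly on a different
#       page (hence the second file.explode() pass), an optionally numbered
#       "Introduction" heading or the phrase 'marked in red';
#   (2) Exif metadata of a headless HTML-to-PDF conversion: a
#       HeadlessChrome/Chromium creator with a Skia/PDF producer, or a 'QT '
#       producer whose Creator is empty or wkhtmltopdf and whose Title is
#       empty or 'Company HandBook'.
# The two branches are intentionally identical apart from how the PDF is
# reached; when tuning the OCR or Exif checks, change both.
name: "Attachment: Suspicious PDF created with headless browser"
description: "Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation."
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    // directly attached PDF
    any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.), strings.contains(.scan.ocr.raw, 'TABLE OF CONTEN'))
        // the Table of contents can be on another page
        and any(file.explode(.),
                regex.icontains(.scan.ocr.raw,
                                '(?:[\r\n]|^)+(?:\s*1\s*(?:\.|:))?\s*Introduction'
                )
                or strings.icontains(.scan.ocr.raw, 'marked in red')
        )
        and (
          // headless Chromium family: Skia/PDF producer
          (
            (
              strings.icontains(beta.parse_exif(.).creator, 'HeadlessChrome')
              or strings.icontains(beta.parse_exif(.).creator, 'Chromium')
            )
            and strings.icontains(beta.parse_exif(.).producer, 'Skia/PDF')
          )
          // QT-based converters (e.g. wkhtmltopdf) with empty or templated fields
          or (
            any(beta.parse_exif(.).fields,
                .key == "Creator"
                and (.value == "" or strings.istarts_with(.value, 'wkhtmltopdf'))
            )
            and any(beta.parse_exif(.).fields,
                    .key == "Title"
                    and (.value == "" or .value in ('Company HandBook'))
            )
            and strings.istarts_with(beta.parse_exif(.).producer, 'QT ')
          )
        )
    )
    // or within an attached EML
    // (same checks as the direct-attachment branch; keep the two in sync)
    or any(filter(attachments,
                  .content_type == "message/rfc822" or .file_extension == "eml"
           ),
           any(filter(file.parse_eml(.).attachments, .file_type == "pdf"),
               any(file.explode(.),
                   strings.contains(.scan.ocr.raw, 'TABLE OF CONTEN')
               )
               // the Table of contents can be on another page
               and any(file.explode(.),
                       regex.icontains(.scan.ocr.raw,
                                       '(?:[\r\n]|^)+(?:\s*1\s*(?:\.|:))?\s*Introduction'
                       )
                       or strings.icontains(.scan.ocr.raw, 'marked in red')
               )
               and (
                 // headless Chromium family: Skia/PDF producer
                 (
                   (
                     strings.icontains(beta.parse_exif(.).creator,
                                       'HeadlessChrome'
                     )
                     or strings.icontains(beta.parse_exif(.).creator, 'Chromium')
                   )
                   and strings.icontains(beta.parse_exif(.).producer, 'Skia/PDF')
                 )
                 // QT-based converters (e.g. wkhtmltopdf) with empty or templated fields
                 or (
                   any(beta.parse_exif(.).fields,
                       .key == "Creator"
                       and (
                         .value == ""
                         or strings.istarts_with(.value, 'wkhtmltopdf')
                       )
                   )
                   and any(beta.parse_exif(.).fields,
                           .key == "Title"
                           and (.value == "" or .value in ('Company HandBook'))
                   )
                   and strings.istarts_with(beta.parse_exif(.).producer, 'QT ')
                 )
               )
           )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
id: "8f3108d7-e224-5bb0-81f4-e4f8506cfed3"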