Attachment: Suspicious PDF created with headless browser

 1name: "Attachment: Suspicious PDF created with headless browser"
 2description: "Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    // directly attached PDF
 9    any(filter(attachments, .file_type == "pdf"),
10        any(file.explode(.), strings.contains(.scan.ocr.raw, 'TABLE OF CONTEN'))
11        // the Table of contents can be on another page
12        and any(file.explode(.),
13              regex.icontains(.scan.ocr.raw,
14                              '(?:[\r\n]|^)+(?:\s*1\s*(?:\.|:))?\s*Introduction'
15              )
16              or strings.icontains(.scan.ocr.raw,
17                              'marked in red'
18              )
19        )
20        and (
21          (
22            (
23              strings.icontains(beta.parse_exif(.).creator, 'HeadlessChrome')
24              or strings.icontains(beta.parse_exif(.).creator, 'Chromium')
25            )
26            and strings.icontains(beta.parse_exif(.).producer, 'Skia/PDF')
27          )
28          or (
29            any(beta.parse_exif(.).fields,
30                .key == "Creator"
31                and (.value == "" or strings.istarts_with(.value, 'wkhtmltopdf'))
32            )
33            and any(beta.parse_exif(.).fields,
34                    .key == "Title"
35                    and (.value == "" or .value in ('Company HandBook'))
36            )
37            and strings.istarts_with(beta.parse_exif(.).producer, 'QT ')
38          )
39        )
40    )
41    // or within an attached EML
42    or any(filter(attachments,
43                  .content_type == "message/rfc822" or .file_extension == "eml"
44           ),
45           any(filter(file.parse_eml(.).attachments, .file_type == "pdf"),
46               any(file.explode(.),
47                   strings.contains(.scan.ocr.raw, 'TABLE OF CONTEN')
48               )
49               // the Table of contents can be on another page
50               and any(file.explode(.),
51                       regex.icontains(.scan.ocr.raw,
52                                       '(?:[\r\n]|^)+1\s*(\.|:)\s*Introduction'
53                       )
54               )
55               and (
56                 (
57                   (
58                     strings.icontains(beta.parse_exif(.).creator,
59                                       'HeadlessChrome'
60                     )
61                     or strings.icontains(beta.parse_exif(.).creator, 'Chromium')
62                   )
63                   and strings.icontains(beta.parse_exif(.).producer, 'Skia/PDF')
64                 )
65                 or (
66                   any(beta.parse_exif(.).fields,
67                       .key == "Creator"
68                       and (
69                         .value == ""
70                         or strings.istarts_with(.value, 'wkhtmltopdf')
71                       )
72                   )
73                   and any(beta.parse_exif(.).fields,
74                           .key == "Title"
75                           and (.value == "" or .value in ('Company HandBook'))
76                   )
77                   and strings.istarts_with(beta.parse_exif(.).producer, 'QT ')
78                 )
79               )
80           )
81    )
82  )  
83attack_types:
84  - "Credential Phishing"
85tactics_and_techniques:
86  - "Evasion"
87  - "PDF"
88detection_methods:
89  - "Content analysis"
90  - "Exif analysis"
91  - "File analysis"
92  - "Optical Character Recognition"
93id: "8f3108d7-e224-5bb0-81f4-e4f8506cfed3"