Attachment: Suspicious PDF Created With Headless Browser

Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation.


# Sublime Security detection rule.
# Matches inbound PDF attachments that look like a multi-page "report"
# (OCR text shows a table of contents and a numbered "Introduction" heading)
# AND whose PDF metadata matches one of two generator profiles the rule
# associates with automated document creation. The metadata comes from the
# attachment itself, so the OCR text checks are what anchor the rule; the
# generator checks only narrow it.
name: "Attachment: Suspicious PDF Created With Headless Browser"
description: "Detects PDF documents containing a table of contents that were generated using HeadlessChrome, Chromium with Skia/PDF, or QT with empty metadata fields - common characteristics of automated malicious document creation."
type: "rule"
severity: "high"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // Evaluate each PDF attachment; inside the filter `.` is the attachment.
  and any(filter(attachments, .file_type == "pdf"),
          // OCR text of the exploded file must contain this exact string.
          // strings.contains (no `i` prefix) is case-sensitive, unlike the
          // regex.icontains check below — presumably intentional; confirm.
          any(file.explode(.),
              strings.contains(.scan.ocr.raw, 'TABLE OF CONTENTS')
          )
          // the actual Table of Contents can be on another page, so the
          // numbered heading is searched in a separate explode() pass.
          // Requires "1. Introduction" or "1: Introduction" at the start of a
          // line (case-insensitive, optional whitespace around the separator).
          and any(file.explode(.),
                  regex.icontains(.scan.ocr.raw, '(?:[\r\n]|^)+1\s*(\.|:)\s*Introduction')
          )
          // Generator profile, read from the PDF's EXIF-style metadata.
          // These values are written by whatever produced the file and are
          // easy to change, so they are a weak signal on their own.
          and (
            // (a) Chrome/Chromium creator rendered through Skia/PDF
            //     (the producer Chrome's headless PDF export reports).
            (
              (
                strings.icontains(beta.parse_exif(.).creator, 'HeadlessChrome')
                or strings.icontains(beta.parse_exif(.).creator, 'Chromium')
              )
              and strings.icontains(beta.parse_exif(.).producer, 'Skia/PDF')
            )
            // (b) QT producer where the Creator and Title fields are present
            //     but empty.
            or (
              any(beta.parse_exif(.).fields, .key == "Creator" and .value == "")
              and any(beta.parse_exif(.).fields, .key == "Title" and .value == "")
              and strings.istarts_with(beta.parse_exif(.).producer, 'QT ')
            )
          )
  )  

# Classification metadata used by the Sublime rule catalog.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
id: "8f3108d7-e224-5bb0-81f4-e4f8506cfed3"