Spam: Unsolicited malformed PDF
This rule is designed to identify spam messages that carry a single malformed PDF attachment and whose links often lead to romance-scam, pornographic, or dating websites. These emails typically contain very short body text and intentionally distorted PDFs to avoid detection.
Sublime rule
name: "Spam: Unsolicited malformed PDF"
description: "This rule is designed to identify spam messages featuring a single malformed PDF attachment often leading to romance scam, pornographic, or dating websites. These emails typically contain short body text and intentionally distorted PDFs to avoid detection."
type: "rule"
severity: "low"
source: |
  type.inbound
  // body text is very short
  and length(body.current_thread.text) < 50

  // one attachment
  and length(attachments) == 1

  // attachment is named a pdf, but mime type doesn't match with high entropy
  // NOTE(review): nothing here shows strings.ends_with to be case-insensitive,
  // so a file name ending in ".PDF" would presumably not match — confirm
  // whether a case-insensitive comparison is intended.
  and any(attachments,
          .file_type == "unknown"
          and strings.ends_with(.file_name, "pdf")
          // the exploded file is sniffed as one of two generic/non-PDF types
          // (presumably what a sniffer assigns to a mangled PDF) and its
          // entropy score is >= 6 (presumably Shannon entropy, max 8 —
          // confirm the scale), i.e. the content looks obfuscated or random
          and any(file.explode(.),
                  .flavors.mime in (
                    "application/octet-stream",
                    "application/marc"
                  )
                  and .scan.entropy.entropy >= 6
          )
  )
  // a free email address was hyperlinked
  // (a body link with no display text whose URL is in the
  //  $free_email_providers list; list contents are not shown here —
  //  presumably how the recipient is asked to reply)
  and any(body.links,
          .display_text is null and .href_url.url in $free_email_providers
  )

  // multiple freemail senders found in recipients.to
  // (three or more To: recipients whose root domain is a free email
  //  provider — a bulk-send signal)
  and length(filter(recipients.to,
                    .email.domain.root_domain in $free_email_providers
             )
  ) >= 3

  // unsolicited and no false positives or previously flagged
  // sender is new/rare to this org, or has prior spam/malicious history
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // redundant with the unconditional any_false_positives check below,
      // which already applies to both branches of this `or`
      and not profile.by_sender().any_false_positives
    )
  )
  // never fire for a sender with a recorded false positive
  and not profile.by_sender().any_false_positives


# Classification metadata for triage and search; not part of the detection logic.
attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "f0c50031-8782-5f0a-aee0-68284651df63"