Spam: Unsolicited malformed PDF

This rule identifies spam messages carrying a single malformed PDF attachment that typically leads to romance-scam, pornographic, or dating websites. These emails usually contain very short body text and intentionally distorted PDFs (the file is named as a PDF but is not recognized as one) to evade signature-based detection.


 1name: "Spam: Unsolicited malformed PDF"
 2description: "This rule is designed to identify spam messages featuring a single malformed PDF attachment often leading to romance scam, pornographic, or dating websites. These emails typically contain short body text and intentionally distorted PDFs to avoid detection."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // body text is very short
 8  and length(body.current_thread.text) < 50
 9  
10  // one attachment
11  and length(attachments) == 1
12  
13  // attachment is named a pdf, but mime type doesn't match with high entropy
14  and any(attachments,
15          .file_type == "unknown"
16          and strings.ends_with(.file_name, "pdf")
17          and any(file.explode(.),
18                  .flavors.mime in (
19                    "application/octet-stream",
20                    "application/marc"
21                  )
22                  and .scan.entropy.entropy >= 6
23          )
24  )
25  // a free email address was hyperlinked 
26  and any(body.links,
27          .display_text is null and .href_url.url in $free_email_providers
28  )
29  
30  // multiple freemail senders found in recipients.to
31  and length(filter(recipients.to,
32                    .email.domain.root_domain in $free_email_providers
33             )
34  ) >= 3
35  
36  // unsolicited and no false positives or previously flagged
37  and (
38    profile.by_sender().prevalence in ("new", "outlier")
39    or (
40      profile.by_sender().any_messages_malicious_or_spam
41      and not profile.by_sender().any_false_positives
42    )
43  )
44  and not profile.by_sender().any_false_positives
45    
46
47attack_types:
48  - "Spam"
49tactics_and_techniques:
50  - "Evasion"
51  - "Free email provider"
52  - "PDF"
53detection_methods:
54  - "Content analysis"
55  - "File analysis"
56  - "Sender analysis"
57id: "f0c50031-8782-5f0a-aee0-68284651df63"