Suspicious Attachment: Duplicate decoy PDF files
This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks.
Sublime rule
name: "Suspicious Attachment: Duplicate decoy PDF files"
description: "This rule identifies messages that contain duplicate PDF attachments, defined as either having identical filenames or matching MD5 hash values. Furthermore, the PDF files in question must lack any readable text and must not include hyperlinks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) > 1
  and all(attachments, .file_type == "pdf")
  and (
    length(distinct(attachments, .file_name)) == 1
    or length(distinct(attachments, .md5)) == 1
  )
  and all(attachments,
          .file_type == "pdf"
          and any(file.explode(.),
                  .depth == 0
                  and (
                    length(.scan.url.urls) > 0
                    or length(.scan.pdf.urls) > 0
                    or length(body.links) > 0
                  )
                  and .scan.ocr.raw is null
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "Optical Character Recognition"
id: "79b9b2e7-295f-59d2-97fb-4f5fe13bc869"
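The same detection logic as an added Python example (not the page's or Sublime's own code), run over constructed attachment metadata; the Attachment and Message classes and their field names are assumptions standing in for the MQL paths the rule's source block queries.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Field names are assumptions mirroring the rule's MQL paths, not Sublime's data model.
@dataclass
class Attachment:
    file_name: str
    file_type: str
    content: bytes                                       # hashed for .md5
    pdf_urls: List[str] = field(default_factory=list)   # .scan.pdf.urls
    scan_urls: List[str] = field(default_factory=list)  # .scan.url.urls
    ocr_raw: Optional[str] = None                        # .scan.ocr.raw

@dataclass
class Message:
    inbound: bool
    attachments: List[Attachment]
    body_links: List[str] = field(default_factory=list)  # body.links

def is_duplicate_decoy_pdf(msg: Message) -> bool:
    """Mirrors the source block: inbound, >1 attachment, all PDFs, duplicate by name or MD5, links present, no OCR text."""
    atts = msg.attachments
    if not msg.inbound or len(atts) <= 1:
        return False
    if not all(a.file_type == "pdf" for a in atts):
        return False
    same_name = len({a.file_name for a in atts}) == 1
    same_md5 = len({hashlib.md5(a.content).hexdigest() for a in atts}) == 1
    if not (same_name or same_md5):
        return False
    for a in atts:
        has_links = bool(a.scan_urls or a.pdf_urls or msg.body_links)
        if not has_links or a.ocr_raw is not None:
            return False
    return True

# Constructed samples (not real files): two byte-identical image-only PDFs
# under different names, each carrying a link and no OCR-recoverable text.
DECOY = b"%PDF-1.4 constructed image-only page"
LINK = ["http://example.invalid/login"]
SAMPLE_HIT = Message(True, [
    Attachment("invoice.pdf", "pdf", DECOY, pdf_urls=LINK),
    Attachment("invoice (1).pdf", "pdf", DECOY, pdf_urls=LINK),
])
# Same shape, but OCR recovered readable text, so the rule should not fire.
SAMPLE_MISS = Message(True, [
    Attachment("report.pdf", "pdf", b"%PDF-1.4 text page", pdf_urls=LINK, ocr_raw="Q3 report"),
    Attachment("report.pdf", "pdf", b"%PDF-1.4 text page", pdf_urls=LINK, ocr_raw="Q3 report"),
])
```

The example follows the source block literally, which requires at least one link (`length(...) > 0`) on each PDF; check that against the prose description when tuning the rule.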