sublimehighRule

Attachment: PDF with JSFck obfuscation

PDF attachment contains JavaScript obfuscated using JSFck encoding techniques. JSFck is a method of writing JavaScript code using only six characters: []()!+ which is often used to evade detection by security tools.

MITRE ATT&CK

T1566.001 T1204.002 T1486 T1036 T1027

defense-evasion

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            .depth == 0
            and any(.scan.yara.matches,
                    .name in ("pdf_jsfck_strings", "pdf_jsfck_ratio")
            )
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Attachment: PDF with JSFck obfuscation"
description: "PDF attachment contains JavaScript obfuscated using JSFck encoding techniques. JSFck is a method of writing JavaScript code using only six characters: []()!+ which is often used to evade detection by security tools."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              .depth == 0
              and any(.scan.yara.matches,
                      .name in ("pdf_jsfck_strings", "pdf_jsfck_ratio")
              )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "YARA"
id: "25af625c-2e3c-5bf9-ae33-8061df95f607"