Platform: sublime · Severity: high · Type: Rule
Attachment: PDF with a suspicious string and single URL
Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks.
Detection Query
type.inbound
and any(attachments,
  .file_type == "pdf"
  // a single page pdf
  and beta.parse_exif(.).page_count == 1
  and any(filter(file.explode(.), .depth == 1),
    // the pdf contains specific suspicious wording
    // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
    any(.scan.strings.strings,
      regex.icontains(.,
        // action!
        '^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message)\s*$',
        // "secure fax"
        'View Secure Fax',
        // more fake errors
        'It seems there was an issue opening the document. Please view it online.',
        // fake adobe update
        'Update Adobe Viewer',
        // fake sharepoint wording
        'Learn more about messages protected by Microsoft',
        // fake encryption crap
        'This document is protected by 256-bit encryption.',
        // sent you a document
        '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
        '^You received a \S+ to review and sign$',
        // docusign
        '\s*DocuSign Contract Under Review\s*',
        'DOCUMENT PREVIEW',
        'PREVIEW DOCUMENT'
      )
    )
    // fake error messages
    or (
      'Error' in~ .scan.strings.strings
      and any(.scan.strings.strings,
        regex.icontains(., '^\s*(?:View Video)\s*$')
      )
    )
    // really terse PDF with link
    or (
      length(.scan.strings.strings) == 1
      and 'Some additional information here' in~ .scan.strings.strings
    )
  )
  and any(file.explode(.), .depth == 0 and length(.scan.url.urls) == 1)
)
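To see how the three OR-ed wording branches, the page-count check and the single-URL check combine, the rule's logic is re-implemented below in Python and run over constructed samples. This is an added example, not Sublime's engine or the rule author's code: the `Exploded` records stand in for `file.explode(.)` output (depth 0 carrying the attachment's extracted URLs, depth 1 the scanPDF text strings, as the rule assumes), `regex.icontains` is modelled as a case-insensitive `re.search`, and `in~` is modelled as case-insensitive list membership. The sample strings and URLs are invented for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Whole-line alternation copied from the rule's first branch. regex.icontains with a
# pattern anchored by ^ and $ behaves as a case-insensitive whole-line match, so
# re.search with IGNORECASE reproduces it (assumption about Sublime's regex semantics).
ACTION_LINE_RE = re.compile(
    r"^\s*(?:view documents?|view pdf|view presentation|preview new docusign|"
    r"Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|"
    r"OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|"
    r"VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|"
    r"Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|"
    r"ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|"
    r"Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|"
    r"Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|"
    r"OPEN DOCUMENT HERE|Click to read message)\s*$",
    re.IGNORECASE,
)

# Remaining patterns of the same branch, kept exactly as the rule writes them: the
# unanchored ones match anywhere in a line, and an unescaped "." is a regex wildcard.
OTHER_RES = [re.compile(p, re.IGNORECASE) for p in (
    r"View Secure Fax",
    r"It seems there was an issue opening the document. Please view it online.",
    r"Update Adobe Viewer",
    r"Learn more about messages protected by Microsoft",
    r"This document is protected by 256-bit encryption.",
    r".*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$",
    r"^You received a \S+ to review and sign$",
    r"\s*DocuSign Contract Under Review\s*",
    r"DOCUMENT PREVIEW",
    r"PREVIEW DOCUMENT",
)]
VIEW_VIDEO_RE = re.compile(r"^\s*(?:View Video)\s*$", re.IGNORECASE)


@dataclass
class Exploded:
    """One item of file.explode(.) (modelled): depth 0 = the PDF itself, depth 1 = its text."""
    depth: int
    strings: list = field(default_factory=list)  # .scan.strings.strings
    urls: list = field(default_factory=list)     # .scan.url.urls


@dataclass
class Attachment:
    file_type: str
    page_count: int          # what beta.parse_exif(.).page_count would report
    exploded: list


def wording_is_suspicious(strings):
    """The three OR-ed wording branches, applied to one depth-1 exploded item."""
    if any(ACTION_LINE_RE.search(s) or any(r.search(s) for r in OTHER_RES) for s in strings):
        return True
    # "fake error messages": `in~` modelled as case-insensitive membership, plus a
    # line that is nothing but "View Video"
    if any(s.lower() == "error" for s in strings) and any(VIEW_VIDEO_RE.search(s) for s in strings):
        return True
    # "really terse PDF with link": exactly one extracted string
    return len(strings) == 1 and strings[0].lower() == "some additional information here"


def rule_matches(att):
    """Mirror of the rule: PDF, single page, suspicious text at depth 1, one URL at depth 0."""
    if att.file_type != "pdf" or att.page_count != 1:
        return False
    wording = any(wording_is_suspicious(e.strings) for e in att.exploded if e.depth == 1)
    single_url = any(e.depth == 0 and len(e.urls) == 1 for e in att.exploded)
    return wording and single_url


def pdf(page_count, strings, urls, file_type="pdf"):
    """Build a constructed attachment with the depth layout the rule relies on."""
    return Attachment(file_type, page_count, [Exploded(0, [], urls), Exploded(1, strings, [])])


# Constructed samples, not real telemetry. Domains are placeholders.
SAMPLES = {
    "lure_review_document": pdf(1, ["ACME Corp", "Review Document "], ["https://lure.example/login"]),
    "lure_fake_error": pdf(1, ["Error", "View Video"], ["https://lure.example/v"]),
    "lure_terse": pdf(1, ["Some additional information here"], ["https://lure.example/d"]),
    "benign_invoice": pdf(1, ["Invoice #1042", "Please review document details below", "Total: $120"],
                          ["https://vendor.example/pay"]),
    "multi_page_lure_text": pdf(3, ["Open Document"], ["https://lure.example/x"]),
    "two_urls": pdf(1, ["View PDF"], ["https://a.example", "https://b.example"]),
}


def evaluate(samples=SAMPLES):
    """Return {sample name: whether the rule would fire}."""
    return {name: rule_matches(att) for name, att in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'MATCH' if hit else 'no match'}")
```

The `benign_invoice` sample is the instructive one: it contains the words "review document", but because the first branch's alternation is anchored with `^\s*...\s*$`, only a line consisting solely of a lure phrase fires, which is why the rule comments call these "exact matches when split on new lines". The `two_urls` and `multi_page_lure_text` samples show the two structural guards that keep the rule from firing on ordinary documents that happen to contain a call-to-action line.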
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: PDF with a suspicious string and single URL"
description: "Detects single-page PDF attachments containing suspicious language such as 'View Document' or 'View PDF' along with exactly one URL, commonly used in credential theft attacks."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
    .file_type == "pdf"
    // a single page pdf
    and beta.parse_exif(.).page_count == 1
    and any(filter(file.explode(.), .depth == 1),
      // the pdf contains specific suspicious wording
      // these are exact matches when split on new lines extracted from the text of the PDF from the scanPDF scanner
      any(.scan.strings.strings,
        regex.icontains(.,
          // action!
          '^\s*(?:view documents?|view pdf|view presentation|preview new docusign|Download Secure PDF|VIEW DOCUMENT HERE|ACCESS DOCUMENT|REVIEW NEW SECURE DOCUMENT|OPEN SECURE VIEWER|DOWNLOAD RFP DOCUMENT|View Dashboard here|ACCESS SECURE DOCUMENTS|VIEW PROPOSAL DOCUMENTS|ACCESS / VIEW PROPOSAL DOCUMENT|Review & Sign Document|Open PDF|Access Document\(s\)|(?:P?RE)?VIEW SHARED DOCUMENT|New Secured Document|ACCESS SECURE RFP PORTAL|Please Review and Sign|Review and Validate|SECURE DOCUMENT|Open Document|View Details|Q!_Compensation/Salary Amendments\.pptx|PREVIEW DOCUMENT HERE|Download Tax Details Below:|Review and Sign Document|Review Document|Open Encrypted|OPEN DOCUMENT HERE|Click to read message)\s*$',
          // "secure fax"
          'View Secure Fax',
          // more fake errors
          'It seems there was an issue opening the document. Please view it online.',
          // fake adobe update
          'Update Adobe Viewer',
          // fake sharepoint wording
          'Learn more about messages protected by Microsoft',
          // fake encryption crap
          'This document is protected by 256-bit encryption.',
          // sent you a document
          '.*sent you a \S+ to review(?:\s*(?:and|&)\s*sign)$',
          '^You received a \S+ to review and sign$',
          // docusign
          '\s*DocuSign Contract Under Review\s*',
          'DOCUMENT PREVIEW',
          'PREVIEW DOCUMENT'
        )
      )
      // fake error messages
      or (
        'Error' in~ .scan.strings.strings
        and any(.scan.strings.strings,
          regex.icontains(., '^\s*(?:View Video)\s*$')
        )
      )
      // really terse PDF with link
      or (
        length(.scan.strings.strings) == 1
        and 'Some additional information here' in~ .scan.strings.strings
      )
    )
    and any(file.explode(.), .depth == 0 and length(.scan.url.urls) == 1)
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "URL analysis"
  - "Exif analysis"
id: "3bdbb7ad-ca08-546a-ac20-309bef95779a"