← Back to Explore
sublimemediumRule
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)
Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
Detection Query
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
regex.contains(.path,
'\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b'
)
and .domain.root_domain not in $tranco_1m
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Tags
Malfam: Ave Maria
Raw Content
name: "Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited)"
description: |
Detects messages with PDF attachments linking directly to suspicious filetypes on hosts with low reputation from unsolicited senders.
type: "rule"
severity: "medium"
source: |
type.inbound
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "request"
)
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.),
any(.scan.pdf.urls,
regex.contains(.path,
'\.(?:exe|cab|vbs|ps1|rar|iso|dll|one|lnk|sh)\b'
)
and .domain.root_domain not in $tranco_1m
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
tags:
- "Malfam: Ave Maria"
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
- "PDF"
detection_methods:
- "Archive analysis"
- "File analysis"
- "Sender analysis"
id: "6144f880-a4f0-5776-b7cc-2f89d3bb5000"