sublimelowRule

Attachment: PDF generated with wkhtmltopdf tool and default title

Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes.

MITRE ATT&CK

T1566.002 T1534 T1656 T1566.003 T1598 T1566 T1566.001 T1204.002 T1486 T1036 T1027

defense-evasion

Detection Query

type.inbound
and any(filter(attachments, .file_extension == "pdf"),
        strings.istarts_with(beta.parse_exif(.).producer, "Qt")
        and strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
        and beta.parse_exif(.).title == "Document"
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Tags

Attack surface reduction

Raw Content

name: "Attachment: PDF generated with wkhtmltopdf tool and default title"
description: "Detects PDF attachments that were generated using the wkhtmltopdf conversion tool, which converts HTML/CSS to PDF. This tool is commonly used by attackers to create legitimate-looking PDF documents from web content for social engineering purposes."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(filter(attachments, .file_extension == "pdf"),
          strings.istarts_with(beta.parse_exif(.).producer, "Qt")
          and strings.icontains(beta.parse_exif(.).creator, "wkhtmltopdf")
          and beta.parse_exif(.).title == "Document"
  )

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
  - "Credential Phishing"
  - "Malware/Ransomware"
tags:
 - "Attack surface reduction"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "64e6c8a8-b75b-5c43-acb8-765ce05dca36"