Sublime rule, severity: low

Attachment: PDF with ReportLab library and default metadata

Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(attachments,
        beta.parse_exif(.).producer == "ReportLab PDF Library - (opensource)"
        and beta.parse_exif(.).title == "untitled"
        and beta.parse_exif(.).creator == "anonymous"
        and any(beta.parse_exif(.).fields,
                .key == "Subject" and .value == "unspecified"
        )
        and beta.parse_exif(.).author == "anonymous"
) 
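As an added illustration (not the rule's own code and not Sublime's `beta.parse_exif`), the following Python reads the same five document-info fields straight out of PDF bytes and applies the rule's AND logic over a constructed fixture. It assumes an unencrypted PDF whose Info entries are literal strings; note that the Producer value itself contains nested parentheses, which a naive "up to the first `)`" regex would truncate.

```python
import re

# ReportLab's default document-info values when the generating script sets
# none; the five strings are copied from the rule's conditions above.
REPORTLAB_DEFAULTS = {
    "Producer": "ReportLab PDF Library - (opensource)",
    "Title": "untitled",
    "Creator": "anonymous",
    "Author": "anonymous",
    "Subject": "unspecified",
}
_KEY_RE = re.compile(rb"/(Producer|Title|Creator|Author|Subject)\s*\(")


def _read_literal(data: bytes, start: int) -> str:
    """Parse the PDF literal string whose '(' is at data[start]. PDF strings may
    contain balanced unescaped parentheses (the Producer value above does), so a
    naive regex up to the first ')' would truncate it; escapes are simplified."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # keep the escaped byte as-is
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1")
        elif c == b"(":
            depth += 1
        if not (c == b"(" and depth == 1):  # drop only the outermost '('
            out += c
        i += 1
    raise ValueError("unterminated PDF literal string")


def pdf_info(data: bytes) -> dict:
    """Info-dictionary fields the rule inspects (unencrypted, literal strings only)."""
    return {m.group(1).decode(): _read_literal(data, m.end() - 1)
            for m in _KEY_RE.finditer(data)}


def is_default_reportlab(data: bytes) -> bool:
    """True only when all five fields match, exactly as the rule ANDs them."""
    info = pdf_info(data)
    return all(info.get(k) == v for k, v in REPORTLAB_DEFAULTS.items())


def make_pdf(info: dict) -> bytes:
    """Constructed minimal PDF carrying an Info dictionary; a fixture, not a real sample."""
    body = "".join(f"/{k} ({v})" for k, v in info.items()).encode("latin-1")
    return b"%PDF-1.4\n1 0 obj<<" + body + b">>endobj\ntrailer<</Info 1 0 R>>\n%%EOF\n"
```

A document that sets any one of the five fields (for example a real title) no longer matches, which is why the rule only fires on completely untouched ReportLab defaults.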

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Attachment: PDF with ReportLab library and default metadata"
description: "Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities."
type: "rule"
severity: "low"
source: |
  type.inbound
  and any(attachments,
          beta.parse_exif(.).producer == "ReportLab PDF Library - (opensource)"
          and beta.parse_exif(.).title == "untitled"
          and beta.parse_exif(.).creator == "anonymous"
          and any(beta.parse_exif(.).fields,
                  .key == "Subject" and .value == "unspecified"
          )
          and beta.parse_exif(.).author == "anonymous"
  ) 
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "7094bfdd-6a6c-50fa-9d00-ac00609d4312"