Sublime detection rule (severity: medium)

Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification

Detects inbound messages carrying a PDF attachment in which any exploded object has the object hash 63bf167b66091a4bc53e8944a76f6b08, an indicator associated with the encrypted PDFs used in fake payment notification lures.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            .scan.pdf_obj_hash.object_hash == "63bf167b66091a4bc53e8944a76f6b08"
        )
)
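The query above does two things per message: it keeps only attachments whose file type is PDF, then explodes each one and compares every object's hash against a single known value. As an added example (not Sublime's code, and the page does not say how `pdf_obj_hash.object_hash` is derived), the Python script below reproduces that triage logic locally: it splits a PDF into its top-level objects, hashes each object body (MD5 over the raw bytes, an assumption made only for illustration), checks the trailer for the `/Encrypt` entry that marks a password-protected PDF, and reports objects whose hash is on a watchlist. The sample PDF, the `example.invalid` URL in it and the `match_attachments` helper are constructed for this example.

```python
"""Local reproduction of the rule's logic for triage.

Added example, not Sublime's code: the page does not say how
pdf_obj_hash.object_hash is computed, so the hash here is the MD5 of each
raw top-level object body (an assumption). The sample PDF is constructed.
"""
import hashlib
import re
from typing import Iterable, List, Set, Tuple

# Hash taken from the rule above; any further entries are up to the analyst.
WATCHLIST: Set[str] = {"63bf167b66091a4bc53e8944a76f6b08"}

# "N G obj ... endobj" at the top level of the file body. Good enough for
# triage; a real parser would walk the xref table instead of scanning.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Classic "trailer << ... >> startxref" dictionary. Files that use
# cross-reference streams (PDF 1.5+) keep /Encrypt in the xref stream
# dictionary instead and are not covered by this check.
TRAILER_RE = re.compile(rb"trailer\s*(<<.*?>>)\s*startxref", re.DOTALL)


def explode_pdf(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (object number, generation, body bytes) for each object found."""
    return [
        (int(m.group(1)), int(m.group(2)), m.group(3).strip())
        for m in OBJ_RE.finditer(data)
    ]


def object_hash(body: bytes) -> str:
    """Assumed hashing scheme: MD5 over the raw object body."""
    return hashlib.md5(body).hexdigest()


def is_encrypted(data: bytes) -> bool:
    """True when the trailer dictionary carries an /Encrypt entry.

    The standard security handler encrypts only strings and streams; object
    dictionaries, names and numbers stay in cleartext, so structural hashes
    like the one the rule keys on still work against encrypted PDFs.
    """
    m = TRAILER_RE.search(data)
    return m is not None and b"/Encrypt" in m.group(1)


def match_attachments(
    attachments: Iterable[Tuple[str, bytes]],
    watchlist: Set[str] = WATCHLIST,
) -> List[Tuple[str, int, str]]:
    """Mirror the rule: explode every PDF attachment and report each object
    whose hash is on the watchlist as (filename, object number, hash)."""
    hits = []
    for name, data in attachments:
        if not data.startswith(b"%PDF"):  # stands in for .file_type == "pdf"
            continue
        for num, _gen, body in explode_pdf(data):  # any(file.explode(.), ...)
            digest = object_hash(body)
            if digest in watchlist:
                hits.append((name, num, digest))
    return hits


# Constructed sample: a five-object PDF with an /OpenAction URI and an
# /Encrypt entry in the trailer. /O and /U are shortened placeholders and the
# xref table is omitted because the scanner above does not need it.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /S /URI /URI (https://example.invalid/payment-notice) >>\nendobj\n"
    b"5 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -1 /O <00> /U <00> >>\nendobj\n"
    b"trailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\nstartxref\n0\n%%EOF\n"
)


if __name__ == "__main__":
    for num, gen, body in explode_pdf(SAMPLE_PDF):
        print(f"{num} {gen} obj  {object_hash(body)}  {body[:40]!r}")
    print("encrypted:", is_encrypted(SAMPLE_PDF))
    print("hits:", match_attachments([("payment_notice.pdf", SAMPLE_PDF)]))
```

Two caveats carry over to the production rule. First, a single object hash is a brittle indicator: changing one byte of the object the hash was taken from produces a new hash, so pair this kind of rule with behavioural checks (encrypted PDF, payment-themed subject, first-time sender) rather than relying on it alone. Second, encryption does not hide the structure the hash is computed over, since only string and stream contents are encrypted; that is what makes object-structure hashing usable here even when the page text itself is unreadable to the scanner.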

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email
Raw Content
name: "Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification"
description: "Detects inbound messages carrying a PDF attachment in which any exploded object has the object hash 63bf167b66091a4bc53e8944a76f6b08, an indicator associated with the encrypted PDFs used in fake payment notification lures."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              .scan.pdf_obj_hash.object_hash == "63bf167b66091a4bc53e8944a76f6b08"
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Threat intelligence"
id: "a8a19bae-db78-5d93-b333-41607b82c256"