← Back to Explore
sublimehighRule
Attachment: Soda PDF producer with encryption themes
Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs which OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page.
Detection Query
type.inbound
and any(attachments,
.file_extension == "pdf"
// observed producer
and any(file.explode(.), .scan.exiftool.producer == "Soda PDF")
and any(file.explode(.),
// OCR contains "encryption" themes
(
strings.icontains(.scan.ocr.raw, "has been encrypted")
or strings.icontains(.scan.ocr.raw, "encrypted pdf file")
or strings.icontains(.scan.ocr.raw, "is secured by")
)
// mentions a PDF
and strings.contains(.scan.ocr.raw, "PDF")
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Soda PDF producer with encryption themes"
description: "Detects an observed TTP of using Soda PDF (which offers a free trial) to produce PDFs which OCR output contains references to encryption and mentions a PDF. The PDF contains a single link which has been observed linking to a credential phishing page."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_extension == "pdf"
// observed producer
and any(file.explode(.), .scan.exiftool.producer == "Soda PDF")
and any(file.explode(.),
// OCR contains "encryption" themes
(
strings.icontains(.scan.ocr.raw, "has been encrypted")
or strings.icontains(.scan.ocr.raw, "encrypted pdf file")
or strings.icontains(.scan.ocr.raw, "is secured by")
)
// mentions a PDF
and strings.contains(.scan.ocr.raw, "PDF")
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "PDF"
- "Social engineering"
detection_methods:
- "File analysis"
- "Optical Character Recognition"
id: "af8eeca4-825a-5118-bba0-ab62425a5fcb"