Sublime rule (severity: medium)
Attachment: PDF with split QR code
Detects PDF attachments containing split QR codes positioned close together, a technique used to evade detection while maintaining QR code functionality for credential theft.
Detection Query
type.inbound
and any(filter(attachments, .file_type == "pdf"),
        any(file.explode(.),
            any(.scan.yara.matches,
                // yara rules match on "split" QR codes that are 290x290, 300x300, 370x370 and placed close to each other in the PDF
                strings.istarts_with(.name, 'Phishing_PDF_Split_QR_Code_Pair')
            )
        )
)
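To illustrate the kind of geometric check the comment attributes to the YARA rules, here is an added Python example (not Sublime's rule or its YARA signature): it models image placements on PDF pages and flags two square images of the listed sizes that sit within a small gap of each other. The image records, the gap threshold and the unit are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

# Square image sizes the page's comment says the YARA rules look for.
SPLIT_QR_SIZES = {290, 300, 370}
# Maximum edge-to-edge gap for two pieces to count as "placed close together" (assumed value).
MAX_GAP = 20.0


@dataclass(frozen=True)
class ImageBox:
    """Placement of one image on a PDF page: lower-left corner plus size (assumed units)."""
    page: int
    x: float
    y: float
    width: float
    height: float


def is_split_qr_candidate(img: ImageBox) -> bool:
    """A piece of a split QR code is assumed to be a square of one of the listed sizes."""
    return img.width == img.height and int(img.width) in SPLIT_QR_SIZES


def gap_between(a: ImageBox, b: ImageBox) -> float:
    """Smallest edge-to-edge distance between two axis-aligned boxes (0.0 if they overlap or touch)."""
    dx = max(0.0, max(a.x, b.x) - min(a.x + a.width, b.x + b.width))
    dy = max(0.0, max(a.y, b.y) - min(a.y + a.height, b.y + b.height))
    return (dx * dx + dy * dy) ** 0.5


def find_split_qr_pairs(images, max_gap: float = MAX_GAP):
    """Return every pair of candidate pieces on the same page that lie within max_gap of each other."""
    candidates = [img for img in images if is_split_qr_candidate(img)]
    pairs = []
    for a, b in combinations(candidates, 2):
        if a.page == b.page and gap_between(a, b) <= max_gap:
            pairs.append((a, b))
    return pairs


# Constructed sample: two 300x300 pieces side by side on page 1 (suspicious),
# a lone 370x370 image on page 2, and a 300x300 image on page 1 that is far from the pair.
SAMPLE_IMAGES = [
    ImageBox(page=1, x=100, y=400, width=300, height=300),
    ImageBox(page=1, x=405, y=400, width=300, height=300),  # 5 units right of the first piece
    ImageBox(page=2, x=50, y=50, width=370, height=370),
    ImageBox(page=1, x=100, y=20, width=300, height=300),   # 80 units below the first piece
]
```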
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: PDF with split QR code"
description: "Detects PDF attachments containing split QR codes positioned close together, a technique used to evade detection while maintaining QR code functionality for credential theft."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_type == "pdf"),
          any(file.explode(.),
              any(.scan.yara.matches,
                  // yara rules match on "split" QR codes that are 290x290, 300x300, 370x370 and placed close to each other in the PDF
                  strings.istarts_with(.name, 'Phishing_PDF_Split_QR_Code_Pair')
              )
          )
  )
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "PDF"
- "QR code"
detection_methods:
- "File analysis"
- "YARA"
- "QR code analysis"
id: "b6889ea1-522b-5410-8ccf-ce261fa1fd5f"