EXPLORE
Sign In
← Back to Explore
sublimehighRule

Attachment: PDF file with embedded content

Threat actors may embed files within PDF documents, including macro-enabled documents, in an attempt to bypass security controls and social engineer a recipient into running malicious code.

MITRE ATT&CK

T1566.001T1204.002T1486

Detection Query

type.inbound
and (
  (
    sender.email.domain.root_domain in $free_email_providers
    and sender.email.email not in $recipient_emails
  )
  or (
    sender.email.domain.root_domain not in $free_email_providers
    and sender.email.domain.domain not in $recipient_domains
  )
)
and any(attachments,
        (
          .file_extension == "pdf"
          and any(file.explode(.),
                  any(.flavors.yara,
                      . in (
                        "iso_file",
                        "vb_file",
                        "base64_pe",
                        "encrypted_word_document",
                        "olecf_file",
                        "ooxml_file",
                        "encrypted_zip",
                        "mhtml_file",
                        "rar_file",
                        "tar_file",
                        "xar_file",
                        "bzip2_file",
                        "gzip_file",
                        "lzma_file",
                        "xz_file",
                        "zlib_file",
                        "elf_file",
                        "batch_file",
                        "hta_file"
                      )
                  )
          )
        )
)

Author

ajpc500

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

References

Raw Content
name: "Attachment: PDF file with embedded content"
description: |
  Threat actors may embed files within PDF documents, including macro-enabled documents, in an attempt to bypass security controls and social engineer a recipient into running malicious code.
references:
  - "https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/"
  - "https://blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/"
  - "https://delivr.to/payloads?id=6cc3a70e-f832-425e-ae45-5f735d3f1efe"
  - "https://delivr.to/payloads?id=d4dab160-0437-4f84-9294-db0348364b31"
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "high"
source: |
  type.inbound
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
  and any(attachments,
          (
            .file_extension == "pdf"
            and any(file.explode(.),
                    any(.flavors.yara,
                        . in (
                          "iso_file",
                          "vb_file",
                          "base64_pe",
                          "encrypted_word_document",
                          "olecf_file",
                          "ooxml_file",
                          "encrypted_zip",
                          "mhtml_file",
                          "rar_file",
                          "tar_file",
                          "xar_file",
                          "bzip2_file",
                          "gzip_file",
                          "lzma_file",
                          "xz_file",
                          "zlib_file",
                          "elf_file",
                          "batch_file",
                          "hta_file"
                        )
                    )
            )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "PDF"
detection_methods:
  - "File analysis"
  - "Sender analysis"
  - "YARA"
id: "c2e04516-2e6c-5079-8b67-327578e98315"