Sublime Security detection rule (severity: medium)
Attachment: PDF with suspicious HeadlessChrome metadata
Detects PDF attachments created by HeadlessChrome with suspicious characteristics: a single-page document whose title is an MD5-formatted HTML filename, or whose title is "about:blank" while the producer is Skia/PDF and the creator string identifies Windows. PDFs whose producer identifies Google Docs are excluded.
Detection Query
type.inbound
and any(filter(attachments, .file_extension == "pdf"),
        strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
        and beta.parse_exif(.).page_count == 1
        and (
          // MD5 filename, 32 hex chars and .html
          regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
          or
          // about:blank and Windows HeadlessChrome
          (
            beta.parse_exif(.).title == "about:blank"
            and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
            and strings.icontains(beta.parse_exif(.).creator, "Windows")
          )
        )
        and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
)
and not (
  sender.email.domain.root_domain in (
    "guardtek.net",
    "gominis.com",
    "aglgroup.com",
    "truckerzoom.com"
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Tags
Attack surface reduction
Raw Content
name: "Attachment: PDF with suspicious HeadlessChrome metadata"
description: "Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_extension == "pdf"),
          strings.icontains(beta.parse_exif(.).creator, "HeadlessChrome")
          and beta.parse_exif(.).page_count == 1
          and (
            // MD5 filename, 32 hex chars and .html
            regex.imatch(beta.parse_exif(.).title, '^[a-f0-9]{32}\.html$')
            or
            // about:blank and Windows HeadlessChrome
            (
              beta.parse_exif(.).title == "about:blank"
              and strings.istarts_with(beta.parse_exif(.).producer, "Skia/PDF")
              and strings.icontains(beta.parse_exif(.).creator, "Windows")
            )
          )
          and not strings.icontains(beta.parse_exif(.).producer, "Google Docs")
  )
  and not (
    sender.email.domain.root_domain in (
      "guardtek.net",
      "gominis.com",
      "aglgroup.com",
      "truckerzoom.com"
    )
    and coalesce(headers.auth_summary.dmarc.pass, false)
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "Exif analysis"
id: "eda99b1d-5639-57a0-860e-2d55b7f3b84f"