EXPLORE
Sign In
← Back to Explore
sublimelowRule

Spam: Unsolicited malformed PDF

This rule is designed to identify spam messages featuring a single malformed PDF attachment often leading to romance scam, pornographic, or dating websites. These emails typically contain short body text and intentionally distorted PDFs to avoid detection.

MITRE ATT&CK

T1566T1036T1027
defense-evasion

Detection Query

type.inbound
// body text is very short
and length(body.current_thread.text) < 50

// one attachment
and length(attachments) == 1

// attachment is named a pdf, but mime type doesn't match with high entropy
and any(attachments,
        .file_type == "unknown"
        and strings.ends_with(.file_name, "pdf")
        and any(file.explode(.),
                .flavors.mime in (
                  "application/octet-stream",
                  "application/marc"
                )
                and .scan.entropy.entropy >= 6
        )
)
// a free email address was hyperlinked 
and any(body.links,
        .display_text is null and .href_url.url in $free_email_providers
)

// multiple freemail senders found in recipients.to
and length(filter(recipients.to,
                  .email.domain.root_domain in $free_email_providers
           )
) >= 3

// unsolicited and no false positives or previously flagged
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Spam: Unsolicited malformed PDF"
description: "This rule is designed to identify spam messages featuring a single malformed PDF attachment often leading to romance scam, pornographic, or dating websites. These emails typically contain short body text and intentionally distorted PDFs to avoid detection."
type: "rule"
severity: "low"
source: |
  type.inbound
  // body text is very short
  and length(body.current_thread.text) < 50
  
  // one attachment
  and length(attachments) == 1
  
  // attachment is named a pdf, but mime type doesn't match with high entropy
  and any(attachments,
          .file_type == "unknown"
          and strings.ends_with(.file_name, "pdf")
          and any(file.explode(.),
                  .flavors.mime in (
                    "application/octet-stream",
                    "application/marc"
                  )
                  and .scan.entropy.entropy >= 6
          )
  )
  // a free email address was hyperlinked 
  and any(body.links,
          .display_text is null and .href_url.url in $free_email_providers
  )
  
  // multiple freemail senders found in recipients.to
  and length(filter(recipients.to,
                    .email.domain.root_domain in $free_email_providers
             )
  ) >= 3
  
  // unsolicited and no false positives or previously flagged
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not profile.by_sender().any_messages_benign
  

attack_types:
  - "Spam"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Sender analysis"
id: "f0c50031-8782-5f0a-aee0-68284651df63"