EXPLORE DETECTIONS
Attachment: PDF with CVE-2026-34621 lures
Detects PDF attachments containing YARA signatures associated with CVE-2026-34621's observed lures.
Attachment: PDF with eCheckRun lures
Detects PDF attachments matching yara rules looking for attachments containing artifacts from related to fake financial/invoice themes, including eCheckRun lures. These are commonly used to trick users into believe they have received legitmate electronic payment messages.
Attachment: PDF with embedded Javascript
PDF contains embedded Javascript.
Attachment: PDF with fake invoice using suspicious font sizing
PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes.
Attachment: PDF with JSFck obfuscation
PDF attachment contains JavaScript obfuscated using JSFck encoding techniques. JSFck is a method of writing JavaScript code using only six characters: []()!+ which is often used to evade detection by security tools.
Attachment: PDF with link to DMG file download
This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.
Attachment: PDF with link to zip containing a wsf file
Detects a PDF attachment with a link to a ZIP file that contains a WSF file
Attachment: PDF with localhost IP in EXIF title metadata
Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata.
Attachment: PDF with Microsoft Purview message impersonation
Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services.
Attachment: PDF with multistage landing - ClickUp abuse
Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages.
Attachment: PDF with password in filename matching body text
Detects messages containing a single PDF attachment where the filename includes a numeric password that is explicitly referenced in the message body text.
Attachment: PDF with personal Microsoft OneNote URL
Detects PDF attachments containing a sharepoint URL referencing the senders personal OneNote.
Attachment: PDF with QR code containing recipient-specific credential theft content
Detects PDF attachments containing QR codes that include the recipient's email address (either plaintext or base64 encoded) combined with credential theft language detected through natural language processing. This technique personalizes the attack by incorporating the target's email into the QR code URL while using PDF content to establish credibility.
Attachment: PDF with quote lure
Detects PDF attachments containing quote-themed lure content.
Attachment: PDF with recipient email in link
Detects PDF attachments that contain the recipient's domain in the filename and include a link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.
Attachment: PDF with ReportLab library and default metadata
Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities.
Attachment: PDF With SAI Global ISO9001 Logo
Detects PDF attachments containing embedded SAI Global ISO9001 logos, which may indicate brand impersonation or fraudulent certification claims.
Attachment: PDF with self-service platform links with self sender or blank recipients
Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution.
Attachment: PDF with specific author metadata
Detects inbound messages containing PDF attachments where the EXIF metadata indicates the author or creator is 'Shelby Porter'.
Attachment: PDF with specific W-9 lure
Detects PDF attachments containing W-9 related lures. This one is looking for signatures that have been observed across multiple samples.
Attachment: PDF with split QR code
Detects PDF attachments containing split QR codes positioned close together, a technique used to evade detection while maintaining QR code functionality for credential theft.
Attachment: PDF with suspicious document view lure
Detects PDF attachments containing a title box designed to lure recipients into viewing a document, a common social engineering technique used to direct users to malicious content.
Attachment: PDF with suspicious HeadlessChrome metadata
Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.
Attachment: PDF with suspicious internal object reference identifier
Detects inbound messages containing PDF attachments with a specific internal object reference identifier pattern, which may indicate a crafted or malicious PDF file.