EXPLORE

EXPLORE DETECTIONS

🔍
1,155 detections found

Attachment: PDF with CVE-2026-34621 lures

Detects PDF attachments containing YARA signatures associated with CVE-2026-34621's observed lures.

T1566.001T1204.002T1486
Sublimehigh

Attachment: PDF with eCheckRun lures

Detects PDF attachments matching yara rules looking for attachments containing artifacts from related to fake financial/invoice themes, including eCheckRun lures. These are commonly used to trick users into believe they have received legitmate electronic payment messages.

T1566T1566.001T1566.002T1598
Sublimemedium

Attachment: PDF with embedded Javascript

PDF contains embedded Javascript.

T1566.001T1204.002T1486T1036T1027+1
Sublimemedium

Attachment: PDF with fake invoice using suspicious font sizing

PDF attachment contains a fake invoice with suspicious font size patterns and unique image sizes, typically used in fraudulent billing schemes.

T1566.002T1534T1656T1566.003T1598+1
Sublimemedium

Attachment: PDF with JSFck obfuscation

PDF attachment contains JavaScript obfuscated using JSFck encoding techniques. JSFck is a method of writing JavaScript code using only six characters: []()!+ which is often used to evade detection by security tools.

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: PDF with link to DMG file download

This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.

T1566.001T1204.002T1486T1036T1027
Sublimemedium

Attachment: PDF with link to zip containing a wsf file

Detects a PDF attachment with a link to a ZIP file that contains a WSF file

T1566.001T1204.002T1486T1036T1027
Sublimehigh

Attachment: PDF with localhost IP in EXIF title metadata

Detects inbound PDF attachments where the EXIF title metadata starts with '127.0.0.1', sent either to a self-addressed recipient or an invalid recipient domain. This technique may indicate automated or malicious document generation tools embedding localhost references in file metadata.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: PDF with Microsoft Purview message impersonation

Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services.

T1566T1566.001T1566.002T1598T1598.003
Sublimemedium

Attachment: PDF with multistage landing - ClickUp abuse

Detects PDF attachments containing ClickUp document links that either redirect to unavailable pages or contain embedded links leading to newly registered domains, free file hosts, URL shorteners, or verified credential theft pages.

T1566T1566.001T1566.002T1598T1036+1
Sublimehigh

Attachment: PDF with password in filename matching body text

Detects messages containing a single PDF attachment where the filename includes a numeric password that is explicitly referenced in the message body text.

T1566.001T1204.002T1486T1566T1566.002+4
Sublimemedium

Attachment: PDF with personal Microsoft OneNote URL

Detects PDF attachments containing a sharepoint URL referencing the senders personal OneNote.

T1566T1566.001T1566.002T1598
Sublimemedium

Attachment: PDF with QR code containing recipient-specific credential theft content

Detects PDF attachments containing QR codes that include the recipient's email address (either plaintext or base64 encoded) combined with credential theft language detected through natural language processing. This technique personalizes the attack by incorporating the target's email into the QR code URL while using PDF content to establish credibility.

T1566T1566.001T1566.002T1598
Sublimehigh

Attachment: PDF with quote lure

Detects PDF attachments containing quote-themed lure content.

T1566T1566.001T1566.002T1598T1204.002+1
Sublimemedium

Attachment: PDF with recipient email in link

Detects PDF attachments that contain the recipient's domain in the filename and include a link personalized with the recipient's email address, either in the URL directly, encoded in base64, or within a QR code.

T1566T1566.001T1566.002T1598T1027+1
Sublimehigh

Attachment: PDF with ReportLab library and default metadata

Detects PDF attachments generated using the ReportLab PDF Library with default anonymous metadata values, including untitled document, anonymous creator/author, and unspecified subject. This combination of characteristics is commonly associated with automated PDF generation tools used in malicious activities.

T1566T1566.001T1566.002T1598T1036+1
Sublimelow

Attachment: PDF With SAI Global ISO9001 Logo

Detects PDF attachments containing embedded SAI Global ISO9001 logos, which may indicate brand impersonation or fraudulent certification claims.

T1566T1566.001T1566.002T1598T1598.003
Sublimehigh

Attachment: PDF with self-service platform links with self sender or blank recipients

Detects single-page PDF attachments containing links to self-service content creation platforms, sent to either the sender's own email address or an invalid email domain. This pattern may indicate testing of malicious content or preparation for distribution.

T1566.002T1534T1656T1566T1566.001+3
Sublimemedium

Attachment: PDF with specific author metadata

Detects inbound messages containing PDF attachments where the EXIF metadata indicates the author or creator is 'Shelby Porter'.

T1566T1566.001T1566.002T1598
Sublimehigh

Attachment: PDF with specific W-9 lure

Detects PDF attachments containing W-9 related lures. This one is looking for signatures that have been observed across multiple samples.

T1566.002T1534T1656T1566T1598
Sublimemedium

Attachment: PDF with split QR code

Detects PDF attachments containing split QR codes positioned close together, a technique used to evade detection while maintaining QR code functionality for credential theft.

T1566T1566.001T1566.002T1598T1036+1
Sublimemedium

Attachment: PDF with suspicious document view lure

Detects PDF attachments containing a title box designed to lure recipients into viewing a document, a common social engineering technique used to direct users to malicious content.

T1566.001T1204.002T1486T1566T1598
Sublimemedium

Attachment: PDF with suspicious HeadlessChrome metadata

Detects PDF attachments created by HeadlessChrome with suspicious characteristics, including MD5-formatted HTML filenames or blank titles with Windows Skia/PDF producer, excluding legitimate Google Docs files.

T1566T1566.001T1566.002T1598T1204.002+3
Sublimemedium

Attachment: PDF with suspicious internal object reference identifier

Detects inbound messages containing PDF attachments with a specific internal object reference identifier pattern, which may indicate a crafted or malicious PDF file.

T1566.002T1534T1656
Sublimemedium
PreviousPage 9 of 49Next