
Summary
This rule detects inbound email events containing PDF attachments that trigger a specific YARA indicator named 'pdf_view_doc_here_title_box'. It operates by enforcing inbound context, filtering attachments for the PDF file_type, expanding each file (file.explode(.)), and evaluating YARA matches for a rule name equal to 'pdf_view_doc_here_title_box'. If such a YARA match is found, the rule fires. The intent is to catch social-engineering lure attempts where a PDF document presents a title box designed to coax the recipient into viewing the document, potentially directing them to malicious content. The rule relies on content and file analysis complemented by YARA-based detection. It is categorized under Malware/Ransomware and is associated with PDF-related social engineering tactics. The detection depends on a pre-existing YARA signature with this exact name being deployed in the scanning environment; it does not assess payload execution or link safety beyond the YARA match. False positives may occur if legitimate PDFs inadvertently trigger the same signature, and detection effectiveness depends on the currency of the YARA rule repository and proper parsing of PDF attachments.
Categories
- Endpoint
Data Sources
- File
Created: 2026-07-15