
Summary
This detection rule identifies suspicious PDF documents that exhibit characteristics typically associated with automated generation by headless web browsers such as HeadlessChrome, or Chromium rendering through Skia/PDF. The rule looks for PDF files that contain a table of contents, an indicator that automated tools were potentially used to create the document. It also checks for empty metadata fields, which are common in files generated by automation tools and scripts. The logic checks, in sequence, whether the attachments are PDFs, whether they include a table of contents, and whether the document Creator or Producer fields name one of these browsers or renderers. Additionally, it flags PDFs that lack expected metadata such as a title and creator, which may suggest deliberate obfuscation commonly linked with phishing attempts. This rule falls under the context of credential phishing and relies on several detection methods, including content analysis and optical character recognition (OCR), to scrutinize the files in question thoroughly.
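The checks described above, as an added Python example that is not the rule's own implementation or code from the original page: it inspects a PDF attachment's magic header, looks for an /Outlines reference in the catalog (the document outline that viewers present as a table of contents), reads the Title, Creator and Producer strings from the Info dictionary, and returns a verdict with reasons. The sample PDFs are constructed inline for the demonstration; the regex list of headless producers and the helper names are assumptions, not values taken from the rule.

```python
import re

# PDF literal string: "(" ... ")" with backslash escapes permitted inside.
_LITERAL = rb"\(((?:\\.|[^\\)])*)\)"

# Creator/Producer values associated with headless-browser rendering.
# Assumption: these are matched as substrings, case-insensitively.
HEADLESS_RE = re.compile(rb"HeadlessChrome|Chromium|Skia/PDF", re.IGNORECASE)

INFO_FIELDS = ("Title", "Creator", "Producer")


def is_pdf(data: bytes) -> bool:
    """True if the attachment starts with the PDF magic header."""
    return data.startswith(b"%PDF-")


def has_table_of_contents(data: bytes) -> bool:
    """The catalog references a document outline (bookmarks) with an
    /Outlines key; viewers display that outline as a table of contents."""
    return re.search(rb"/Outlines\s+\d+\s+\d+\s+R", data) is not None


def extract_info(data: bytes) -> dict:
    """Read selected keys from the Info dictionary.
    Returns the decoded string, '' for an empty string, or None if absent."""
    info = {}
    for name in INFO_FIELDS:
        pat = rb"/" + re.escape(name.encode()) + rb"\s*" + _LITERAL
        m = re.search(pat, data)
        info[name] = m.group(1).decode("latin-1") if m else None
    return info


def evaluate(data: bytes) -> dict:
    """Apply the rule logic in sequence and return a verdict with reasons."""
    if not is_pdf(data):
        return {"match": False, "reasons": ["not a PDF attachment"]}
    reasons = []
    info = extract_info(data)
    toc = has_table_of_contents(data)
    # Combine the two tool-identifying fields before matching the producer list.
    tool_fields = " ".join(v for v in (info["Creator"], info["Producer"]) if v)
    if toc and HEADLESS_RE.search(tool_fields.encode("latin-1")):
        reasons.append(f"table of contents present and rendered by '{tool_fields}'")
    # Both title and creator missing or empty is treated as stripped metadata.
    if not info["Title"] and not info["Creator"]:
        reasons.append("title and creator metadata missing or empty")
    return {"match": bool(reasons), "reasons": reasons, "toc": toc, "info": info}


# Constructed sample attachments (minimal, uncompressed PDFs for illustration).
SAMPLE_HEADLESS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Outlines 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    b"3 0 obj << /Type /Outlines /Count 0 >> endobj\n"
    b"4 0 obj << /Creator (Chromium) /Producer (Skia/PDF m120) /Title () >> endobj\n"
    b"trailer << /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)
SAMPLE_BENIGN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    b"3 0 obj << /Title (Q3 invoice) /Creator (Microsoft Word) /Producer (Microsoft Word) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)
SAMPLE_NO_META = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("headless", SAMPLE_HEADLESS),
                          ("benign", SAMPLE_BENIGN),
                          ("no-metadata", SAMPLE_NO_META)):
        print(label, evaluate(sample))
```

The regex approach only sees objects stored in plain text; PDFs written by modern tools frequently place the Info dictionary or outline inside compressed object streams, and metadata may also live in an XMP stream instead of the Info dictionary, so a production check should decompress objects with a real PDF parser before applying the same field logic.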
Categories
- Web
- Endpoint
- Cloud
Data Sources
- File
- Process
- Network Traffic
Created: 2025-05-29