
Summary
This rule monitors inbound email for PDF attachments and uses a YARA rule named 'view_document_pdf_characteristics' to flag PDFs that exhibit the document-viewer lure characteristics commonly used in credential phishing and malware delivery. It triggers when an inbound message carries at least one PDF attachment and that file, after content expansion, yields a YARA match with that rule name. The detection relies on file analysis and YARA pattern matching at the gateway or endpoint that processes mail, so a matching message can be quarantined, blocked, or sent for sandbox analysis before delivery to the user. It targets the social engineering and evasion tactics behind such lures by signaling attempts to entice recipients to open or interact with a malicious document. The rule's medium severity reflects the risk of credential theft or malware deployment if the attachment is opened.

The detection depends on the specific YARA rule being present and kept up to date, legitimate PDFs may produce false positives, and obfuscation or document alterations can evade the pattern. Complementary controls such as sandboxing, additional attachment filtering, and user awareness training should be considered to reduce risk and improve detection fidelity.
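To make the trigger conditions concrete, the following is an added Python model of the rule's logic run over constructed sample messages. It is not the rule's own query or any vendor's code: the Message, Attachment and ExpandedFile structures, the `expanded` field standing in for content expansion, the `run_samples` helper, and all sample data are assumptions made for illustration. It goes slightly beyond the summary by identifying a PDF from its MIME type and `%PDF-` magic bytes as well as its extension, so a renamed attachment is still routed to the YARA check.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Name of the YARA rule the detection keys on (from the rule description).
TARGET_RULE = "view_document_pdf_characteristics"


@dataclass
class YaraMatch:
    name: str


@dataclass
class ExpandedFile:
    """One file produced by content expansion of an attachment (the attachment
    itself or something nested inside it) together with its YARA scan results.
    Assumed structure, not a real scanner's output format."""
    path: str
    yara_matches: List[YaraMatch] = field(default_factory=list)


@dataclass
class Attachment:
    file_name: str
    content_type: str
    head: bytes                      # leading bytes of the file, for the magic-byte check
    expanded: List[ExpandedFile] = field(default_factory=list)


@dataclass
class Message:
    message_id: str
    inbound: bool
    attachments: List[Attachment] = field(default_factory=list)


def is_pdf(att: Attachment) -> bool:
    # The extension alone is trivially changed; the MIME type and the %PDF- signature
    # are also checked so a renamed or mislabelled PDF still reaches the YARA check.
    return (att.file_name.lower().endswith(".pdf")
            or att.content_type.lower() == "application/pdf"
            or att.head.startswith(b"%PDF-"))


def yara_rule_hit(att: Attachment, rule_name: str = TARGET_RULE) -> bool:
    # True when any file produced by expanding the attachment matched the named rule.
    return any(m.name == rule_name
               for f in att.expanded
               for m in f.yara_matches)


def evaluate(msg: Message) -> bool:
    """Return True when the rule would fire: the message is inbound and at least one
    PDF attachment's expansion produced a YARA match named TARGET_RULE."""
    if not msg.inbound:
        return False
    return any(is_pdf(a) and yara_rule_hit(a) for a in msg.attachments)


# Constructed sample messages (assumed data, not captured traffic).
SAMPLE_MESSAGES = [
    # Lure PDF: inbound, PDF, rule matched -> fires.
    Message("lure-1", inbound=True, attachments=[
        Attachment("Secure_Document.pdf", "application/pdf", b"%PDF-1.7",
                   [ExpandedFile("Secure_Document.pdf", [YaraMatch(TARGET_RULE)])])]),
    # Ordinary PDF with no YARA hits -> does not fire.
    Message("invoice-1", inbound=True, attachments=[
        Attachment("invoice_0423.pdf", "application/pdf", b"%PDF-1.4",
                   [ExpandedFile("invoice_0423.pdf", [])])]),
    # PDF renamed to .txt: magic bytes still identify it as a PDF -> fires.
    Message("renamed-1", inbound=True, attachments=[
        Attachment("notes.txt", "text/plain", b"%PDF-1.6",
                   [ExpandedFile("notes.txt", [YaraMatch(TARGET_RULE)])])]),
    # PDF that matched a different (placeholder) rule name -> does not fire.
    Message("other-rule-1", inbound=True, attachments=[
        Attachment("report.pdf", "application/pdf", b"%PDF-1.5",
                   [ExpandedFile("report.pdf", [YaraMatch("some_other_rule")])])]),
    # Same lure PDF but on an outbound message -> out of scope, does not fire.
    Message("outbound-1", inbound=False, attachments=[
        Attachment("Secure_Document.pdf", "application/pdf", b"%PDF-1.7",
                   [ExpandedFile("Secure_Document.pdf", [YaraMatch(TARGET_RULE)])])]),
]


def run_samples() -> Dict[str, bool]:
    """Evaluate every sample message; returns {message_id: fired}."""
    return {m.message_id: evaluate(m) for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for mid, fired in run_samples().items():
        print(f"{mid}: {'FLAGGED' if fired else 'pass'}")
```

The `renamed-1` and `other-rule-1` cases show the two edges worth keeping in mind when tuning: PDF identification should not hinge on the extension alone, and the match must be on the exact rule name, since an unrelated YARA hit on a PDF is a different signal with its own severity.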
Categories
- Endpoint
- Network
- Application
Data Sources
- File
Created: 2026-04-24