Windows Phishing PDF File Executes URL Link

Splunk Security Content

Summary
This analytic rule detects suspicious activity in which a PDF viewer process spawns a web browser as a child process, a pattern that suggests PDF-based phishing. It primarily uses data from Endpoint Detection and Response (EDR) systems, focusing specifically on process names and their parent process names. The detection looks for instances where PDF viewers such as "AcroRd32.exe" or "FoxitPDFReader.exe" spawn browser executables such as "firefox.exe", "chrome.exe", or "iexplore.exe". Such behavior may indicate that a malicious URL embedded in a PDF file has been opened, which can lead to the download of harmful payloads, code execution, privilege escalation, or other persistent threats through the compromised user’s web browser. Correct identification of this pattern is crucial for timely intervention against potential attacks.
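The parent/child check described above, re-implemented offline over constructed process-creation events as an added example; this is not the rule's own Splunk search, and the event record shape is an assumption. The process names are those quoted in the summary.

```python
from dataclasses import dataclass
import ntpath

# PDF viewers and browsers named in the detection summary (matched case-insensitively).
PDF_VIEWERS = {"acrord32.exe", "foxitpdfreader.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (assumed EDR field shape, constructed for this example)."""
    host: str
    user: str
    parent_process: str   # full path or bare image name of the parent
    process: str          # full path or bare image name of the child
    command_line: str = ""


def _image_name(path: str) -> str:
    # Reduce "C:\\Program Files\\...\\AcroRd32.exe" to "acrord32.exe" so path and case vary freely.
    return ntpath.basename(path).lower()


def is_pdf_spawned_browser(ev: ProcessEvent) -> bool:
    """True when a PDF viewer is the direct parent of a browser process."""
    return _image_name(ev.parent_process) in PDF_VIEWERS and _image_name(ev.process) in BROWSERS


def detect(events):
    """Return matching events plus a per host/user/parent/child count, like a stats-style rollup."""
    hits = [ev for ev in events if is_pdf_spawned_browser(ev)]
    counts = {}
    for ev in hits:
        key = (ev.host, ev.user, _image_name(ev.parent_process), _image_name(ev.process))
        counts[key] = counts.get(key, 0) + 1
    return hits, counts


# Constructed sample telemetry: two true positives by full path, one benign browser launch
# from explorer.exe, one benign Acrobat child, and one upper-cased parent name.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "alice", r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe https://example.invalid/"),
    ProcessEvent("ws01", "alice", r"C:\Windows\explorer.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("ws02", "bob", "FoxitPDFReader.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessEvent("ws02", "bob", "AcroRd32.exe", "AdobeCollabSync.exe"),
    ProcessEvent("ws01", "alice", "ACRORD32.EXE", "chrome.exe"),
]

if __name__ == "__main__":
    for key, n in detect(SAMPLE_EVENTS)[1].items():
        print(f"{key[0]} {key[1]}: {key[2]} -> {key[3]} x{n}")
```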
Categories
  • Endpoint
Data Sources
  • Pod
  • User Account
  • Process
ATT&CK Techniques
  • T1566.001
  • T1566
Created: 2024-11-13