Attachment: PDF with suspicious internal object reference identifier

Sublime Rules

Summary
Detects inbound messages containing PDF attachments with a specific internal object reference identifier embedded in the PDF content. The rule triggers when an inbound message includes an attachment with file_type 'pdf', then expands the PDF structure and scans top-level (depth 0) objects for the string pattern [<C57237C22450666518136DE404118E5E>]. A match suggests a crafted or malicious PDF potentially used in BEC/fraud attempts. The rule relies on content analysis and file analysis rather than metadata to identify embedded identifiers inside the PDF.
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-06-30