
Attachment: PDF generated with wkhtmltopdf tool and default title

Sublime Rules

Summary
This detection rule identifies inbound PDF attachments generated with wkhtmltopdf, an HTML-to-PDF converter that attackers use to turn a phishing or business email compromise (BEC) lure page into a realistic-looking document. Because the same tool is also used by legitimate automated invoice and report pipelines, the rule does not flag every wkhtmltopdf output; it requires three indicators together: PDF metadata naming the Qt framework as the producer, an EXIF metadata Creator field (as exposed by exiftool-style extraction) naming wkhtmltopdf, and a document title of 'Document', a common default title in PDFs produced by this tool. PDFs built this way serve both as credential-phishing lures and as carriers for links to malware, so surfacing them before a user interacts with the attachment helps prevent a compromise.
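The following is an added illustration of the three-condition logic described above, written in Python rather than Sublime's own rule language; it is not the published rule. The PDF byte strings are constructed for the example and only mimic the Producer/Creator/Title values wkhtmltopdf writes; the parser reads those fields straight out of the PDF Info dictionary as a stand-in for exiftool, and the function and variable names are this example's own.

```python
import re

# Constructed sample: what a wkhtmltopdf conversion of an untitled HTML page
# looks like at the metadata level (Qt producer, wkhtmltopdf creator,
# default title). Not a real captured attachment.
SAMPLE_WKHTMLTOPDF_DEFAULT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Document) /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Constructed sample: same tool, but the HTML supplied its own <title>, which
# is the shape a legitimate invoicing pipeline usually produces.
SAMPLE_WKHTMLTOPDF_TITLED = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Title (Invoice 10042) /Creator (wkhtmltopdf 0.12.6) /Producer (Qt 4.8.7) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Constructed sample: an unrelated producer with the same default-looking title.
SAMPLE_OTHER_TOOL = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Title (Document) /Creator (LibreOffice 7.4) /Producer (LibreOffice 7.4) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

_INFO_KEYS = ("Title", "Creator", "Producer")


def pdf_info(data: bytes) -> dict:
    """Extract Title/Creator/Producer from the PDF Info dictionary.

    Only literal (...) strings in an unencrypted, uncompressed Info object are
    handled; that covers plain wkhtmltopdf output, which is all this example
    needs. Hex strings, object streams and encrypted PDFs return no fields.
    """
    fields = {}
    for key in _INFO_KEYS:
        # /Key (value) with PDF backslash escapes allowed inside the string
        pattern = rb"/" + key.encode() + rb"\s*\(((?:\\.|[^\\)])*)\)"
        match = re.search(pattern, data)
        if match:
            fields[key] = match.group(1).decode("latin-1")
    return fields


def is_wkhtmltopdf_default_title(data: bytes) -> bool:
    """Return True when all three rule conditions hold for one PDF."""
    if not data.startswith(b"%PDF"):
        return False
    info = pdf_info(data)
    producer = info.get("Producer", "").lower()
    creator = info.get("Creator", "").lower()
    title = info.get("Title", "")
    qt_producer = re.search(r"\bqt\b", producer) is not None
    wk_creator = "wkhtmltopdf" in creator
    default_title = title == "Document"
    return qt_producer and wk_creator and default_title


def flagged_attachments(attachments):
    """Evaluate a message's attachments.

    `attachments` is a list of (filename, content_type, bytes) tuples, a
    hypothetical stand-in for an email gateway's attachment list. Returns the
    filenames the rule would flag.
    """
    hits = []
    for name, content_type, data in attachments:
        looks_like_pdf = content_type == "application/pdf" or name.lower().endswith(".pdf")
        if looks_like_pdf and is_wkhtmltopdf_default_title(data):
            hits.append(name)
    return hits


if __name__ == "__main__":
    message = [
        ("Document.pdf", "application/pdf", SAMPLE_WKHTMLTOPDF_DEFAULT),
        ("invoice.pdf", "application/pdf", SAMPLE_WKHTMLTOPDF_TITLED),
        ("notes.pdf", "application/pdf", SAMPLE_OTHER_TOOL),
    ]
    print(flagged_attachments(message))
```

The titled wkhtmltopdf sample is the important negative case: the producer and creator conditions alone would catch every PDF a legitimate wkhtmltopdf-based pipeline emits, and the default-title condition is what narrows the rule to documents whose author did not bother to set one. Metadata is also attacker-controlled, so a PDF with these fields stripped or rewritten will not match; the rule is a cheap tool fingerprint, not proof of intent.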
Categories
  • Web
  • Endpoint
Data Sources
  • File
  • Process
Created: 2025-12-20