Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification

Sublime Rules

Summary
This rule detects inbound attachments that are PDFs and contain a specific embedded object hash, indicating a known malicious PDF indicator. It evaluates inbound messages (type.inbound) and filters for PDF attachments, then explodes each file to inspect embedded objects. If the scan results show pdf_obj_hash.object_hash equal to 63bf167b66091a4bc53e8944a76f6b08, the attachment is flagged as suspicious. The rule is aimed at catching encrypted PDFs or PDFs with obfuscated content used to deliver threats, such as those associated with fake payment notifications. It relies on file analysis and threat intelligence to identify the known object hash, and labels the finding as Malware/Ransomware with a PDF/Evasion focus. By targeting a specific object hash associated with a threat, the rule can rapidly alert on high-confidence indicators while minimizing generic file-type noise. Consider cross-referencing with threat intel to confirm current relevance and investigate the attachment for encryption, delivery context (e.g., phishing lure), and follow-on payload behavior.
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-03-03