
Summary
This detection rule identifies potentially fraudulent PDF attachments that pose as invoices while carrying the headquarters address of LinkedIn (1000 W Maude Ave). The rule specifically looks for PDFs generated with either 'wkhtmltopdf' or 'Qt', tools commonly used to convert HTML documents into PDF format. If the PDF contains the LinkedIn address but includes no direct reference to LinkedIn, the rule flags it as potentially suspicious. This rule is particularly relevant in the context of Business Email Compromise (BEC) and fraud, where attackers use such tactics to deceive recipients into processing fake invoices. It employs several detection techniques, including file analysis, content analysis via Optical Character Recognition (OCR), and Exif data analysis, so that suspicious documents are caught and reviewed accordingly.
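As an added illustration, not the rule's own query or the vendor's code, the Python below applies the three conditions the summary describes (HTML-to-PDF generator, LinkedIn HQ address present, no LinkedIn reference) to constructed sample metadata and extracted text; the regexes, the producer/creator field names and the invoice-keyword enrichment are assumptions.

```python
import re

# Assumed patterns: the address is matched with common abbreviation variants,
# the generator check looks at PDF Producer/Creator (Exif-style) strings.
HQ_ADDRESS_RE = re.compile(r"\b1000\s+W(?:est)?\.?\s+Maude\s+Ave(?:nue)?\b", re.I)
HTML_TO_PDF_RE = re.compile(r"\b(?:wkhtmltopdf|Qt)\b", re.I)
LINKEDIN_RE = re.compile(r"linked\s*in", re.I)
INVOICE_RE = re.compile(r"\b(?:invoice|amount\s+due|remit\s+to)\b", re.I)  # enrichment only

# Constructed sample text, as OCR or text extraction might return it.
SAMPLE_FAKE_INVOICE = """INVOICE #4471
Amount Due: $2,480.00
Remit to: Acme Consulting LLC
1000 W Maude Ave
Sunnyvale, CA 94085
"""


def evaluate_pdf(producer, creator, text):
    """Return (flagged, conditions) for one attachment.

    producer/creator mimic the PDF metadata fields; text is the recovered
    document text. The rule fires only when all three core conditions hold;
    'invoice_like' is reported for the reviewer but not required (assumption).
    """
    meta = " ".join(s for s in (producer, creator) if s)
    body = re.sub(r"\s+", " ", text)  # collapse OCR line breaks
    conditions = {
        "html_to_pdf_generator": bool(HTML_TO_PDF_RE.search(meta)),
        "linkedin_hq_address": bool(HQ_ADDRESS_RE.search(body)),
        "no_linkedin_reference": not (LINKEDIN_RE.search(body) or LINKEDIN_RE.search(meta)),
        "invoice_like": bool(INVOICE_RE.search(body)),
    }
    core = ("html_to_pdf_generator", "linkedin_hq_address", "no_linkedin_reference")
    return all(conditions[k] for k in core), conditions


if __name__ == "__main__":
    flagged, conds = evaluate_pdf("wkhtmltopdf 0.12.6", "wkhtmltopdf 0.12.6", SAMPLE_FAKE_INVOICE)
    print("flagged" if flagged else "clean", conds)
```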
Categories
- Network
- Endpoint
- Cloud
Data Sources
- File
- Process
Created: 2025-09-04