Attachment: Python generated PDF with link

Sublime Rules

Summary
This rule detects malicious PDF attachments generated with Python scripting libraries, specifically PDFs that contain hyperlinks which may lead to harmful destinations. The detection logic inspects inbound email attachments and first checks the sender's profile prevalence, which must be either 'new' or an 'outlier'. The rule matches PDF file extensions and then examines the strings inside the PDF for any of several popular Python PDF-generation libraries, such as ReportLab, PyPDF and PyPDF2. It also checks for links within the document by ensuring that the length of the URL list is less than zero, which the rule treats as an indicator of potential exploitation. This approach closely resembles techniques employed by the PikaBot threat actor, making it relevant for detecting similar tactics.
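The following is an added, stand-alone Python sketch of the detection logic described above; it is not the Sublime rule itself and does not use Sublime's query language. It assumes a simplified attachment and sender model, scans raw PDF bytes for the library names named in the summary (the real rule's list may be longer), extracts `/URI (...)` link annotations with a regular expression, and treats a non-zero URL count as the link condition. Real PDFs usually keep annotations inside compressed object streams, so a byte scan like this is a simplification of what an attachment explosion pipeline does; the sample PDF bytes are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed, minimal PDF-like bytes for the example (not a real generated
# file): a ReportLab-style /Producer string plus one URI link annotation.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Producer (ReportLab PDF Library - www.reportlab.com) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Library names taken from the summary; the production rule may check more.
PYTHON_PDF_LIBRARIES = ("ReportLab", "PyPDF", "PyPDF2")

# Matches uncompressed /URI (...) entries in link annotations.
URI_PATTERN = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)

PDF_EXTENSIONS = {"pdf"}

# Sender prevalence values the rule keys on; "common" is an assumed
# placeholder for any other value.
SUSPICIOUS_PREVALENCE = {"new", "outlier"}


@dataclass
class Attachment:
    file_name: str
    content: bytes


@dataclass
class SenderProfile:
    prevalence: str  # e.g. "new", "outlier", "common"


def is_pdf(attachment: Attachment) -> bool:
    """File-extension check, mirroring the rule's first attachment filter."""
    ext = attachment.file_name.rsplit(".", 1)[-1].lower()
    return ext in PDF_EXTENSIONS


def python_library_hits(content: bytes) -> list:
    """Return the Python PDF libraries whose names appear in the bytes."""
    lowered = content.lower()
    return [lib for lib in PYTHON_PDF_LIBRARIES if lib.lower().encode() in lowered]


def extract_urls(content: bytes) -> list:
    """Pull URIs out of uncompressed link annotations."""
    return [m.group(1).decode("utf-8", errors="replace")
            for m in URI_PATTERN.finditer(content)]


def rule_matches(attachment: Attachment, sender: SenderProfile) -> bool:
    """True when all conditions of the summarised rule hold at once."""
    if sender.prevalence not in SUSPICIOUS_PREVALENCE:
        return False
    if not is_pdf(attachment):
        return False
    if not python_library_hits(attachment.content):
        return False
    # Assumption: the link condition is "at least one URL present".
    return len(extract_urls(attachment.content)) > 0


if __name__ == "__main__":
    att = Attachment("invoice.pdf", SAMPLE_PDF)
    print("libraries:", python_library_hits(att.content))
    print("urls:", extract_urls(att.content))
    print("new sender ->", rule_matches(att, SenderProfile("new")))
    print("known sender ->", rule_matches(att, SenderProfile("common")))
```

Each condition is a separate function so that a triage analyst can see which part of the rule fired; in a real pipeline the byte scan would be replaced by a proper PDF parser that decompresses object streams before searching for producer strings and link annotations.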
Categories
  • Endpoint
  • Web
  • Cloud
  • Application
Data Sources
  • File
  • Network Traffic
Created: 2024-02-07