Attachment: PDF with specific W-9 lure

Sublime Rules

Summary
Detects inbound PDF attachments that contain W-9 lure signatures, using a YARA rule match named pdf_w9_signature_c003. The rule filters for inbound events with at least one PDF attachment, then explodes the file and checks for YARA matches with the specified signature name. This targets social-engineering BEC/fraud campaigns that use W-9 tax form lures and similar tricks. Detection relies on file analysis and YARA scanning and is set to medium severity.
Categories
  • Endpoint
Data Sources
  • File
Created: 2026-07-02