
Link: Concatenated display text concealing duplicate URLs with PDF reference
Sublime Rules
Summary
Detects inbound messages in which two links that point to the same URL are displayed as a single concatenated text string, with the second link containing 'PDF' in its display text. This technique hides the true nature of the links by making them appear as a legitimate document reference, enabling credential phishing. The rule triggers when: (1) the inbound message body contains the concatenation of the first and second links' display_text values, (2) both links share the same href_url.url, and (3) the second link's display_text contains 'pdf' (case-insensitive). Detection methods include content analysis and URL analysis. This rule targets credential phishing attempts that rely on evasion and social engineering.
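The three conditions above, evaluated over constructed sample messages. This is an added Python illustration, not the rule's own source or query language; the `Message` and `Link` classes, the sample URLs, and the guard against empty display text are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Link:
    display_text: str
    url: str


@dataclass
class Message:
    inbound: bool
    body_text: str
    links: list = field(default_factory=list)


def matches_rule(msg: Message) -> bool:
    """True when the first two links satisfy all three summary conditions."""
    if not msg.inbound or len(msg.links) < 2:
        return False
    first, second = msg.links[0], msg.links[1]
    # Assumption: skip links without display text, otherwise the
    # concatenation check in (1) would match almost any body.
    if not first.display_text or not second.display_text:
        return False
    joined = first.display_text + second.display_text
    return (
        joined in msg.body_text                     # (1) texts appear fused in the body
        and first.url == second.url                 # (2) both links share one URL
        and "pdf" in second.display_text.lower()    # (3) case-insensitive 'pdf'
    )


# Constructed sample messages (not real traffic).
URL = "https://portal.example.test/signin"
SAMPLES = {
    "fused_pdf_name": Message(True, "Shared file: Q3_Statement.PDF (expires today)",
                              [Link("Q3_Statement", URL), Link(".PDF", URL)]),
    "separate_links": Message(True, "Read online or Download PDF",
                              [Link("Read online", URL), Link("Download PDF", URL)]),
    "different_urls": Message(True, "Q3_Statement.PDF",
                              [Link("Q3_Statement", URL),
                               Link(".PDF", "https://docs.example.test/q3")]),
    "outbound": Message(False, "Q3_Statement.PDF",
                        [Link("Q3_Statement", URL), Link(".PDF", URL)]),
}


def evaluate_samples() -> dict:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}
```

Only `fused_pdf_name` matches: the `separate_links` sample shares a URL and mentions PDF, but its display texts are not adjacent in the body, so condition (1) fails.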
Categories
- Web
- Endpoint
Data Sources
- Script
- Web Credential
Created: 2026-06-13