Create attachment_pdf_obj_hash_payment_receipt.yml

Author: JFarina5

detection-rules/attachment_pdf_obj_hash_payment_receipt.yml

@@ -0,0 +1,25 @@
+name: "Attachment: PDF object hash - payment receipt theme"
+description: "Detects PDF attachments containing objects with specific hash values known for fake payment receipts and invoice confirmations. The rule identifies PDF files by analyzing their internal object structures and matching against known, harmful object hashes."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_type == "pdf"),
+          any(file.explode(.),
+              .scan.pdf_obj_hash.object_hash in (
+                "9c6b9dcddee56a38f1be7badaef017a2",
+                "a6c857527026a1d5fe5d8fea6270ad29",
+                "de75b9278fcc2b2d6fdc5f217ea4face",
+                "df866e643dd6c0179bf74df874cf001d"
+              )
+          )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "PDF"
+  - "Evasion"
+detection_methods:
+  - "File analysis"
+  - "Threat intelligence"