[PR #4001] added rule: Attachment: PDF object hash - payment receipt theme

Author: github-actions[bot]

detection-rules/4001_attachment_pdf_obj_hash_payment_receipt.yml

@@ -0,0 +1,29 @@
+name: "Attachment: PDF object hash - payment receipt theme"
+description: "Detects PDF attachments containing objects with specific hash values known for fake payment receipts and invoice confirmations. The rule identifies PDF files by analyzing their internal object structures and matching against known, harmful object hashes."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_type == "pdf"),
+          any(file.explode(.),
+              .scan.pdf_obj_hash.object_hash in (
+                "9c6b9dcddee56a38f1be7badaef017a2",
+                "a6c857527026a1d5fe5d8fea6270ad29",
+                "de75b9278fcc2b2d6fdc5f217ea4face",
+                "df866e643dd6c0179bf74df874cf001d"
+              )
+          )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "PDF"
+  - "Evasion"
+detection_methods:
+  - "File analysis"
+  - "Threat intelligence"
+id: "40b4bba1-5699-56d2-8e4b-2fd48efcd8f9"
+og_id: "e9d5be49-d7f0-5ef4-a931-9d3122aa9322"
+testing_pr: 4001
+testing_sha: 9c3f5db4eba10b5b3afe74887f7d81c609de5021