[PR #3996] modified rule: Attachment: PDF with specific object hash pattern

github-actions[bot] · github-actions[bot] · commit d4f4e7674716 · 2026-02-10T21:25:59.000Z
diff --git a/detection-rules/3996_attachment_pdf_object_hash_partial_match.yml b/detection-rules/3996_attachment_pdf_object_hash_partial_match.yml
@@ -7,7 +7,7 @@ source: |
   and any(filter(attachments, .file_type == "pdf"),
           any(file.explode(.),
               strings.contains(.scan.pdf_obj_hash.hash_string,
-                               "Catalog|Pages|Page|Filter|Font/TrueType|FontDescriptor|ExtGState|ExtGState|Font/Type0|None|Font/CIDFontType2|Ordering|FontDescriptor|Font/TrueType|FontDescriptor|Subtype|Subtype|Font/Type0|None|Font/CIDFontType2|Ordering|FontDescriptor|"
+                               "Catalog|Pages|Page|Filter|Font/TrueType|FontDescriptor|ExtGState|ExtGState|Font/Type0|None|Font/CIDFontType2|Ordering|FontDescriptor|Font/TrueType|FontDescriptor|Subtype|Subtype|Font/Type0|None|Font/CIDFontType2|Ordering|FontDescriptor|Subtype|XObject/Image|Subtype|XObject/Image|"
               )
           )
   )
@@ -21,4 +21,4 @@ detection_methods:
 id: "ea53a4d4-af8b-5a0e-a837-24c4fe3b28d2"
 og_id: "39a99174-f2f3-5106-9e99-0684bc7b738c"
 testing_pr: 3996
-testing_sha: 653f01c807e17c120e10e7098d6c86bef8b7759a
+testing_sha: 0e8c7b9f24c4dbd22e91bebc865c04431ead0ac1

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ source: \|`
`7`	`7`	`and any(filter(attachments, .file_type == "pdf"),`
`8`	`8`	`any(file.explode(.),`
`9`	`9`	`strings.contains(.scan.pdf_obj_hash.hash_string,`
`10`		`- "Catalog\|Pages\|Page\|Filter\|Font/TrueType\|FontDescriptor\|ExtGState\|ExtGState\|Font/Type0\|None\|Font/CIDFontType2\|Ordering\|FontDescriptor\|Font/TrueType\|FontDescriptor\|Subtype\|Subtype\|Font/Type0\|None\|Font/CIDFontType2\|Ordering\|FontDescriptor\|"`
	`10`	`+ "Catalog\|Pages\|Page\|Filter\|Font/TrueType\|FontDescriptor\|ExtGState\|ExtGState\|Font/Type0\|None\|Font/CIDFontType2\|Ordering\|FontDescriptor\|Font/TrueType\|FontDescriptor\|Subtype\|Subtype\|Font/Type0\|None\|Font/CIDFontType2\|Ordering\|FontDescriptor\|Subtype\|XObject/Image\|Subtype\|XObject/Image\|"`
`11`	`11`	`)`
`12`	`12`	`)`
`13`	`13`	`)`
`@@ -21,4 +21,4 @@ detection_methods:`
`21`	`21`	`id: "ea53a4d4-af8b-5a0e-a837-24c4fe3b28d2"`
`22`	`22`	`og_id: "39a99174-f2f3-5106-9e99-0684bc7b738c"`
`23`	`23`	`testing_pr: 3996`
`24`		`-testing_sha: 653f01c807e17c120e10e7098d6c86bef8b7759a`
	`24`	`+testing_sha: 0e8c7b9f24c4dbd22e91bebc865c04431ead0ac1`