Create attachment_pdf_object_hash_partial_match.yml

keaton-sublime · web-flow · commit e0eb741300f4 · 2026-02-10T09:55:51.000-05:00
diff --git a/detection-rules/attachment_pdf_object_hash_partial_match.yml b/detection-rules/attachment_pdf_object_hash_partial_match.yml
@@ -0,0 +1,19 @@
+name: "Attachment: PDF with specific object hash pattern"
+description: "Detects PDF attachments containing a specific object hash string pattern. This may indicate similar build characteristics or templated features."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_type == "pdf"), 
+      any(file.explode(.),
+          strings.contains(.scan.pdf_obj_hash.hash_string, "Catalog|Pages|Page|Filter|Font/TrueType|FontDescriptor|ExtGState|ExtGState|Font/Type0|None|Font/CIDFontType2|Ordering|FontDescriptor|Font/TrueType|FontDescriptor|Subtype|Subtype|Font/Type0|None|Font/CIDFontType2|Ordering|FontDescriptor|")
+      )   
+  )
+
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "File analysis"
