Create attachment_pdf_view_doc.yml (#3889)

Co-authored-by: CI Bot <hello@sublimesecurity.com>

Author: keaton-sublime

detection-rules/attachment_pdf_view_doc.yml

@@ -0,0 +1,24 @@
+name: "Attachment: PDF with suspicious view document characteristics"
+description: "PDF attachment contains suspicious characteristics commonly associated with document viewing lures, as detected by YARA pattern matching."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_type == "pdf"),
+          any(file.explode(.),
+              any(.scan.yara.matches,
+                  .name == "view_document_pdf_characteristics"
+              )
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "PDF"
+  - "Social engineering"
+  - "Evasion"
+detection_methods:
+  - "File analysis"
+  - "YARA"
+id: "8b2ec902-929b-56d2-82ff-869767bb3eff"