[Test Rules] [PR #4355] added rule: Attachment: PDF with base64 JavaScript and eval functions

github-actions[bot] · github-actions[bot] · commit 44619ce19ac1 · 2026-04-23T21:26:22.000Z
diff --git a/detection-rules/4355_attachment_pdf_base64_javascript_eval.yml b/detection-rules/4355_attachment_pdf_base64_javascript_eval.yml
@@ -0,0 +1,27 @@
+name: "Attachment: PDF with base64 JavaScript and eval functions"
+description: "PDF attachment contains base64-encoded JavaScript variables with eval functions, indicating potential code obfuscation and execution techniques commonly used in malicious documents."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_type == "pdf"),
+          any(file.explode(.),
+              .depth == 0
+              and any(.scan.yara.matches,
+                      .name in ("pdf_b64_js_var_eval", "pdf_acro_js_functions", )
+              )
+          )
+  )
+attack_types:
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "PDF"
+detection_methods:
+  - "File analysis"
+  - "Javascript analysis"
+  - "YARA"
+id: "9919f39e-6e3f-5508-b383-a787214953e6"
+og_id: "1b1b9c12-5473-546e-ae4e-038e372a02a8"
+testing_pr: 4355
+testing_sha: ddd53df04a890b7d32f95b1cfaecb514fcfcee8f
