diff --git a/detection-rules/attachment_pdf_base64_javascript_eval.yml b/detection-rules/attachment_pdf_base64_javascript_eval.yml
new file mode 100644
index 00000000000..56b8927169d
--- /dev/null
+++ b/detection-rules/attachment_pdf_base64_javascript_eval.yml
@@ -0,0 +1,24 @@
+name: "Attachment: PDF with base64 JavaScript and eval functions"
+description: "PDF attachment contains base64-encoded JavaScript variables with eval functions, indicating potential code obfuscation and execution techniques commonly used in malicious documents."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(filter(attachments, .file_type == "pdf"),
+ any(file.explode(.),
+ .depth == 0
+ and any(.scan.yara.matches,
+ .name in ("pdf_b64_js_var_eval", "pdf_acro_js_functions", )
+ )
+ )
+ )
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "File analysis"
+ - "Javascript analysis"
+ - "YARA"
+id: "1b1b9c12-5473-546e-ae4e-038e372a02a8"
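Review bot: The `.name in ("pdf_b64_js_var_eval", "pdf_acro_js_functions", )` clause fires on either YARA match alone, while the `description` claims the attachment contains base64-encoded JavaScript variables *with* eval functions, so a PDF that only hits `pdf_acro_js_functions` would alert under a description it does not satisfy. Either the description should be widened to cover the second signature, or, if both conditions are genuinely required, the `any(...)` over `.scan.yara.matches` should be replaced by two `any` checks (or an `all`-style condition) combined with `and`; which one is intended is not visible from the hunk. Note also that `.depth == 0` limits the check to the top-level attachment, so a PDF nested inside an archive will not be scanned by this rule, which is worth stating in the description if it is deliberate. As a style nit, drop the trailing comma: `.name in ("pdf_b64_js_var_eval", "pdf_acro_js_functions")`.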