From 9b0e32e956e57eb68b2a079b09199398aeb3d16f Mon Sep 17 00:00:00 2001
From: keaton-sublime
Date: Wed, 15 Apr 2026 16:30:40 -0400
Subject: [PATCH 1/2] Create attachment_pdf_base64_javascript_eval.yml

---
 .../attachment_pdf_base64_javascript_eval.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 detection-rules/attachment_pdf_base64_javascript_eval.yml

diff --git a/detection-rules/attachment_pdf_base64_javascript_eval.yml b/detection-rules/attachment_pdf_base64_javascript_eval.yml
new file mode 100644
index 00000000000..6f8a15568a0
--- /dev/null
+++ b/detection-rules/attachment_pdf_base64_javascript_eval.yml
@@ -0,0 +1,27 @@
+name: "Attachment: PDF with base64 JavaScript and eval functions"
+description: "PDF attachment contains base64-encoded JavaScript variables with eval functions, indicating potential code obfuscation and execution techniques commonly used in malicious documents."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(filter(attachments, .file_type == "pdf"),
+ any(file.explode(.),
+ .depth == 0
+ and any(.scan.yara.matches,
+ .name in (
+ "pdf_b64_js_var_eval",
+ "pdf_acro_js_functions",
+ )
+ )
+ )
+ )
+
+attack_types:
+ - "Malware/Ransomware"
+tactics_and_techniques:
+ - "Evasion"
+ - "PDF"
+detection_methods:
+ - "File analysis"
+ - "Javascript analysis"
+ - "YARA"

From ddd53df04a890b7d32f95b1cfaecb514fcfcee8f Mon Sep 17 00:00:00 2001
From: CI Bot
Date: Wed, 15 Apr 2026 20:32:02 +0000
Subject: [PATCH 2/2] Auto-format MQL and add rule IDs

---
 detection-rules/attachment_pdf_base64_javascript_eval.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/detection-rules/attachment_pdf_base64_javascript_eval.yml b/detection-rules/attachment_pdf_base64_javascript_eval.yml
index 6f8a15568a0..56b8927169d 100644
--- a/detection-rules/attachment_pdf_base64_javascript_eval.yml
+++ b/detection-rules/attachment_pdf_base64_javascript_eval.yml
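Review bot: The `description` promises base64-encoded JavaScript combined with eval, but the condition `any(.scan.yara.matches, .name in ("pdf_b64_js_var_eval", "pdf_acro_js_functions"))` in the new rule is satisfied by a single match on either name, so a PDF that only hits `pdf_acro_js_functions` (which, judging by its name, looks for ordinary AcroForm JavaScript functions) would raise an alert labelled as an obfuscation/eval finding. If both signals are meant to be present, express that as two conjoined clauses, `and any(.scan.yara.matches, .name == "pdf_b64_js_var_eval")` `and any(.scan.yara.matches, .name == "pdf_acro_js_functions")`; if either alone is intended, the description should say so, since a "medium" severity alert whose text overstates what fired misleads triage. Either way, a short sentence in `description` stating what each of the two YARA rules detects would let a maintainer judge the false-positive profile without opening the YARA sources. I cannot see the YARA rule definitions from this patch, so the reading of `pdf_acro_js_functions` above should be confirmed against them.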
@@ -8,14 +8,10 @@ source: |
 any(file.explode(.),
 .depth == 0
 and any(.scan.yara.matches,
- .name in (
- "pdf_b64_js_var_eval",
- "pdf_acro_js_functions",
- )
+ .name in ("pdf_b64_js_var_eval", "pdf_acro_js_functions", )
 )
 )
 )
-
 attack_types:
 - "Malware/Ransomware"
 tactics_and_techniques:
@@ -25,3 +21,4 @@ detection_methods:
 - "File analysis"
 - "Javascript analysis"
 - "YARA"
+id: "1b1b9c12-5473-546e-ae4e-038e372a02a8"