Detection rules › Sublime MQL
Spam: Unsolicited malformed PDF
This rule is designed to identify spam messages featuring a single malformed PDF attachment that typically leads to romance scam, pornographic, or dating websites. These emails usually contain very short body text and intentionally distorted PDFs that evade file-type detection.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Spam |
| Tactics and techniques | Evasion, Free email provider, PDF |
Event coverage
Rule body MQL
```mql
type.inbound
// body text is very short
and length(body.current_thread.text) < 50
// one attachment
and length(attachments) == 1
// attachment is named a pdf, but mime type doesn't match with high entropy
and any(attachments,
        .file_type == "unknown"
        and strings.ends_with(.file_name, "pdf")
        and any(file.explode(.),
                .flavors.mime in (
                  "application/octet-stream",
                  "application/marc"
                )
                and .scan.entropy.entropy >= 6
        )
)
// a free email address was hyperlinked
and any(body.links,
        .display_text is null and .href_url.url in $free_email_providers
)
// multiple freemail senders found in recipients.to
and length(filter(recipients.to,
                  .email.domain.root_domain in $free_email_providers
       )
) >= 3
// unsolicited and no false positives or previously flagged
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign
```
Detection logic
Scope: inbound message.
- inbound message
- length(body.current_thread.text) < 50
- length(attachments) is 1
- any of attachments where all hold:
  - .file_type is 'unknown'
  - .file_name ends with 'pdf'
  - any of file.explode(.) where all hold:
    - .flavors.mime in ('application/octet-stream', 'application/marc')
    - .scan.entropy.entropy ≥ 6
- any of body.links where all hold:
  - .display_text is missing
  - .href_url.url in $free_email_providers
- length(filter(recipients.to, .email.domain.root_domain in $free_email_providers)) ≥ 3
- any of:
  - profile.by_sender().prevalence in ('new', 'outlier')
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not: profile.by_sender().any_messages_benign
- not: profile.by_sender().any_messages_benign
Inspects: attachments[].file_name, attachments[].file_type, body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.url, recipients.to, recipients.to[].email.domain.root_domain, type.inbound. Sensors: file.explode, profile.by_sender, strings.ends_with. Reference lists: $free_email_providers.
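The following Python is an added illustration, not part of the Sublime rule or its documentation: it reproduces the rule body and the detection-logic tree above as plain functions over a constructed message, so each condition can be exercised offline. It uses stand-ins that are assumptions rather than Sublime APIs: a hypothetical `FREE_EMAIL_PROVIDERS` set in place of the `$free_email_providers` reference list, a minimal magic-byte sniffer in place of `file.explode` (any attachment not beginning with `%PDF-` is treated as the rule's 'unknown' file type with a generic MIME flavor), a `mailto:` address as the hyperlink form that the `.href_url.url in $free_email_providers` clause matches, and a `Message` record carrying the three sender-profile values the rule reads from `profile.by_sender()`.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

# Stand-in for Sublime's $free_email_providers reference list (constructed subset).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# A well-formed PDF begins with this header; anything else is treated here as
# file_type "unknown" with a generic MIME flavor (approximation of file.explode).
PDF_MAGIC = b"%PDF-"


@dataclass
class Attachment:
    file_name: str
    content: bytes


@dataclass
class Link:
    href_url: str
    display_text: Optional[str] = None  # None models MQL's `is null`


@dataclass
class Message:
    inbound: bool
    body_text: str
    attachments: List[Attachment]
    links: List[Link]
    to_addresses: List[str]
    sender_prevalence: str              # profile.by_sender().prevalence
    sender_any_malicious_or_spam: bool  # profile.by_sender().any_messages_malicious_or_spam
    sender_any_benign: bool             # profile.by_sender().any_messages_benign


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); analog of .scan.entropy.entropy."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def sniff_file_type(data: bytes) -> str:
    """Magic-byte sniffer: 'pdf' for a real PDF header, otherwise 'unknown'."""
    return "pdf" if data.startswith(PDF_MAGIC) else "unknown"


def root_domain(address: str) -> str:
    """Lower-cased domain of an address (stand-in for .email.domain.root_domain)."""
    return address.rsplit("@", 1)[-1].lower()


def is_malformed_pdf(att: Attachment) -> bool:
    """Named .pdf, no recognised file type, and high-entropy content."""
    return (sniff_file_type(att.content) == "unknown"
            and att.file_name.lower().endswith("pdf")
            and shannon_entropy(att.content) >= 6)


def is_bare_freemail_link(link: Link) -> bool:
    """Hyperlink with no display text whose target is a free-mail address (assumed mailto:)."""
    target = link.href_url.lower()
    if target.startswith("mailto:"):
        target = target[len("mailto:"):]
    return (link.display_text is None
            and "@" in target
            and root_domain(target) in FREE_EMAIL_PROVIDERS)


def is_unsolicited_sender(msg: Message) -> bool:
    """Sender-profile clause, including the rule's trailing `not any_messages_benign`."""
    return ((msg.sender_prevalence in ("new", "outlier")
             or (msg.sender_any_malicious_or_spam and not msg.sender_any_benign))
            and not msg.sender_any_benign)


def matches_rule(msg: Message) -> bool:
    """True when every top-level condition of the rule holds."""
    freemail_recipients = sum(root_domain(r) in FREE_EMAIL_PROVIDERS for r in msg.to_addresses)
    return (msg.inbound
            and len(msg.body_text) < 50
            and len(msg.attachments) == 1
            and any(is_malformed_pdf(a) for a in msg.attachments)
            and any(is_bare_freemail_link(l) for l in msg.links)
            and freemail_recipients >= 3
            and is_unsolicited_sender(msg))


# Constructed samples. The "malformed PDF" is 1 KiB covering every byte value
# equally: exactly 8 bits/byte of entropy and no PDF header.
SPAM_SAMPLE = Message(
    inbound=True, body_text="hi, see attached",
    attachments=[Attachment("invite.pdf", bytes(range(256)) * 4)],
    links=[Link("mailto:someone@gmail.com")],
    to_addresses=["a@gmail.com", "b@yahoo.com", "c@hotmail.com", "d@example.org"],
    sender_prevalence="new", sender_any_malicious_or_spam=False, sender_any_benign=False,
)
BENIGN_SAMPLE = Message(
    inbound=True, body_text="Please find the signed contract attached.",
    attachments=[Attachment("contract.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")],
    links=[], to_addresses=["legal@example.org"],
    sender_prevalence="common", sender_any_malicious_or_spam=False, sender_any_benign=True,
)

if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(f"{name}: matches={matches_rule(sample)}")
```

The entropy threshold is the part worth tuning against your own corpus: a genuinely compressed or encrypted PDF stream also scores high, which is why the rule only fires when the file type is unknown, the body is nearly empty, and the sender has no benign history, rather than on entropy alone.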
Indicators matched (4)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | unknown |
| strings.ends_with | suffix | pdf |
| file.explode(attachments[])[].flavors.mime | member | application/octet-stream |
| file.explode(attachments[])[].flavors.mime | member | application/marc |