Medium Severity
Attachment: PDF with link to DMG file download
Description
This rule identifies PDF attachments that either link directly to a DMG file, link to a ZIP archive containing a DMG file, or link to an encrypted ZIP containing a DMG file. This technique has been observed delivering MetaStealer Malware.
References
Sublime Security
Created Sep 13th, 2023 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and any(attachments,
.file_type == "pdf"
and any(file.explode(.),
any(.scan.url.urls,
// url links to dmg or zip
(
strings.iends_with(.url, ".dmg") or strings.iends_with(.url, "zip")
)
// and downloads a dmg or a zip
and any(ml.link_analysis(.).files_downloaded,
(
.file_extension == "dmg"
or (
.file_extension in~ $file_extensions_common_archives
// and the zip contains a dmg file
and any(file.explode(.),
(.file_extension =~ "dmg")
// exif inspection if encrypted
or strings.ends_with(.scan.exiftool.zip_file_name, ".dmg")
)
)
)
)
)
)
)
and (
profile.by_sender().prevalence in ("new", "outlier")
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
Playground
Test against your own EMLs or sample data.