Description
The PDF attachment was created with a Python-based script. The PDF attachment also contains one or more links. These techniques were used by PikaBot, among others.
type.inbound
// and profile.by_sender().prevalence in ("new", "outlier")
and any(attachments,
        .file_extension == "pdf"
        and any(file.explode(.),
                any(.scan.strings.strings,
                    // tools that create the raw PDF from code
                    strings.ilike(., "*ReportLab*", "*pypdf*", "*pypdf2", "*pikepdf*", "*PyMuPDF*", "*IronPDF*")
                    // tools that create an intermediate format and convert it to PDF
                    or strings.ilike(., "*pdfkit*", "*xhtml2pdf*", "*pdflatex*")
                    // image to PDF
                    or strings.ilike(., "*img2pdf*", "*sphinxcontrib-svg2pdfconverter*")
                )
        )
        // the PDF contains one or more links
        and any(file.explode(.),
                length(.scan.url.urls) > 0
        )
)
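The same two conditions (a script-library marker plus at least one link) can be checked offline when triaging a quarantined PDF. The sketch below is an added example, not part of the rule or of the vendor's tooling; it approximates file.explode by scanning the raw bytes and any Flate-compressed streams, and the function names and sample byte strings are constructed for illustration.

```python
import re
import zlib

# Library markers from the rule above, matched case-insensitively like strings.ilike.
GENERATOR_MARKERS = [
    "ReportLab", "pypdf", "pikepdf", "PyMuPDF", "IronPDF",
    "pdfkit", "xhtml2pdf", "pdflatex",
    "img2pdf", "sphinxcontrib-svg2pdfconverter",
]
URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+", re.I)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def expand(pdf: bytes) -> bytes:
    """Return the raw bytes plus every stream that inflates as Flate data."""
    parts = [pdf]
    for body in STREAM_RE.findall(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            pass  # not Flate data (image, other filter); skip it
    return b"\n".join(parts)


def triage(pdf: bytes) -> dict:
    """Report generator markers and URLs; match only when both are present."""
    data = expand(pdf)
    lowered = data.lower()
    markers = [m for m in GENERATOR_MARKERS if m.lower().encode() in lowered]
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(data)})
    return {"markers": markers, "urls": urls, "match": bool(markers and urls)}


def make_sample(producer: bytes, annotation: bytes) -> bytes:
    """Build a constructed, minimal PDF-like byte string (not a real sample)."""
    stream = zlib.compress(annotation)
    return (b"%PDF-1.4\n1 0 obj\n<< /Producer (" + producer + b") >>\nendobj\n"
            b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(stream)).encode()
            + b" >>\nstream\n" + stream + b"\nendstream\nendobj\n%%EOF\n")


# Constructed inputs: link hidden in a compressed stream, no link, no marker.
SCRIPTED_WITH_LINK = make_sample(b"ReportLab PDF Library",
                                 b"<< /S /URI /URI (https://example.com/doc) >>")
SCRIPTED_NO_LINK = make_sample(b"pikepdf 8.0", b"<< /Type /Page >>")
OFFICE_WITH_LINK = make_sample(b"Constructed Office Exporter",
                               b"<< /S /URI /URI (https://example.com/doc) >>")
```

A producer string alone is a weak signal, since many legitimate invoicing and reporting systems use the same libraries; the commented-out sender-prevalence condition in the rule is one way to narrow it.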