Low Severity

Spam: Unsolicited malformed PDF

Labels

Spam

Evasion

Description

This rule is designed to identify spam messages featuring a single malformed PDF attachment often leading to romance scam, pornographic, or dating websites. These emails typically contain short body text and intentionally distorted PDFs to avoid detection.

References

No references.

Sublime Security

Created May 23rd, 2024 • Last updated Jul 16th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// body text is very short
and length(body.current_thread.text) < 50

// one attachment
and length(attachments) == 1

// attachment is named a pdf, but mime type doesn't match with high entropy
and any(attachments,
        .file_type == "unknown"
        and strings.ends_with(.file_name, "pdf")
        and any(file.explode(.),
                .flavors.mime in (
                  "application/octet-stream",
                  "application/marc"
                )
                and .scan.entropy.entropy >= 6
        )
)
// a free email address was hyperlinked 
and any(body.links,
        .display_text is null and .href_url.url in $free_email_providers
)

// multiple freemail senders found in recipients.to
and length(filter(recipients.to,
                  .email.domain.root_domain in $free_email_providers
           )
) >= 3

// unsolicited and no false positives or previously flagged
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.