sublime-rules
Update attachment_encrypted_pdf_cred_theft.yml
Description
Reduce FPs on messages where the attached PDF is not actually encrypted.
When a PDF is actually encrypted, Strelka is unable to process any "child" nodes for the PDF. In testing, I found that it does produce a 0 byte "text" object, likely the result of the "extract_text" option not accounting for encrypted PDFs.
All "child" nodes, as determined by a depth > 0, of the root PDF object should have 0 bytes. If any do not have 0 bytes, the PDF is not encrypted.
Using `all` allows for matching when there are no "child" nodes:
and all(filter(file.explode(.), .depth > 0), .size == 0)
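As an added illustration (not code from the sublime-rules PR), the Python below models the semantics of that MQL predicate over constructed Strelka explode output; the node shape (`depth`/`size` dicts) is an assumption, and the sample node lists are constructed to mirror the two samples and the no-children case described above.

```python
# Added example: Python model of the MQL predicate
#   all(filter(file.explode(.), .depth > 0), .size == 0)
# Node shape is assumed: each exploded node is a dict with "depth" and "size".


def pdf_is_encrypted(exploded_nodes):
    """Return True when every child node (depth > 0) is 0 bytes.

    `all` over an empty set is True, so a PDF whose explode produced no
    child nodes at all is still treated as encrypted, matching the MQL.
    """
    children = [n for n in exploded_nodes if n["depth"] > 0]
    return all(n["size"] == 0 for n in children)


# Constructed explode output modelling an actually encrypted PDF (Sample 2):
# the root object plus the 0-byte "text" object extract_text still emits.
ENCRYPTED_PDF = [
    {"depth": 0, "flavor": "pdf", "size": 48213},
    {"depth": 1, "flavor": "text", "size": 0},
]

# Constructed explode output modelling a readable PDF (Sample 1, the FP):
# the text child carries real extracted content, so the PDF is not encrypted.
READABLE_PDF = [
    {"depth": 0, "flavor": "pdf", "size": 51002},
    {"depth": 1, "flavor": "text", "size": 1834},
    {"depth": 1, "flavor": "image", "size": 9120},
]

# Constructed case with no child nodes: the filter is empty and `all` is True.
ROOT_ONLY_PDF = [{"depth": 0, "flavor": "pdf", "size": 30000}]


if __name__ == "__main__":
    for name, nodes in (
        ("encrypted", ENCRYPTED_PDF),
        ("readable", READABLE_PDF),
        ("root_only", ROOT_ONLY_PDF),
    ):
        print(f"{name}: encrypted={pdf_is_encrypted(nodes)}")
```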
Associated samples
- Sample 1 - we detected as encrypted but it is readable
- Sample 2 - is actually encrypted and we continue to match
Associated hunts
/mql-mimic-exempt: 816293, 816519
Both examples are benign and the attached PDFs are not encrypted.