The detection rule identifies files whose PDF header (the %PDF magic bytes) appears at offset 5 to 1024 rather than at offset 0. Acrobat viewers still open such files, and a header pushed away from the start of the file can indicate a malicious or obfuscated PDF-based payload. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential adversarial use of PDF files for initial access or persistence.
YARA Rule
rule header_evasion : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "3.4.1, 'File Header' of Appendix H states that ' Acrobat viewers require only that the header appear somewhere within the first 1024 bytes of the file.' Therefore, if you see this trigger then any other rule looking to match the magic at 0 won't be applicable"
        ref = "http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf"
        version = "0.1"
        weight = 3
    strings:
        $magic = { 25 50 44 46 }
    condition:
        $magic in (5..1024) and #magic == 1
}
This rule contains one string pattern ($magic, the bytes of "%PDF") in its detection logic: it fires when that pattern occurs exactly once in the file and that single occurrence lies within the 5..1024 offset range. The following scenarios describe legitimate activity in which this YARA rule may trigger, each with a suggested filter or exclusion:
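The same condition re-implemented in plain Python, as an added example (not code from the page or from the rule's author), so the logic can be checked on constructed sample files without a YARA engine. It assumes YARA's `in (5..1024)` range is inclusive at both ends; the sample blobs are constructed here and are not real documents.

```python
# Added example: mirrors the header_evasion condition in Python.
MAGIC = b"%PDF"          # same bytes as $magic = { 25 50 44 46 }
LOW, HIGH = 5, 1024      # the "in (5..1024)" range, assumed inclusive

def magic_offsets(data: bytes) -> list:
    """Every offset at which the %PDF magic occurs (what YARA's #magic counts)."""
    offsets, pos = [], data.find(MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(MAGIC, pos + 1)
    return offsets

def header_evasion(data: bytes) -> bool:
    """True when exactly one %PDF magic exists and it sits at offset 5..1024."""
    offsets = magic_offsets(data)
    # '#magic == 1' together with '$magic in (5..1024)' means the single
    # occurrence itself must fall inside the range.
    return len(offsets) == 1 and LOW <= offsets[0] <= HIGH

def explain(data: bytes) -> str:
    """Human-readable verdict for a triage note."""
    offsets = magic_offsets(data)
    if not offsets:
        return "no PDF magic: rule does not fire"
    if offsets[0] == 0:
        return "PDF magic at offset 0: ordinary header, rule does not fire"
    if header_evasion(data):
        return f"PDF magic at offset {offsets[0]}: header pushed into the file, rule fires"
    return f"{len(offsets)} magic occurrence(s), first at {offsets[0]}: rule does not fire"

# Constructed samples (not real files); a tiny trailer keeps them PDF-shaped.
TAIL = b"\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
NORMAL_PDF = b"%PDF-1.7" + TAIL                               # header at 0
SHIFTED_PDF = b"\x00" * 200 + b"%PDF-1.4" + TAIL              # junk before header
TOO_DEEP_PDF = b"A" * 1500 + b"%PDF-1.4" + TAIL               # past the 1024 window
DOUBLE_PDF = b"\x00" * 40 + b"%PDF-1.4" + TAIL + b"%PDF-1.4"  # two magics

if __name__ == "__main__":
    for name, blob in [("normal", NORMAL_PDF), ("shifted", SHIFTED_PDF),
                       ("too_deep", TOO_DEEP_PDF), ("double", DOUBLE_PDF)]:
        print(f"{name:9s} -> {explain(blob)}")
```

Only the shifted sample fires; the normal header, the header beyond 1024 bytes, and the file with two magics all fall through, matching the rule's `#magic == 1` requirement.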
Scenario: A legitimate PDF file is being uploaded to a file server by an employee using Adobe Acrobat Reader.
Filter/Exclusion: Exclude files with the .pdf extension or files created by Adobe Acrobat Reader (check for Adobe in the file metadata or process name).
Scenario: A scheduled backup job is running and copying PDF files from a shared folder to a backup drive.
Filter/Exclusion: Exclude files that match the backup job’s source and destination paths, or filter based on the file system event type (e.g., FileCopy).
Scenario: A system update or patching tool (e.g., Microsoft Update, Ansible, or Chef) is transferring PDF documentation as part of the update package.
Filter/Exclusion: Exclude files that are part of known update packages or filter based on the source IP or process name of the update tool.
Scenario: A log file or configuration file with a PDF-like header is being generated by a legitimate application (e.g., Apache PDFBox, Ghostscript, or LibreOffice).
Filter/Exclusion: Exclude files that match known log or config file patterns, or filter based on the application name or process owner.
Scenario: A user is manually printing a document to a PDF printer (e.g., Adobe PDF Printer, Microsoft Print to PDF) to save a report.
Filter/Exclusion: Exclude files created by known PDF printers (check for Adobe PDF Printer or Microsoft Print to PDF in the process name or file metadata).