The XDP embedded PDF rule detects adversaries embedding malicious PDF files within XDP documents to evade standard file-based detection mechanisms. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential document-based attacks that leverage embedded payloads for persistence or exfiltration.
YARA Rule
rule XDP_embedded_PDF : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        version = "0.1"
        ref = "http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp"
        weight = 1
    strings:
        // XDP wrapper markers that surround an embedded PDF
        $s1 = "<pdf xmlns="
        $s2 = "<chunk>"
        $s3 = "</pdf>"
        // PDF header, either raw or base64-encoded ("%PDF-" encodes to "JVBERi0")
        $header0 = "%PDF"
        $header1 = "JVBERi0"
    condition:
        all of ($s*) and 1 of ($header*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
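As an added worked example (not part of the original rule or this page), the Python below re-implements the rule's condition and then goes one step further for triage: it base64-decodes each <chunk> body and keeps the ones that really are PDFs, so an analyst can pull the embedded document out of the XDP wrapper. The sample XDP document, its namespace URL and the minimal PDF body are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample: a minimal (non-functional) PDF body wrapped in the
# XDP <pdf><chunk> layout that the YARA rule above matches.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
SAMPLE_XDP = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
    b'<pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
    b"<document><chunk>" + base64.b64encode(SAMPLE_PDF) + b"</chunk></document>\n"
    b"</pdf>\n</xdp:xdp>\n"
)

CHUNK_RE = re.compile(rb"<chunk>(.*?)</chunk>", re.DOTALL)


def matches_rule(data: bytes) -> bool:
    """Same logic as the YARA condition: all three XDP markers must be present
    plus at least one PDF header, raw ('%PDF') or base64-encoded ('JVBERi0')."""
    markers = (b"<pdf xmlns=", b"<chunk>", b"</pdf>")
    headers = (b"%PDF", b"JVBERi0")
    return all(m in data for m in markers) and any(h in data for h in headers)


def extract_embedded_pdfs(data: bytes) -> list[bytes]:
    """Decode every <chunk> body and return those that decode to a PDF.
    Whitespace inside the base64 text is tolerated; chunks that are not valid
    base64 are skipped rather than aborting the scan."""
    found = []
    for raw in CHUNK_RE.findall(data):
        try:
            blob = base64.b64decode(b"".join(raw.split()), validate=True)
        except binascii.Error:
            continue
        if blob.startswith(b"%PDF"):
            found.append(blob)
    return found


if __name__ == "__main__":
    print("rule match:", matches_rule(SAMPLE_XDP))
    for pdf in extract_embedded_pdfs(SAMPLE_XDP):
        print("embedded PDF, %d bytes, header %r" % (len(pdf), pdf.split(b"\n")[0]))
```

A plain PDF on its own does not match, because the XDP markers are absent; only the wrapper-plus-header combination fires.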
Scenario: A user is generating a PDF report using Adobe Acrobat Distiller for internal documentation.
Filter/Exclusion: Exclude files created by Adobe Acrobat Distiller using the file.mime_type field with value application/pdf or check the process.name for AcroRd32.exe.
Scenario: A system administrator is using Ghostscript to convert PostScript files to PDF for archival purposes.
Filter/Exclusion: Exclude files generated by Ghostscript using the process.name field with value gswin64.exe or check the file.name for .ps to .pdf conversion patterns.
Scenario: A scheduled job runs to generate PDF exports from a database using a tool like ReportLab or Apache FOP.
Filter/Exclusion: Exclude files generated by scheduled jobs using the process.parent_process.name field with value schtasks.exe or task scheduler and check for known export directories.
Scenario: An IT team is using PDFtk to merge multiple PDFs into a single document for distribution.
Filter/Exclusion: Exclude files created by PDFtk using the process.name field with value pdftk.exe or check the file.name for .pdf files with a merge timestamp.
Scenario: A developer is using a PDF library (e.g., iText or PDFBox) to generate PDFs as part of a CI/CD pipeline.
Filter/Exclusion: Exclude files generated by CI/CD tools using the process.name field with values like java.exe, dotnet.exe, or node.exe, or check the file.path for known build directories.