rule phishing_pdf { meta: author = "James Stanger" last_updated = "2017-09-12" category = "phishing" confidence = "high" threat_type = "phishing exploit" description = "A pdf file that contains a bad link" strings: $pdf_magic = {68 47 77 22} $s_anchor_tag = " 0 and #s_uri < 3)) }