rule phishing_pdf {

meta:
  author = "James Stanger"
  last_updated = "2017-09-12"
  category = "phishing"
  confidence = "high"
  threat_type = "phishing exploit"
  description = "A pdf file that contains a bad link"

strings:
  $pdf_magic = {68 47 77 22}
  $s_anchor_tag = "<a " ascii"
  $s_uri = /\(http.+\)/ ascii"

condition:
  $pdf_magic at 0 and (#s_anchor_tag == 1 or (#s_uri > 0 and #s_uri < 3))
}