This detection flags potential use of outdated or unsupported XObject usage in PDF files, which may indicate legacy or malicious content attempting to exploit known vulnerabilities. SOC teams should proactively hunt for this behavior to identify and mitigate attack vectors that could leverage outdated dependencies in their Azure Sentinel environment.
YARA Rule
rule invalid_XObject_js : PDF raw
{
    meta:
        author = "Glenn Edwards (@hiddenillusion)"
        description = "XObject's require v1.4+"
        ref = "https://blogs.adobe.com/ReferenceXObjects/"
        version = "0.1"
        weight = 2
    strings:
        $magic = { 25 50 44 46 }        // "%PDF" file signature
        $ver = /%PDF-1\.[4-9]/          // header declaring PDF version 1.4 through 1.9
        $attrib0 = /\/XObject/          // XObject reference
        $attrib1 = /\/JavaScript/       // embedded JavaScript action
    condition:
        // signature within the first 1 KiB, no 1.4+ version declared in the header,
        // yet both the XObject and JavaScript markers are present
        $magic in (0..1024) and not $ver and all of ($attrib*)
}
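To see exactly what the condition above accepts and rejects, here is an added example (not the rule author's code and not part of the original page): a pure-Python re-implementation of the four strings and the condition, exercised against constructed PDF-like byte strings. It assumes no YARA engine is installed, so the `in (0..1024)` offset window and the `not $ver` negation are mirrored by hand; the sample bodies, names and the `evaluate`/`matches` helpers are all constructed for this illustration.

```python
import re

# Reference re-implementation of invalid_XObject_js (added example, not the rule's own code).
MAGIC = b"\x25\x50\x44\x46"                        # $magic: "%PDF"
VER_RE = re.compile(rb"%PDF-1\.[4-9]")              # $ver
ATTRIB_RES = {
    "attrib0": re.compile(rb"/XObject"),            # $attrib0
    "attrib1": re.compile(rb"/JavaScript"),         # $attrib1
}
MAGIC_WINDOW = (0, 1024)                            # `$magic in (0..1024)`


def magic_in_window(data: bytes, lo: int = 0, hi: int = 1024) -> bool:
    """`$magic in (lo..hi)`: some occurrence of the signature must START at an
    offset between lo and hi inclusive; occurrences beyond hi do not count."""
    idx = data.find(MAGIC)
    while idx != -1 and idx <= hi:
        if idx >= lo:
            return True
        idx = data.find(MAGIC, idx + 1)
    return False


def evaluate(data: bytes) -> dict:
    """Return each sub-condition plus the overall verdict for one file body,
    which is handy when triaging why a sample did or did not fire."""
    result = {
        "magic": magic_in_window(data, *MAGIC_WINDOW),
        "ver": VER_RE.search(data) is not None,
        "attrib0": ATTRIB_RES["attrib0"].search(data) is not None,
        "attrib1": ATTRIB_RES["attrib1"].search(data) is not None,
    }
    # Mirrors: $magic in (0..1024) and not $ver and all of ($attrib*)
    result["match"] = (result["magic"] and not result["ver"]
                       and result["attrib0"] and result["attrib1"])
    return result


def matches(data: bytes) -> bool:
    return evaluate(data)["match"]


# Constructed samples (not real documents): minimal PDF-like bodies that differ
# only in the details the rule keys on.
_BODY_XOBJ_JS = (b"1 0 obj << /Type /XObject /Subtype /Form >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n")
_BODY_XOBJ_ONLY = b"1 0 obj << /Type /XObject /Subtype /Image >> endobj\n%%EOF\n"

SAMPLE_OLD_HEADER_JS = b"%PDF-1.3\n" + _BODY_XOBJ_JS       # claims 1.3 yet uses XObject + JavaScript: hit
SAMPLE_MODERN_HEADER = b"%PDF-1.7\n" + _BODY_XOBJ_JS       # header declares 1.7, so $ver matches: no hit
SAMPLE_NO_JS = b"%PDF-1.3\n" + _BODY_XOBJ_ONLY             # no /JavaScript marker: no hit
SAMPLE_LATE_MAGIC = b"\x00" * 2048 + SAMPLE_OLD_HEADER_JS  # signature only after byte 1024: no hit
SAMPLE_NOT_PDF = b"MZ\x90\x00 /XObject /JavaScript"        # no %PDF signature at all: no hit

if __name__ == "__main__":
    samples = [
        ("old_header_js", SAMPLE_OLD_HEADER_JS),
        ("modern_header", SAMPLE_MODERN_HEADER),
        ("no_js", SAMPLE_NO_JS),
        ("late_magic", SAMPLE_LATE_MAGIC),
        ("not_pdf", SAMPLE_NOT_PDF),
    ]
    for name, blob in samples:
        print(f"{name:15} -> {evaluate(blob)}")
```

Two points the walkthrough makes visible: the rule is a consistency check, not a general JavaScript-in-PDF detector, since a file whose header already declares 1.4 or later is out of scope by design; and the offset window is inclusive, so a signature starting exactly at byte 1024 still satisfies `$magic in (0..1024)`.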
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: A system update or patching tool (e.g., Microsoft Update, Windows Server Update Services) installs a package that includes an XObject requiring v1.4+.
Filter/Exclusion: Check for known update tools or system update processes using process name or parent process context.
Scenario: A scheduled job (e.g., PowerShell script, Task Scheduler task) runs to generate or process PDFs using a tool like Ghostscript or Adobe Acrobat, which may include XObject v1.4+ usage.
Filter/Exclusion: Exclude tasks associated with known scheduled jobs or scripts using the task name or command line arguments.
Scenario: An administrator uses a tool like pdftk or Ghostscript to manipulate PDFs, which may trigger XObject v1.4+ usage during conversion or merging.
Filter/Exclusion: Exclude processes related to PDF manipulation tools using the process name or command line.
Scenario: A log management tool (e.g., Splunk, ELK Stack) processes logs and generates PDF reports, which may include XObject v1.4+ content.
Filter/Exclusion: Exclude processes related to log management or reporting tools using the process name or parent process.
Scenario: A backup or archive tool (e.g., Veeam, Acronis) generates or processes PDF documentation during backup operations, which may include XObject v1.4+ usage.
Filter/Exclusion: Exclude processes associated with backup or archive tools using the process name or command line.