alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Potential Malicious PDF (EmbeddedFiles) improper case"; flow:from_server,established; content:"|0d 0a 0d 0a|%PDF"; content:"/EmbeddedFiles"; within:128; nocase; content:!"/EmbeddedFiles"; distance:-14; within:14; reference:url,blog.didierstevens.com/2009/07/01/embedding-and-hiding-files-in-pdf-documents/; classtype:misc-activity; sid:2014575; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_16, deployment Perimeter, confidence High, signature_severity Minor, updated_at 2023_04_20;)