alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,web.archive.org/web/20210417150956/http://blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp/; classtype:bad-unknown; sid:2014926; rev:4; metadata:affected_product Adobe_Reader, attack_target Client_Endpoint, created_at 2012_06_20, deployment Perimeter, deprecation_reason Age, confidence Low, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_28;)