diff --git a/detection-rules/attachment_pdf_embedded_js.yml b/detection-rules/attachment_pdf_embedded_js.yml
new file mode 100644
index 00000000000..48c3cf91077
--- /dev/null
+++ b/detection-rules/attachment_pdf_embedded_js.yml
@@ -0,0 +1,23 @@
+name: "Attachment: PDF with embedded Javascript"
+description: |
+ PDF contains embedded Javascript.
+references:
+ - "https://delivr.to/payloads?id=f1a0c398-995c-4ea3-9404-0b7b27792e8d"
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(attachments,
+ .file_extension == "pdf"
+ and any(file.explode(.),
+ (
+ (any(.scan.strings.strings, strings.icontains(., '/JavaScript')))
+ and (any(.scan.strings.strings, strings.icontains(., '/JS (')))
+ )
+ )
+ )
+tags:
+ - "Suspicious attachment"
+id: "d4cde94f-d9e5-527a-9192-da09f3d21275"
+testing_pr: 646
+testing_sha: 3090dfbedc67289ec5ae72a2e621a727874e8620
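Review bot: The second string match in `source`, `strings.icontains(., '/JS (')`, only fires when the script body is written as an inline literal string; the PDF spec also allows the `/JS` value to be an indirect object reference to a stream, so a PDF whose JavaScript lives in a stream object satisfies the `/JavaScript` check but not this one and the rule stays silent. Matching the name token on its own, `and (any(.scan.strings.strings, strings.icontains(., '/JS')))`, keeps the intent (both the action type and its payload key present) without depending on the inline form; `/JS` does not overlap with `/JavaScript` under a case-insensitive contains, though it is worth confirming against the delivr.to sample in `references` that the exploded strings still carry the token. Separately, `.file_extension == "pdf"` is case-sensitive, so an attachment named with `.PDF` is skipped; `.file_extension =~ "pdf"` would cover that. The indentation inside the `source` block scalar appears flattened in this copy of the patch, so I have not commented on the expression's layout.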