When trying to build SpamAssassin rules to detect a new kind of spam, it's always useful to have several copies of the spam so you can check which parts never change.
In the case of the pdf/zip/doc/xls/etc. spam, even though the spammer did a lot of work to try to make it undetectable, he forgot something: the boundary line of the Content-Type header is always built the same way and isn't common at all:

------------ followed by a random 24-character alphanumeric string.

I've searched my INBOX (more than 50 000 messages) and this boundary pattern only matches the spam.

From this, we can build our first SA rule:

full __UN_KNOWN_BOUND /boundary="------------\d{24}"/

Now, it's safer to make sure it's really spam by adding some attachment detection:

full __UN_PDF_ATTACH /application\/pdf/i
full __UN_OCTSTREAM_ATTACH /application\/octet-stream/i
full __UN_WORD_ATTACH /application\/vnd\.ms-word/i
full __UN_EXCEL_ATTACH /application\/vnd\.ms-excel/i


Then you can build a meta rule that will match our spams:

meta UN_ATTACH_SPAM __UN_KNOWN_BOUND && (__UN_PDF_ATTACH || __UN_OCTSTREAM_ATTACH || __UN_WORD_ATTACH || __UN_EXCEL_ATTACH)
score UN_ATTACH_SPAM 10
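
Before giving a rule a score of 10, it helps to dry-run its logic against messages whose verdict you already know. The following is an added example, not the author's code: a Python transcription of the rules above (literal dots escaped), run over three constructed messages. The names make_msg, SAMPLES and scan are hypothetical, and the sample mail is built inline rather than taken from real traffic.

```python
import re

# The page's rules as Python regexes. SpamAssassin "full" rules run against the
# raw message (headers plus MIME body), so matching is done on raw text here too.
RULES = {
    "__UN_KNOWN_BOUND": re.compile(r'boundary="-{12}\d{24}"'),  # 12 dashes + 24 digits
    "__UN_PDF_ATTACH": re.compile(r"application/pdf", re.I),
    "__UN_OCTSTREAM_ATTACH": re.compile(r"application/octet-stream", re.I),
    "__UN_WORD_ATTACH": re.compile(r"application/vnd\.ms-word", re.I),
    "__UN_EXCEL_ATTACH": re.compile(r"application/vnd\.ms-excel", re.I),
}
ATTACH = [name for name in RULES if name.endswith("_ATTACH")]

def sub_rule_hits(raw):
    """Return the set of sub-rule names whose pattern occurs in the raw message."""
    return {name for name, rx in RULES.items() if rx.search(raw)}

def un_attach_spam(raw):
    """Evaluate the meta rule: boundary AND (any listed attachment type)."""
    hits = sub_rule_hits(raw)
    return "__UN_KNOWN_BOUND" in hits and any(a in hits for a in ATTACH)

def make_msg(boundary, part_type):
    """Build a constructed two-part MIME message (sample data, not real mail)."""
    return (
        "From: sender@example.com\r\nSubject: test\r\nMIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n\r\n'
        f"--{boundary}\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        f"--{boundary}\r\nContent-Type: {part_type}; name=file\r\n\r\nAAAA\r\n"
        f"--{boundary}--\r\n"
    )

DIGIT_BOUNDARY = "-" * 12 + "060708090102030405060708"  # constructed value
SAMPLES = {
    "spam_like": make_msg(DIGIT_BOUNDARY, "application/pdf"),
    "legit_pdf": make_msg("=_NextPart_000_01A2", "application/pdf"),
    "same_boundary_no_attach": make_msg(DIGIT_BOUNDARY, "text/html"),
}

def scan(samples):
    """Map each sample name to (meta verdict, sorted sub-rule hits)."""
    return {k: (un_attach_spam(v), sorted(sub_rule_hits(v))) for k, v in samples.items()}

if __name__ == "__main__":
    for name, (verdict, hits) in scan(SAMPLES).items():
        print(f"{name:26} UN_ATTACH_SPAM={verdict} hits={hits}")
```

Only the first sample fires the meta rule; the other two each hit a single sub-rule, which is the case the boundary-plus-attachment combination is meant to keep out of the score.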