Tactic or Technique: PDF

Attackers use PDF files to deliver malicious content in a format that most people see as safe. These files often appear to be invoices, contracts, or notifications and can include embedded JavaScript, links, or QR codes that lead to phishing sites or malware downloads.
One common example is a fake DocuSign PDF that asks you to scan a QR code or click a link to view a document. The moment you interact, you're taken to a phishing site designed to steal your credentials or deliver malware.
Because PDFs are trusted and can be difficult to inspect, they give attackers a way to hide dangerous content behind a familiar format. That trust, combined with limited scanning by some security tools, gives malicious PDFs a clear path into inboxes and environments.
Detection Methods (11):
Exif analysis
File analysis
Optical Character Recognition
Sender analysis
Content analysis
Header analysis
Natural Language Understanding
URL analysis
Computer Vision
QR code analysis
HTML analysis

Rule Name & Severity | Last Updated | Author | Types, Tactics & Capabilities

Attachment: Callback Phishing solicitation via pdf file
Last Updated: 9h ago (Jun 18th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Callback Phishing, Evasion, Free email provider, Out of band pivot, PDF, Social engineering, Exif analysis, File analysis, Optical Character Recognition, Sender analysis
/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097

Attachment: Suspicious PDF Created With Headless Browser
Last Updated: 9d ago (Jun 9th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, PDF, Content analysis, Exif analysis, File analysis, Optical Character Recognition
/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7

Attachment: Legal Themed Message with PDF Containing Suspicious Link
Last Updated: 12d ago (Jun 6th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, PDF, Social engineering, Content analysis, File analysis, Header analysis, Natural Language Understanding, URL analysis
/feeds/core/detection-rules/attachment-legal-themed-message-with-pdf-containing-suspicious-link-19133301

Brand impersonation: Microsoft (QR code)
Last Updated: 16d ago (Jun 2nd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Impersonation: Brand, PDF, QR code, Social engineering, Computer Vision, Header analysis, QR code analysis, Sender analysis
/feeds/core/detection-rules/brand-impersonation-microsoft-qr-code-ed0f772a

Suspicious attachment with unscannable Cloudflare link
Last Updated: 16d ago (Jun 2nd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, PDF, Social engineering, Impersonation: Employee, Impersonation: VIP, File analysis, URL analysis, Sender analysis, Content analysis, Header analysis, Natural Language Understanding
/feeds/core/detection-rules/suspicious-attachment-with-unscannable-cloudflare-link-00f92b6f

Attachment: USDA Bid Invitation Impersonation
Last Updated: 26d ago (May 23rd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: BEC/Fraud, Impersonation: Brand, PDF, Macros, Social engineering, Content analysis, File analysis, Header analysis, Natural Language Understanding, Optical Character Recognition, Sender analysis
/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493

Attachment: Fake Voicemail via PDF
Last Updated: 1mo ago (Apr 30th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, PDF, QR code, Social engineering, Computer Vision, Content analysis, File analysis, Optical Character Recognition, QR code analysis, URL analysis
/feeds/core/detection-rules/attachment-fake-voicemail-via-pdf-d3587209

Suspicious SharePoint File Sharing
Last Updated: 2mo ago (Apr 11th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Free email provider, Free file host, OneNote, PDF, Content analysis, Header analysis, Sender analysis, URL analysis
/feeds/core/detection-rules/suspicious-sharepoint-file-sharing-971c3d9c

Attachment: Suspicious Employee Policy Update Document Lure
Last Updated: 2mo ago (Mar 31st, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, PDF, Social engineering, Evasion, Content analysis, File analysis, Sender analysis
/feeds/core/detection-rules/attachment-suspicious-employee-policy-update-document-lure-a8bf1fd1

Brand impersonation: Adobe (QR code)
Last Updated: 2mo ago (Mar 27th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Impersonation: Brand, PDF, QR code, Computer Vision, Header analysis, QR code analysis, Sender analysis
/feeds/core/detection-rules/brand-impersonation-adobe-qr-code-2fc36c6d

Attachment: QR Code Link With Base64-Encoded Recipient Address
Last Updated: 2mo ago (Mar 27th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, QR code, Image as content, Social engineering, Evasion, PDF, Macros, Computer Vision, File analysis, Natural Language Understanding, QR code analysis, Sender analysis
/feeds/core/detection-rules/attachment-qr-code-link-with-base64-encoded-recipient-address-927a0c1a

Suspicious Attachment: Duplicate decoy PDF files
Last Updated: 3mo ago (Mar 18th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Evasion, PDF, File analysis, Optical Character Recognition
/feeds/core/detection-rules/suspicious-attachment-duplicate-decoy-pdf-files-79b9b2e7

Sharepoint Link Likely Unrelated to Sender
Last Updated: 3mo ago (Mar 12th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: BEC/Fraud, Credential Phishing, Impersonation: Employee, Lookalike domain, OneNote, PDF, Social engineering, URL analysis, Sender analysis, Header analysis, HTML analysis
/feeds/core/detection-rules/sharepoint-link-likely-unrelated-to-sender-6870f489

Callback Phishing: Social Security Administration Fraud
Last Updated: 3mo ago (Feb 24th, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Callback Phishing, Evasion, Free email provider, Out of band pivot, PDF, Social engineering, Exif analysis, File analysis, Optical Character Recognition, Sender analysis
/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52

Attachment: QR Code With Userinfo Portion
Last Updated: 3mo ago (Feb 21st, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Malware/Ransomware, Evasion, Image as content, PDF, QR code, QR code analysis, File analysis, Sender analysis
/feeds/core/detection-rules/attachment-qr-code-with-userinfo-portion-9d62cc5c

Brand Impersonation: DocuSign pdf attachment with suspicious link
Last Updated: 4mo ago (Feb 3rd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Impersonation: Brand, PDF, Social engineering, File analysis, Natural Language Understanding, Optical Character Recognition, URL analysis
/feeds/core/detection-rules/brand-impersonation-docusign-pdf-attachment-with-suspicious-link-2601cbb7

Extortion / Sextortion - PDF attachment leveraging breach data from freemail sender
Last Updated: 4mo ago (Feb 3rd, 2025 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: BEC/Fraud, Free email provider, PDF, Social engineering, QR code, Content analysis, File analysis, QR code analysis
/feeds/core/detection-rules/extortion-sextortion-pdf-attachment-leveraging-breach-data-from-freemail-sender-efb5a213

Attachment: Fake scan-to-email
Last Updated: 7mo ago (Oct 28th, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Free file host, Image as content, PDF, Social engineering, Content analysis, File analysis, Natural Language Understanding, Optical Character Recognition, Sender analysis
/feeds/core/detection-rules/attachment-fake-scan-to-email-ea850cc1

Attachment: Encrypted PDF With Credential Theft Body
Last Updated: 8mo ago (Oct 10th, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Encryption, Evasion, PDF, Social engineering, Content analysis, Exif analysis, File analysis, Natural Language Understanding, Sender analysis
/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a

Attachment: Decoy PDF Author (Julie P.)
Last Updated: 8mo ago (Oct 2nd, 2024 UTC)
Author: Sublime Security
Types, Tactics & Capabilities: Credential Phishing, Impersonation: Brand, PDF, File analysis, Content analysis, Sender analysis
/feeds/core/detection-rules/attachment-decoy-pdf-author-julie-p-4324213a