Tactic or Technique: PDF

Attackers use PDF files to deliver malicious content in a format that most people see as safe. These files often appear to be invoices, contracts, or notifications and can include embedded JavaScript, links, or QR codes that lead to phishing sites or malware downloads.
One common example is a fake DocuSign PDF that asks you to scan a QR code or click a link to view a document. The moment you interact, you're taken to a phishing site designed to steal your credentials or deliver malware.
Because PDFs are trusted and can difficult to inspect, they give attackers a way to hide dangerous content behind a familiar format. That trust, combined with limited scanning by some security tools, gives malicious PDFs a clear path into inboxes and environments.
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Stripe invoice abuse
2d ago
Jul 14th, 2026
Sublime Security
Attachment: PDF with suspicious document view lure
2d ago
Jul 14th, 2026
Sublime Security
Attachment: Encrypted PDF with credential theft language in EML
3d ago
Jul 13th, 2026
Sublime Security
Attachment: PDF Object Hash associated with a fake invoice and a W-9
14d ago
Jul 2nd, 2026
Sublime Security
Attachment: PDF with quote lure
15d ago
Jul 1st, 2026
Sublime Security
Attachment: Suspicious PDF created with headless browser
15d ago
Jul 1st, 2026
Sublime Security
Attachment: PDF with specific W-9 lure
15d ago
Jul 1st, 2026
Sublime Security
Attachment: PDF with localhost IP in EXIF title metadata
17d ago
Jun 29th, 2026
Sublime Security
Attachment: PDF with suspicious internal object reference identifier
17d ago
Jun 29th, 2026
Sublime Security
Attachment: Invoice and W-9 PDFs with suspicious creators
20d ago
Jun 26th, 2026
Sublime Security
Attachment: PDF with W-9 form indicators
20d ago
Jun 26th, 2026
Sublime Security
Attachment: Duplicated header pages in fraudulent multi-page PDF Request for Quotation
21d ago
Jun 25th, 2026
Sublime Security
Brand impersonation: Fake procurement/RFQ PDF from energy and industrial companies
21d ago
Jun 25th, 2026
Sublime Security
Attachment: PDF with a suspicious string and single URL
29d ago
Jun 17th, 2026
Sublime Security
Attachment: PDF Object Hash associated with fake Canada Revenue Agency documents
29d ago
Jun 17th, 2026
Sublime Security
Attachment: Encrypted PDF with credential theft body
29d ago
Jun 17th, 2026
Sublime Security
Attachment: PDF file with recipient domain and ATT eCheckRun pattern
30d ago
Jun 16th, 2026
Sublime Security
Attachment: Fake PDF Invoices Yara
30d ago
Jun 16th, 2026
Sublime Security
Attachment: PDF with recipient email in link
1mo ago
Jun 10th, 2026
Sublime Security
Attachment: PDF with self-service platform links with self sender or blank recipients
1mo ago
Jun 10th, 2026
Sublime Security