Sublime Security

Sublime Core Feed
PDF
Learn More
Login to Sublime
Attack Types
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Reconnaissance
Spam
Tactics and Techniques
Encryption
Evasion
Exploit
Free email provider
Free file host
Free subdomain host
HTML smuggling
Image as content
Impersonation: Brand
Impersonation: Employee
Impersonation: VIP
IPFS
ISO
LNK
Lookalike domain
Macros
OneNote
Open redirect
Out of band pivot
PDF
Punycode
QR code
Scripting
Social engineering
Spoofing
Detection Methods
Archive analysis
Content analysis
Computer Vision
Exif analysis
File analysis
Header analysis
HTML analysis
Javascript analysis
Macro analysis
Natural Language Understanding
Optical Character Recognition
OLE analysis
PDF analysis
QR code analysis
Sender analysis
Threat intelligence
URL analysis
URL screenshot
Whois
XML analysis
YARA
Tactic or Technique: PDF
Attackers use PDF files to deliver malicious content in a format that most people see as safe. These files often appear to be invoices, contracts, or notifications and can include embedded JavaScript, links, or QR codes that lead to phishing sites or malware downloads.
One common example is a fake DocuSign PDF that asks you to scan a QR code or click a link to view a document. The moment you interact, you're taken to a phishing site designed to steal your credentials or deliver malware.
Because PDFs are trusted and can difficult to inspect, they give attackers a way to hide dangerous content behind a familiar format. That trust, combined with limited scanning by some security tools, gives malicious PDFs a clear path into inboxes and environments.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (6):
Credential Phishing
Extortion
BEC/Fraud
Malware/Ransomware
Callback Phishing
Spam
Detection Methods (16):
File analysis
YARA
QR code analysis
Computer Vision
Content analysis
Optical Character Recognition
URL analysis
Natural Language Understanding
Sender analysis
Header analysis
Exif analysis
Whois
HTML analysis
URL screenshot
Threat intelligence
Archive analysis
Rule Name & Severity
Last Updated
Types, Tactics & Capabilities
Attachment: PDF With SAI Global ISO9001 Logo
5d ago
Apr 15th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
PDF
File analysis
YARA
Credential Phishing
Impersonation: Brand
PDF
File analysis
YARA
Attachment: PDF with split QR code
5d ago
Apr 15th, 2026
Sublime Security
Credential Phishing
Evasion
PDF
QR code
File analysis
YARA
QR code analysis
Credential Phishing
Evasion
PDF
QR code
File analysis
YARA
QR code analysis
Attachment: Fake voicemail via PDF
6d ago
Apr 14th, 2026
Sublime Security
Credential Phishing
PDF
QR code
Social engineering
Computer Vision
Content analysis
File analysis
Optical Character Recognition
QR code analysis
URL analysis
Credential Phishing
PDF
QR code
Social engineering
Computer Vision
Content analysis
File analysis
Optical Character Recognition
QR code analysis
URL analysis
Attachment: Compensation review lure with QR code
6d ago
Apr 14th, 2026
Sublime Security
Credential Phishing
PDF
QR code
Social engineering
File analysis
Optical Character Recognition
QR code analysis
Natural Language Understanding
Sender analysis
Header analysis
Credential Phishing
PDF
QR code
Social engineering
File analysis
Optical Character Recognition
QR code analysis
Natural Language Understanding
Sender analysis
Header analysis
Attachment: PDF with a suspicious string and single URL
10d ago
Apr 10th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
Content analysis
File analysis
URL analysis
Exif analysis
Credential Phishing
PDF
Social engineering
Evasion
Content analysis
File analysis
URL analysis
Exif analysis
Attachment: PDF with credential theft language and invalid reply-to domain
10d ago
Apr 10th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Spoofing
File analysis
Header analysis
Natural Language Understanding
Content analysis
Credential Phishing
PDF
Social engineering
Spoofing
File analysis
Header analysis
Natural Language Understanding
Content analysis
Attachment: Encrypted PDF with credential theft body
11d ago
Apr 9th, 2026
Sublime Security
Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis
Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis
Attachment: Legal themed message or PDF with suspicious indicators
17d ago
Apr 3rd, 2026
Sublime Security
Credential Phishing
Extortion
BEC/Fraud
Evasion
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Whois
Header analysis
Exif analysis
Credential Phishing
Extortion
BEC/Fraud
Evasion
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Whois
Header analysis
Exif analysis
Attachment: PDF bid/proposal lure with credential theft indicators
24d ago
Mar 27th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
Attachment: PDF contains W9 or invoice YARA signatures
1mo ago
Mar 18th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
File analysis
YARA
BEC/Fraud
Credential Phishing
PDF
Social engineering
File analysis
YARA
Link: PDF display text with fake copyright claim template
1mo ago
Mar 18th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
Image as content
PDF
Content analysis
HTML analysis
Credential Phishing
Malware/Ransomware
Evasion
Image as content
PDF
Content analysis
HTML analysis
Attachment: PDF proposal with credential theft indicators
1mo ago
Mar 17th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Credential Phishing
PDF
Social engineering
Evasion
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Attachment: PDF with suspicious link and action-oriented language
1mo ago
Mar 6th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
File analysis
URL analysis
Content analysis
URL screenshot
Credential Phishing
PDF
Social engineering
Evasion
File analysis
URL analysis
Content analysis
URL screenshot
Attachment: PDF with recipient email in link
1mo ago
Mar 3rd, 2026
Sublime Security
Credential Phishing
PDF
QR code
Encryption
Social engineering
File analysis
QR code analysis
URL analysis
Credential Phishing
PDF
QR code
Encryption
Social engineering
File analysis
QR code analysis
URL analysis
Attachment: Finance themed PDF with observed phishing template
1mo ago
Mar 2nd, 2026
Sublime Security
Credential Phishing
PDF
Evasion
File analysis
Content analysis
Credential Phishing
PDF
Evasion
File analysis
Content analysis
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification
1mo ago
Mar 2nd, 2026
Sublime Security
Malware/Ransomware
PDF
Evasion
File analysis
Threat intelligence
Malware/Ransomware
PDF
Evasion
File analysis
Threat intelligence
Link: SharePoint OneNote or PDF link with self sender behavior
1mo ago
Feb 27th, 2026
Sublime Security
Credential Phishing
Evasion
Free file host
OneNote
PDF
Header analysis
URL analysis
Sender analysis
Credential Phishing
Evasion
Free file host
OneNote
PDF
Header analysis
URL analysis
Sender analysis
Attachment: PDF with multistage landing - ClickUp abuse
1mo ago
Feb 27th, 2026
Sublime Security
Credential Phishing
Evasion
Free file host
Free subdomain host
PDF
Social engineering
File analysis
URL analysis
Whois
Credential Phishing
Evasion
Free file host
Free subdomain host
PDF
Social engineering
File analysis
URL analysis
Whois
Attachment: PDF with ReportLab library and default metadata
1mo ago
Feb 27th, 2026
Sublime Security
Credential Phishing
PDF
Evasion
File analysis
Exif analysis
Credential Phishing
PDF
Evasion
File analysis
Exif analysis
Attachment: PDF with password in filename matching body text
1mo ago
Feb 19th, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
Content analysis
File analysis
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
Content analysis
File analysis
Page 1 of 4

Rule Name & Severity	Last Updated	Author	Types, Tactics & Capabilities
Attachment: PDF With SAI Global ISO9001 Logo	5d ago Apr 15th, 2026	Sublime Security	Credential Phishing Impersonation: Brand PDF File analysis YARA
Attachment: PDF with split QR code	5d ago Apr 15th, 2026	Sublime Security	Credential Phishing Evasion PDF QR code File analysis YARA QR code analysis
Attachment: Fake voicemail via PDF	6d ago Apr 14th, 2026	Sublime Security	Credential Phishing PDF QR code Social engineering Computer Vision Content analysis File analysis Optical Character Recognition QR code analysis URL analysis
Attachment: Compensation review lure with QR code	6d ago Apr 14th, 2026	Sublime Security	Credential Phishing PDF QR code Social engineering File analysis Optical Character Recognition QR code analysis Natural Language Understanding Sender analysis Header analysis
Attachment: PDF with a suspicious string and single URL	10d ago Apr 10th, 2026	Sublime Security	Credential Phishing PDF Social engineering Evasion Content analysis File analysis URL analysis Exif analysis
Attachment: PDF with credential theft language and invalid reply-to domain	10d ago Apr 10th, 2026	Sublime Security	Credential Phishing PDF Social engineering Spoofing File analysis Header analysis Natural Language Understanding Content analysis
Attachment: Encrypted PDF with credential theft body	11d ago Apr 9th, 2026	Sublime Security	Credential Phishing Encryption Evasion PDF Social engineering Content analysis Exif analysis File analysis Natural Language Understanding Sender analysis
Attachment: Legal themed message or PDF with suspicious indicators	17d ago Apr 3rd, 2026	Sublime Security	Credential Phishing Extortion BEC/Fraud Evasion PDF Social engineering Content analysis File analysis Natural Language Understanding Optical Character Recognition URL analysis Whois Header analysis Exif analysis
Attachment: PDF bid/proposal lure with credential theft indicators	24d ago Mar 27th, 2026	Sublime Security	BEC/Fraud Credential Phishing PDF Social engineering Free file host Free subdomain host File analysis Content analysis Optical Character Recognition Natural Language Understanding URL analysis Exif analysis
Attachment: PDF contains W9 or invoice YARA signatures	1mo ago Mar 18th, 2026	Sublime Security	BEC/Fraud Credential Phishing PDF Social engineering File analysis YARA
Link: PDF display text with fake copyright claim template	1mo ago Mar 18th, 2026	Sublime Security	Credential Phishing Malware/Ransomware Evasion Image as content PDF Content analysis HTML analysis
Attachment: PDF proposal with credential theft indicators	1mo ago Mar 17th, 2026	Sublime Security	Credential Phishing PDF Social engineering Evasion File analysis Natural Language Understanding Optical Character Recognition URL analysis
Attachment: PDF with suspicious link and action-oriented language	1mo ago Mar 6th, 2026	Sublime Security	Credential Phishing PDF Social engineering Evasion File analysis URL analysis Content analysis URL screenshot
Attachment: PDF with recipient email in link	1mo ago Mar 3rd, 2026	Sublime Security	Credential Phishing PDF QR code Encryption Social engineering File analysis QR code analysis URL analysis
Attachment: Finance themed PDF with observed phishing template	1mo ago Mar 2nd, 2026	Sublime Security	Credential Phishing PDF Evasion File analysis Content analysis
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification	1mo ago Mar 2nd, 2026	Sublime Security	Malware/Ransomware PDF Evasion File analysis Threat intelligence
Link: SharePoint OneNote or PDF link with self sender behavior	1mo ago Feb 27th, 2026	Sublime Security	Credential Phishing Evasion Free file host OneNote PDF Header analysis URL analysis Sender analysis
Attachment: PDF with multistage landing - ClickUp abuse	1mo ago Feb 27th, 2026	Sublime Security	Credential Phishing Evasion Free file host Free subdomain host PDF Social engineering File analysis URL analysis Whois
Attachment: PDF with ReportLab library and default metadata	1mo ago Feb 27th, 2026	Sublime Security	Credential Phishing PDF Evasion File analysis Exif analysis
Attachment: PDF with password in filename matching body text	1mo ago Feb 19th, 2026	Sublime Security	Malware/Ransomware Credential Phishing Encryption Evasion PDF Content analysis File analysis