Tactic or Technique: PDF

Attackers use PDF files to deliver malicious content in a format that most people see as safe. These files often appear to be invoices, contracts, or notifications and can include embedded JavaScript, links, or QR codes that lead to phishing sites or malware downloads.
One common example is a fake DocuSign PDF that asks you to scan a QR code or click a link to view a document. The moment you interact, you're taken to a phishing site designed to steal your credentials or deliver malware.
Because PDFs are trusted and can difficult to inspect, they give attackers a way to hide dangerous content behind a familiar format. That trust, combined with limited scanning by some security tools, gives malicious PDFs a clear path into inboxes and environments.
Blog Posts
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Tax season email attacks: AdWind RATs and Tycoon 2FA phishing kits · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Talking phish over turkey · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Abusing Discord to deliver Agent Tesla malware · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Gotta Catch 'Em All: Detecting PikaBot Delivery Techniques · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Call Me Maybe? The Rise of Callback Phishing Emails · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Detecting QakBot: WSF attachments, OneNote files, and generic attack surface reduction · Blog · Sublime Security
Attack Types (6):
Credential Phishing
Malware/Ransomware
Extortion
BEC/Fraud
Callback Phishing
Spam
Detection Methods (16):
Content analysis
Exif analysis
File analysis
Optical Character Recognition
Computer Vision
Natural Language Understanding
Sender analysis
URL analysis
Header analysis
Whois
QR code analysis
Archive analysis
YARA
HTML analysis
URL screenshot
Threat intelligence
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Suspicious PDF created with headless browser
5d ago
May 7th, 2026
Sublime Security
Credential Phishing
Evasion
PDF
Content analysis
Exif analysis
File analysis
Optical Character Recognition
Brand impersonation: SharePoint PDF attachment with credential theft language
8d ago
May 4th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
Social engineering
PDF
Evasion
Computer Vision
File analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
URL analysis
Header analysis
Whois
Attachment: PDF with suspicious HeadlessChrome metadata
11d ago
May 1st, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
PDF
File analysis
Exif analysis
Attachment: Fake voicemail via PDF
12d ago
Apr 30th, 2026
Sublime Security
Credential Phishing
PDF
QR code
Social engineering
Computer Vision
Content analysis
File analysis
Optical Character Recognition
QR code analysis
URL analysis
Attachment: QR code with userinfo portion
12d ago
Apr 30th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
Image as content
PDF
QR code
QR code analysis
File analysis
Sender analysis
Adobe branded PDF file linking to a password-protected file from untrusted sender
13d ago
Apr 29th, 2026
Sublime Security
Malware/Ransomware
Encryption
Evasion
Impersonation: Brand
PDF
Archive analysis
File analysis
Natural Language Understanding
Optical Character Recognition
Attachment: Decoy PDF author (Julie P.)
13d ago
Apr 29th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
PDF
File analysis
Content analysis
Attachment: QR code link with base64-encoded recipient address
13d ago
Apr 29th, 2026
Sublime Security
Credential Phishing
QR code
Image as content
Social engineering
Evasion
PDF
Macros
Computer Vision
File analysis
Natural Language Understanding
QR code analysis
Sender analysis
Attachment: PDF with a suspicious string and single URL
15d ago
Apr 27th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Evasion
Content analysis
File analysis
URL analysis
Exif analysis
Attachment: PDF with suspicious view document characteristics
19d ago
Apr 23rd, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
PDF
Social engineering
Evasion
File analysis
YARA
Attachment: PDF with CVE-2026-34621 lures
20d ago
Apr 22nd, 2026
Sublime Security
Malware/Ransomware
PDF
File analysis
YARA
Attachment: PDF with JSFck obfuscation
20d ago
Apr 22nd, 2026
Sublime Security
Malware/Ransomware
Evasion
PDF
File analysis
YARA
Brand impersonation: Adobe (QR code)
22d ago
Apr 20th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
PDF
QR code
Computer Vision
Header analysis
QR code analysis
Sender analysis
Attachment: PDF With SAI Global ISO9001 Logo
27d ago
Apr 15th, 2026
Sublime Security
Credential Phishing
Impersonation: Brand
PDF
File analysis
YARA
Attachment: PDF with split QR code
27d ago
Apr 15th, 2026
Sublime Security
Credential Phishing
Evasion
PDF
QR code
File analysis
YARA
QR code analysis
Attachment: Compensation review lure with QR code
28d ago
Apr 14th, 2026
Sublime Security
Credential Phishing
PDF
QR code
Social engineering
File analysis
Optical Character Recognition
QR code analysis
Natural Language Understanding
Sender analysis
Header analysis
Attachment: PDF with credential theft language and invalid reply-to domain
1mo ago
Apr 10th, 2026
Sublime Security
Credential Phishing
PDF
Social engineering
Spoofing
File analysis
Header analysis
Natural Language Understanding
Content analysis
Attachment: Encrypted PDF with credential theft body
1mo ago
Apr 9th, 2026
Sublime Security
Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis
Attachment: Legal themed message or PDF with suspicious indicators
1mo ago
Apr 3rd, 2026
Sublime Security
Credential Phishing
Extortion
BEC/Fraud
Evasion
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Whois
Header analysis
Exif analysis
Attachment: PDF bid/proposal lure with credential theft indicators
1mo ago
Mar 27th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
PDF
Social engineering
Free file host
Free subdomain host
File analysis
Content analysis
Optical Character Recognition
Natural Language Understanding
URL analysis
Exif analysis
Page 1 of 4