PDFs are not always what they seem. They are good vectors to launch attacks, because PDFs are usually important, meaning end-users are likely to click. One estimate found that PDF-based attacks increased by over 1,000% in the last year.
This is another PDF-based attack. The attachment goes to a landing page that asks for credentials. This attack bypassed Mimecast, but was stopped by Avanan.
Here's what the attack looks like:
If you were to click on the attachment, here's the link you get:
As seen in our analysis of the email, there's a number of red flags that caused Avanan to block it: