MatrixPDF Converts PDF Files into Phishing Lures

A new phishing toolkit called MatrixPDF has been uncovered, allowing attackers to transform ordinary PDF files into interactive lures that bypass email security and redirect victims to credential theft pages or malware downloads.

Researchers from Varonis, who identified the tool, note that MatrixPDF is marketed as a phishing simulator and a resource for red and black team specialists. However, its first appearance was traced to underground hacker forums.

“MatrixPDF: Document Builder — Advanced PDF Phishing with JavaScript Actions. This is a high-end tool for creating realistic phishing PDFs intended for black teams and cybersecurity training,” reads the advertisement. “Thanks to drag-and-drop PDF importing, real-time preview, and customizable overlays, MatrixPDF allows for the creation of professional-grade phishing scenarios. Built-in protection features such as content blurring, a safe redirect mechanism, metadata encryption, and Gmail bypass guarantee reliability and delivery in test environments.”

The toolkit is offered under several pricing plans, ranging from $400 per month to $1,500 per year.

How MatrixPDF Works

According to researchers, MatrixPDF allows attackers to upload a legitimate PDF file and layer malicious functions on top. These include:

  • Content blurring that hides the document behind a fake “Secure Document” prompt.
  • Clickable overlays that redirect users to an external site hosting malware or credential-harvesting pages.
  • JavaScript Actions, which execute when a file is opened or a button is clicked, initiating attempts to connect to attacker-controlled websites.

One of the key features is the “blurred content” lure: users see what looks like a protected PDF and are prompted to click an “Open Protected Document” button. That action redirects them to a malicious website.

Bypassing Gmail Filters

In tests conducted by Varonis, malicious PDFs built with MatrixPDF were successfully delivered to Gmail inboxes, bypassing phishing filters. The reason: the files contained no malware binaries, only external links.

“The PDF viewer in Gmail does not execute JavaScript within PDFs, but it does allow following links and annotations,” the researchers explained. “This means the malicious PDF is crafted so that clicking a button simply opens an external website in the user’s browser. This clever trick bypasses Gmail’s protection: scanning the PDF itself reveals nothing, since the payload is only fetched after the user clicks—a request Gmail treats as user-initiated.”

In another test, simply opening the malicious file triggered a connection attempt to an external site. However, most modern PDF readers now display a warning before allowing such actions, making this vector less reliable.
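
A static triage pass over the PDF features described above (actions that run on open, JavaScript actions, link annotations pointing to external sites), added here as an illustration and not taken from Varonis or from the toolkit. The function names, the indicator list and the sample bytes are constructed for this example.

```python
import re
import zlib

# PDF name tokens behind the behaviours described above (names from the PDF spec).
INDICATORS = {
    b"/OpenAction": "action runs when the document is opened",
    b"/AA": "additional actions fired by page or field events",
    b"/JavaScript": "JavaScript action type",
    b"/JS": "JavaScript source",
    b"/URI": "link action that opens an external URL on click",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"\(\s*(https?://[^)\s]+)\)", re.I)  # literal strings only

def expand(data: bytes) -> bytes:
    """Append inflated Flate streams, then decode #XX escapes in names."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or a filter this sketch does not handle
    buf = b"\n".join(parts)  # /J#61vaScript reads as /JavaScript to a PDF viewer
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m[1], 16)]), buf)

def triage_pdf(data: bytes) -> dict:
    """Report active-content indicators and external URLs found in a PDF."""
    buf = expand(data)
    hits = {}
    for token, why in INDICATORS.items():
        # Require a delimiter after the name so /JS does not match /JSx.
        n = len(re.findall(re.escape(token) + rb"(?![A-Za-z0-9])", buf))
        if n:
            hits[token.decode()] = (n, why)
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(buf)})
    auto = "/OpenAction" in hits or "/AA" in hits
    return {"hits": hits, "urls": urls, "runs_on_open": auto,
            "links_out": "/URI" in hits and bool(urls)}

# Constructed sample: a link annotation plus a compressed, name-obfuscated action.
_HIDDEN = zlib.compress(b"<< /S /J#61vaScript /JS (placeholder) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"2 0 obj << /Subtype /Link /A << /S /URI /URI "
          b"(https://login.example.invalid/doc) >> >> endobj\n"
          b"3 0 obj << /Filter /FlateDecode >> stream\n" + _HIDDEN +
          b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

Ordinary PDFs with hyperlinks also produce /URI hits, so the output is input for URL reputation checks or click-time inspection rather than a verdict. Encrypted files, hex-encoded strings and non-Flate filters are not decoded here.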

Persistent Threat of PDF Phishing

Varonis researchers emphasized that PDF files remain a favored tool for phishing attacks due to their ubiquity and the fact that most email platforms render them without suspicion. The convenience of PDFs continues to make them a powerful vector for attackers—and a recurring challenge for defenders.