MatrixPDF Turns Ordinary PDFs into Phishing Weapons

A new phishing and malware distribution toolkit, MatrixPDF, enables attackers to weaponize ordinary PDF files by embedding interactive lures that evade email filters and redirect victims to malicious sites.

Varonis researchers discovered the tool. According to Lawrence Abrams of BleepingComputer, it was first advertised on cybercrime forums and later promoted via Telegram.

Marketed as a “phishing simulation and black teaming tool,” MatrixPDF’s functionality extends far beyond legitimate training use, offering cybercriminals the means to create realistic phishing scenarios that can bypass standard protections.

Varonis’ analysis reveals that MatrixPDF allows users to upload legitimate PDFs and insert deceptive elements, such as blurred content, fake “Secure Document” prompts, and clickable overlays that lead to external URLs.

The builder also supports JavaScript actions triggered when a document is opened or interacted with, creating a convincing sense of authenticity while executing malicious redirections. Because the PDFs contain no embedded malware, only links, they can evade scanning engines and pass through services like Gmail.

When users click within the PDF, the file opens a browser window leading to a phishing page or malware download, all under the guise of normal user activity.

MatrixPDF’s design exposes a significant weakness in how email platforms treat interactive PDF files. Gmail, for example, allows links and annotations but not active JavaScript, enabling attackers to deliver credible phishing content without detection.

Varonis cautions that this approach leverages user trust in PDFs and the permissive behavior of many email clients.

Attorneys should pass the firm’s recommendations on to their clients: Implement AI-driven security solutions capable of examining document structures and identifying blurred overlays and sandbox-embedded URLs. This will detect these PDF-based phishing tactics before they reach end users.