MatrixPDF Builder Turns Benign PDFs into Click‑Through Phishing Lures That Bypass Gmail Filters

CyberSecureFox 🦊

Varonis researchers have identified MatrixPDF, a commercial builder that converts legitimate PDF files into interactive phishing decoys. The tool leverages native PDF capabilities—rather than embedded executables—to route users to credential‑harvesting sites or malware downloaders, enabling emails to evade common gateway checks and reach inboxes, including Gmail.

What is MatrixPDF: features, positioning, and pricing

Marketed as a “phishing simulator” and a tool for black‑team exercises, MatrixPDF has been observed on underground forums. Its pitch highlights drag‑and‑drop PDF import, live preview, custom overlays, and built‑in “safety” features such as content blurring, controlled redirects, metadata encryption, and an advertised Gmail filter bypass. Reported pricing ranges from $400 per month to $1,500 per year, signaling an accessible, commercialized offering rather than a bespoke toolkit.

How attacks are assembled: overlays, annotations, and JavaScript Actions

The builder workflow starts with a clean, trusted PDF. Operators add a visual layer—commonly a blur over the original content—then place a conspicuous button such as “Open Secure Document”. Clicking the overlay triggers a redirect to an attacker‑controlled URL hosting a phishing page or a downloader. The redirection logic relies on standard PDF constructs, including annotations and JavaScript Actions that fire on open or click. Because these are native PDF actions (e.g., /OpenAction, /AA with URI links) and do not embed executable binaries, the payload resides off‑document.

Why Gmail still delivers these PDF attachments

Testing indicates MatrixPDF‑crafted files land in Gmail inboxes. Gmail’s in‑browser PDF viewer does not execute JavaScript inside PDFs, but it allows users to follow hyperlinks embedded in annotations. As a result, the platform registers a user‑initiated web request rather than automatic code execution. Attempts to auto‑run actions when the file opens are more likely to surface warnings in modern PDF readers, which reduces conversion, so actors often rely on enticing overlays to prompt clicks.

Why PDF phishing continues to work

PDF is a high‑trust document format in enterprise communications, renders consistently across devices, and frequently opens directly in the browser. This inherent credibility lowers user suspicion and increases click‑through rates on embedded elements. Industry reporting, including the Verizon Data Breach Investigations Report 2024, shows the human element remains pivotal—over two‑thirds of breaches involve user interaction—with social engineering and phishing among the leading initial access vectors.

Detection gaps: evasion by design

Traditional email security controls focus on embedded executables, malicious macros, and signature‑based detections. With MatrixPDF, malicious logic is offloaded to external web infrastructure, while the PDF contains only “benign” hyperlinks and annotations. This design shifts detection to the moment of user click or to downstream network defenses, reducing the efficacy of static attachment scanning alone.

Mitigation strategies for email and PDF phishing

Deep PDF inspection at the gateway. Parse PDF structure for Actions (/OpenAction, /AA), annotations (/Annot), form buttons, and URI links. Quarantine or rewrite documents containing external links, with heightened scrutiny for new or low‑reputation domains.
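The gateway check described above, as an added illustration that is not part of the original article or any vendor product: a byte-level triage routine that flags the PDF action keys and link annotations the article names, extracts literal-string /URI targets, and returns a verdict. The two sample PDFs are constructed here (not real MatrixPDF output) and the `allowed_hosts` allowlist is an assumed policy input.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Keys that make a PDF "active": actions on open, event-driven actions (/AA),
# JavaScript, program launch and form submission.
ACTIVE_KEY_RE = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|SubmitForm)(?![A-Za-z0-9_])")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")       # literal-string URIs only (hex strings not handled)
LINK_ANNOT_RE = re.compile(rb"/Subtype\s*/(Link|Widget)\b")
OPAQUE_RE = re.compile(rb"/(ObjStm|Encrypt)\b")   # object streams/encryption hide keys from a byte scan

@dataclass
class PdfTriage:
    active_keys: list = field(default_factory=list)
    uris: list = field(default_factory=list)
    link_annots: int = 0
    opaque: bool = False
    verdict: str = "pass"

def triage_pdf(data: bytes, allowed_hosts: frozenset = frozenset()) -> PdfTriage:
    """Heuristic triage of an uncompressed PDF; a gateway pre-filter, not a full parser."""
    t = PdfTriage()
    for m in ACTIVE_KEY_RE.finditer(data):
        key = m.group(1).decode()
        if key not in t.active_keys:
            t.active_keys.append(key)
    t.uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(data)]
    t.link_annots = len(LINK_ANNOT_RE.findall(data))
    t.opaque = OPAQUE_RE.search(data) is not None
    external = [u for u in t.uris if urlsplit(u).hostname not in allowed_hosts]
    if t.active_keys or external:
        t.verdict = "quarantine"         # active content or link to a non-allowlisted host
    elif t.uris or t.link_annots:
        t.verdict = "rewrite-links"      # allowlisted links still get rewritten/sandboxed
    elif t.opaque:
        t.verdict = "needs-full-parse"   # nothing visible, but dictionaries may be hidden
    return t

# Constructed samples: a lure-style PDF with an open action, a JS action and a
# link annotation, and a plain PDF with no active content at all.
LURE_PDF = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
    b"3 0 obj << /Type /Page /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/secure-document) >> >> endobj\n"
    b'5 0 obj << /S /JavaScript /JS (app.alert("demo")) >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF'
)
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF"
```

Because object streams and encryption (which the builder advertises as "metadata encryption") can hide these keys from a raw scan, the `needs-full-parse` verdict should route the file to a real PDF parser or CDR rather than being treated as clean.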

Adopt CDR (Content Disarm & Reconstruction). Flatten PDFs to passive versions, stripping JavaScript, form elements, and redirections while preserving visual fidelity to reduce risk from active content.

Harden PDF viewer policies. Disable JavaScript, block auto‑executing actions, and limit external link navigation using GPO/MDM. Enforce “open in protected mode” where available.

Control egress and monitor processes. Apply DNS/HTTP(S) filtering for categories like “newly observed domains” and “phishing,” and use TLS inspection per policy. Monitor for a PDF reader process (for example AcroRd32.exe) spawning a browser or itself initiating outbound connections shortly after a PDF is opened.

Strengthen user awareness. Train users to be skeptical of “secure document” prompts, blurred content overlays, and urgent call‑to‑action buttons like Open/Access Secure Document. Conduct periodic phishing simulations that include PDF‑based lures.

Enhance response workflows. Enable rapid message recall, domain/URL blocking, IOC sharing with the SOC, and retrospective searches across mailboxes and proxy logs to identify exposure and affected users.

MatrixPDF underscores how adversaries weaponize standard PDF features to bypass legacy email filtering and pivot risk to the click. Organizations can blunt these campaigns by combining deep attachment inspection, CDR, hardened viewer configurations, and layered network controls with ongoing user education. Treat any PDF with external links as active content, reduce default trust in “secure document” prompts, and ensure rapid response to suspicious messages to minimize impact.
