New MatrixPDF toolkit turns PDFs into phishing and malware lures
A new phishing and malware distribution toolkit called MatrixPDF allows attackers to convert ordinary PDF files into interactive lures that bypass email security and redirect victims to credential theft or malware downloads.
A new report by Varonis explains that the MatrixPDF builder enables attackers to upload a legitimate PDF as a lure and then add malicious features, such as blurred content, fake “Secure Document” prompts, and clickable overlays that lead to an external payload URL.
MatrixPDF can also embed JavaScript actions that are triggered when a victim opens the document or clicks a button. This JavaScript will attempt to open a website or perform other malicious actions.
“Gmail’s PDF viewer does not execute PDF JavaScript but allows clickable links/annotations,” explains Varonis. “Thus, the attacker’s PDF is created so the button press simply opens an external site in the user’s browser. This somewhat clever design works around Gmail’s security: any malware scanning of the PDF itself finds nothing incriminating, and the actual malicious content is only fetched once the user actively clicks, appearing to Gmail as a user-initiated web request.”
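For defenders, the practical consequence is that the link targets inside the PDF matter as much as any script. The following triage sketch is an added example, not code from Varonis or from the toolkit: it counts the PDF dictionary keys behind the behaviours described above and extracts link URLs so they can be checked separately. The sample document, the `payload.example` host, and the function names are constructed for illustration.

```python
import re

# PDF dictionary keys behind the behaviours described above (names from the PDF spec).
KEYS = ("OpenAction", "AA", "JavaScript", "JS", "URI")
DELIM = rb"(?=[\s/\[\]<>(){}%]|$)"  # a PDF name ends at whitespace or a delimiter

def name_re(name):
    """Regex for /name that also matches #xx hex-escaped spellings such as /J#53."""
    parts = [b"(?:%s|#%02x|#%02X)" % (re.escape(bytes([c])), c, c)
             for c in name.encode()]
    return b"/" + b"".join(parts) + DELIM

def triage(data):
    """Count active-content keys and list link targets in raw PDF bytes."""
    counts = {k: len(re.findall(name_re(k), data)) for k in KEYS}
    # Literal-string URI targets only; hex strings and compressed object
    # streams are not decoded here, so zero hits does not prove a file is clean.
    uri = name_re("URI") + rb"\s*\(((?:\\.|[^\\()])*)\)"
    urls = [re.sub(rb"\\(.)", rb"\1", u, flags=re.S).decode("latin-1")
            for u in re.findall(uri, data, re.S)]
    return {
        "counts": counts,
        "urls": urls,  # candidates for URL reputation checks or detonation
        "script": bool(counts["JS"] or counts["JavaScript"]),
        "auto_trigger": bool(counts["OpenAction"] or counts["AA"]),
    }

# Constructed sample (not from the report): a full-page link annotation plus an
# open-time script action whose key names are hex-escaped.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 4 0 R /Pages 2 0 R >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]\n"
    b"  /A << /S /URI /URI (https://payload.example/open) >> >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /J#53 (/* body omitted */) >> endobj\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("key counts  :", report["counts"])
    print("link targets:", report["urls"])
    print("script / auto-trigger:", report["script"], report["auto_trigger"])
```

A file with no script keys but a link target is the case the quote describes: nothing in the PDF itself is malicious, so the verdict has to come from inspecting the extracted URL.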
To read the complete article see: New MatrixPDF toolkit turns PDFs into phishing and malware lures