A new phishing and malware distribution toolkit called MatrixPDF allows attackers to convert ordinary PDF files into interactive lures that bypass email security and redirect victims to credential theft or malware downloads.
The new tool was spotted by Varonis researchers, who told BleepingComputer that MatrixPDF was first spotted on a cybercrime forum. The seller also uses Telegram as an additional means of interacting with buyers.
The developer of MatrixPDF promotes the tool as a phishing simulation and blackteaming tool. However, Varonis researcher Daniel Kelley told BleepingComputer that it was first seen being offered on cybercrime forums.
“MatrixPDF: Document Builder – Advanced PDF Phishing with JavaScript Actions is an elite tool for crafting realistic phishing simulation PDFs tailored for black teams and cybersecurity awareness training,” reads an advertisement shared with BleepingComputer.
“With drag-and-drop PDF import, real-time preview, and customizable security overlays, MatrixPDF delivers professional-grade phishing scenarios.”
“Built-in protections, such as content blur, secure redirect mechanism, metadata encryption, and Gmail bypass, ensure authenticity and reliable delivery in testing environments.”
The tool is offered under various pricing plans, ranging from $400 per month to $1,500 for an entire year.

The MatrixPDF phishing toolkit
A new report by Varonis explains that the MatrixPDF builder enables attackers to upload a legitimate PDF as a lure and then add malicious features, such as blurred content, fake “Secure Document” prompts, and clickable overlays that lead to an external payload URL.

MatrixPDF can also embed JavaScript actions that are triggered when a user opens a document or when the victim clicks a button. This JavaScript will attempt to open a website or perform other malicious actions.
The blurred content feature enables the threat actor to create PDFs that appear to contain protected, blurred content and include an “Open Secure Document” button. Clicking the document opens a website that can be used to host phishing pages or distribute malware.
A test by Varonis demonstrates how the malicious PDFs could be sent to a Gmail account, bypassing phishing filters. This is because the generated PDFs contain no malicious binaries, only external links.
“Gmail’s PDF viewer does not execute PDF JavaScript but allows clickable links/annotations,” explains Varonis.
“Thus, the attacker’s PDF is created so the button press simply opens an external site in the user’s browser. This somewhat clever design works around Gmail’s security: any malware scanning of the PDF itself finds nothing incriminating, and the actual malicious content is only fetched once the user actively clicks, appearing to Gmail as a user-initiated web request.”
Another demonstration shows how simply opening the malicious PDF attempts to open an external site. This feature is somewhat limited, as modern PDF viewers will alert the user that the PDF is trying to connect to a remote site.
Varonis warns that PDFs are a popular vehicle for phishing attacks because they are commonly used, and email platforms can display them without warning.
The company says that AI-driven email security, which analyzes PDF structure, detects blurred overlays and fake prompts, and detonates embedded URLs in a sandbox, can help block these files from reaching a target’s inbox.
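The structural part of that analysis can be approximated with a raw-byte triage pass, shown here as an added example (not code from Varonis or any email security product): it counts the action keys that make a PDF active and extracts link targets so they can be sent for URL detonation. The `triage` function, the sample bytes and the host name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

NAME_RE = re.compile(rb"/([^\x00\t\n\f\r /<>\[\](){}%]+)")  # PDF name token
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")                  # #xx escape in a name
STR_RE = re.compile(rb"\s*\(((?:\\.|[^\\)])*)\)")           # literal string value
ACTIVE = {"OpenAction", "AA", "JavaScript", "JS", "Launch"}

# Constructed sample: a catalog with an open action, a full-page link annotation,
# and a JavaScript action whose name uses a #xx escape (permitted by the PDF spec).
SAMPLE = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
  /A << /S /URI /URI (https://payload.example.invalid/secure-doc) >> >> endobj
5 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj
%%EOF"""

def _host(url: str):
    try:
        return urlsplit(url).hostname
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return None

def triage(data: bytes) -> dict:
    """Raw-byte scan; objects inside compressed streams must be inflated first."""
    counts, urls, pos = Counter(), [], 0
    while (m := NAME_RE.search(data, pos)):
        pos = m.end()
        # Decode #xx escapes so /J#61vaScript is counted as /JavaScript.
        raw = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        name = raw.decode("latin-1")
        if name in ACTIVE:
            counts[name] += 1
        elif name == "URI" and (s := STR_RE.match(data, pos)):
            urls.append(s.group(1).decode("latin-1"))
            pos = s.end()       # skip the URL so its path is not read as names
    hosts = sorted({h for h in map(_host, urls) if h})
    # /OpenAction alone is common in benign files; pair it with script keys.
    on_open = bool((counts["OpenAction"] or counts["AA"])
                   and (counts["JavaScript"] or counts["JS"]))
    return {"counts": dict(counts), "urls": urls, "hosts": hosts,
            "script_on_open": on_open}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A file with no script keys but a link annotation pointing off-domain, the Gmail-compatible variant described above, still surfaces through `urls` and `hosts`, which is what a sandbox or reputation lookup would consume.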