A new phishing toolkit, MatrixPDF , has been discovered that allows attackers to transform ordinary PDF files into interactive decoys that bypass email security and redirect victims to websites that steal credentials or download malware.
Varonis researchers, who discovered the tool, note that MatrixPDF is advertised as a phishing simulator and a solution for black team specialists . However, they emphasize that it was first discovered on hacker forums.
” MatrixPDF: An advanced tool for creating realistic phishing PDFs, designed for black-team teams and cybersecurity training,” the announcement reads. “With drag-and-drop PDF import, real-time preview, and customizable overlays, MatrixPDF enables you to create professional-grade phishing scenarios. Built-in security features such as content blurring, secure redirects, metadata encryption, and Gmail bypass ensure reliability and deployment in test environments.”
The toolkit is available with several pricing plans, ranging from $400 per month to $1,500 per year.
The researchers explain that the MatrixPDF builder allows attackers to upload a legitimate PDF file and then add malicious features to it, such as content obfuscation, fake “Protected Document” prompts , and clickable overlays that point to an external URL with the payload.
Additionally, MatrixPDF enables JavaScript actions, which are triggered when a user opens a document or clicks a button. In this case, the JavaScript code attempts to open a website or perform other malicious actions.
The blur feature creates PDF files whose content appears protected, blurred, and contains an ” Open Protected Document ” button. Clicking this button opens a website that can be used to steal credentials or distribute malware .
A test conducted by specialists has shown that malicious PDFs created using MatrixPDF can be sent to a Gmail inbox and that the emails bypass anti-phishing filters . This is because these files do not contain malicious binaries, but only external links.
Another test conducted by researchers shows that simply opening a malicious PDF opens an external website. This functionality is more limited, as modern PDF viewers warn the user that the file is attempting to connect to a remote site.
Varonis experts remind us that PDF files remain a popular tool for phishing attacks because they are widely distributed and email platforms can display them without warning.
Follow us on Google News to receive daily updates on cybersecurity. Contact us if you would like to report news, insights or content for publication.
