Opened a PDF from Gmail? Congratulations, MatrixPDF has already connected to the hacker's server. Even without your click.

The prompt "Open protected document" has never been so dangerous.

Researchers from Varonis have reported the emergence of a new toolset called MatrixPDF, which allows threat actors to turn ordinary PDF files into interactive phishing lures. These files can bypass email filters and redirect victims to sites for credential theft or malware downloads. MatrixPDF was first spotted on a cybercrime forum, where the author distributed it via Telegram.
The developer positions MatrixPDF as a tool for "phishing simulations" and "red team" work as part of penetration testing. However, according to Varonis, in practice, the utility is being used to create real attack scenarios. The tool's advertisement itself highlights its professional features: drag-and-drop PDF import, real-time preview, and customization of the interface and visual elements, including blurred content overlays and interactive buttons.
MatrixPDF places special emphasis on bypassing defenses. The tool allows the embedding of JavaScript actions into PDF documents that trigger when the file is opened or when a user clicks on specific elements. For example, instead of standard text, a blurred field with a button labeled "Open protected document" may be displayed. Clicking it leads to an external resource hosting a phishing site or a malicious loader.
MatrixPDF also offers built-in obfuscation methods: metadata encryption, an authentication-bypassing redirect mechanism, and even the ability to circumvent Gmail filters. Varonis's research showed that such PDFs are indeed delivered to Gmail inboxes, as they contain no executable files—only links. Within the Gmail preview, JavaScript does not execute, but clickable elements remain active, making the attack particularly effective. The attacker designs the PDF so that the button looks like an expected element, and Gmail perceives the click as a user action, not malicious activity.
Varonis also demonstrated a scenario where the mere act of opening the PDF initiates a connection attempt to a remote resource. Although modern readers warn about such activity, this does not always stop the user—especially if the document is visually crafted to look like an official or protected file.
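A static triage pass for the document features described above (actions that fire on open, JavaScript, and link targets), shown as an added example that is not Varonis's or any vendor's code. The key list, function names and sample bytes are assumptions constructed for illustration; the scan decodes hex-escaped names and inflates Flate streams so that objects packed inside compressed streams are searched too.

```python
import re
import zlib

# PDF dictionary keys tied to the behaviours described above (open-time
# actions, JavaScript, external links). The selection is this example's choice.
ACTIVE_KEYS = {"OpenAction", "AA", "JavaScript", "JS", "URI", "Launch", "SubmitForm"}

NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")   # /J#61vaScript is the same name as /JavaScript
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal-string link targets only


def expand(data: bytes) -> bytes:
    """Return the raw bytes plus every stream that inflates cleanly."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or encrypted); needs deeper analysis
    return b"\n".join(parts)


def triage_pdf(data: bytes) -> dict:
    """Count active-content keys and collect link targets for review."""
    blob = expand(data)
    keys = {}
    for m in NAME_RE.finditer(blob):
        raw = HEX_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
        name = raw.decode("latin-1")
        if name in ACTIVE_KEYS:
            keys[name] = keys.get(name, 0) + 1
    uris = sorted({u.decode("latin-1") for u in URI_RE.findall(blob)})
    opens = bool({"OpenAction", "AA"} & keys.keys())
    return {"keys": keys, "uris": uris, "open_trigger": opens}


# Constructed sample, not a real lure: the link annotation sits inside a
# compressed stream and the action type uses a hex-escaped name.
HIDDEN = b"4 0 obj << /Subtype /Link /A << /S /URI /URI (https://login.example.invalid/doc) >> >>"
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
    b"5 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n"
    b"6 0 obj << /Type /ObjStm /Filter /FlateDecode >> stream\n"
    + zlib.compress(HIDDEN) + b"\nendstream endobj\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE))
```

A hit is a reason to route the attachment for closer inspection, not a verdict: many legitimate PDFs carry links, and encrypted or otherwise filtered streams are not expanded here.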
MatrixPDF is distributed via subscription: from $400 per month to $1500 for annual access. Forum posts indicate that the toolkit is actively supported and receives updates, making it attractive to cybercriminals looking to automate phishing under the guise of legitimate documentation.
PDF documents remain one of the most popular carriers in phishing attacks. Their widespread use, user trust, and the lack of system warnings when opening them make this format an ideal shell for malicious attachments. Even if the document itself is "clean," embedded links to external sites easily bypass antivirus scans and security filters.
Varonis emphasizes that traditional security measures are often powerless against this technique. However, more advanced solutions based on artificial intelligence, which analyze PDF structure, identify fake visual elements, and simulate user behavior in a sandbox, can effectively block such threats before they reach the victim's inbox.