A new kit called MatrixPDF is making the rounds among cybercriminals, and its function is as concerning as it is clever: it allows regular PDF files to be transformed into interactive traps designed to steal credentials or install malware—all while bypassing security filters such as those used in email systems.
The tool was identified by security researchers at Varonis, who first detected its presence on a well-known cybercrime forum. According to their findings, MatrixPDF is not only being sold on these platforms but is also actively promoted through Telegram channels, where the developer maintains direct contact with potential buyers.
Although its creator describes it as a solution for phishing simulations or offensive security testing, Varonis experts warn that it is already being used for malicious purposes. From the moment it appeared on underground forums, its true intent was clear: to facilitate covert attacks using a file format most users inherently trust.
MatrixPDF is presented as a high-level tool for generating customized PDF files that realistically simulate phishing scenarios. It is designed for offensive security teams and cybersecurity awareness programs, but its capabilities go far beyond those of a simple document generator.
Among its standout features are an intuitive interface with drag-and-drop functionality, real-time preview, and configurable security overlays. These tools allow for the creation of phishing campaigns that closely mimic real-world situations with a professional level of detail.
Additionally, MatrixPDF includes several features to bypass security barriers, such as blurring sensitive content, controlled redirects, metadata encryption, and specific techniques to evade Gmail filters. These features are meant to help the files reach their targets even in highly controlled environments.
The tool is sold through various subscription plans, with prices ranging from $400 per month to $1,500 per year, depending on the level of access and features included.
MatrixPDF Pricing (Source: Varonis)
MatrixPDF allows attackers to take a legitimate PDF file and transform it into a decoy designed to deceive the user. The tool makes it possible to add malicious layers such as blurred content, fake “Secure Document” messages, and interactive buttons that redirect to external sites hosting the payload, such as malware or phishing pages.
One of its most powerful features is the ability to embed JavaScript actions, which can be triggered automatically when the file is opened or when the victim clicks on certain elements. These actions can launch malicious websites, redirect to fake forms, or even initiate other unwanted activities without the user noticing.
MatrixPDF Feature Screen
Additionally, the use of blurred content and buttons like “Open Secure Document” gives the file a professional and legitimate appearance, increasing the likelihood that users will interact with it. When clicked, the file redirects the user to an external website, which can facilitate credential theft or malware installation.
In recent tests, files created with MatrixPDF were successfully sent to Gmail accounts, bypassing anti-phishing filters. This is possible because the PDFs do not contain embedded executables or malicious binaries; instead, they include external links disguised as legitimate content, allowing them to go unnoticed.
Although Gmail does not allow JavaScript code to execute within PDF files, it does allow users to click on links and annotations inside the document. Attackers exploit this by creating PDF files with buttons that, when clicked, simply open an external website directly in the user’s browser.
This method, while simple, manages to bypass many security mechanisms. Since the file does not contain malware directly, automated scanners detect nothing suspicious. The malicious content is only triggered if the user clicks, making it appear as a legitimate user-initiated action—even to platforms like Gmail.
In more aggressive variants, the documents are configured to try to automatically open an external URL as soon as they are opened. However, modern PDF viewers typically display a warning when this occurs, slightly limiting the effectiveness of this automatic approach.
The problem is that PDFs remain a widely used format in everyday communication, especially via email. This makes them an ideal vehicle for phishing campaigns, as many people trust them and open them without a second thought.
One of the most effective ways to combat this threat is through AI-powered security solutions that not only scan visible content but also analyze the internal structure of the file. These tools can detect fake overlays, simulated blurred content, hidden links, and other typical elements of malicious PDF attacks.
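The structural checks described above can be approximated with a short static triage script. This is an added example, not code from Varonis or from any product named in this article: it flags actions that fire on open, embedded JavaScript, and form buttons that open an external URL. The function names, the list of watched PDF name tokens and both sample documents are constructed for illustration.

```python
import re
import zlib

# Name tokens tied to the behaviours described above: actions that fire on
# open, embedded JavaScript, and clickable elements that open external URLs.
WATCHED = ("OpenAction", "AA", "JavaScript", "JS", "URI", "Launch", "Widget")

def _inflate(m):
    # Replace a stream body with its inflated form so objects packed in
    # Flate-compressed streams are searched too; other bytes are dropped.
    try:
        return b"\n" + zlib.decompressobj().decompress(m.group(1)) + b"\n"
    except zlib.error:
        return b"\n"

def _decode_name(m):
    # PDF names may hide characters as #xx hex escapes (/J#61vaScript).
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda h: bytes([int(h.group(1), 16)]), m.group(0))

def triage_pdf(data):
    body = re.sub(rb"stream\r?\n(.*?)endstream", _inflate, data, flags=re.S)
    body = re.sub(rb"/[^\s/<>\[\]()]+", _decode_name, body)
    urls = [u.decode("latin-1") for u in re.findall(rb"/URI\s*\(([^)]*)\)", body)]
    # Blank out literal strings so text inside them is not counted as a name.
    names = re.findall(rb"/(\w+)", re.sub(rb"\([^)]*\)", b"()", body))
    counts = {k: names.count(k.encode()) for k in WATCHED}
    active = counts["JS"] or counts["JavaScript"]
    findings = []
    if (counts["OpenAction"] or counts["AA"]) and (active or counts["URI"] or counts["Launch"]):
        findings.append("action runs automatically on open")
    if active:
        findings.append("embedded JavaScript")
    if counts["Widget"] and urls:
        findings.append("form button with external URL")
    return {"counts": counts, "urls": urls, "findings": findings}

# Constructed samples (not real MatrixPDF output): a button that opens a
# site, and a compressed object with an obfuscated JavaScript open action.
SAMPLE_BUTTON = (b"%PDF-1.7\n1 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn"
                 b" /A << /S /URI /URI (https://portal.example.invalid/open) >> >>\nendobj\n")
SAMPLE_AUTO = (b"%PDF-1.7\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
               + zlib.compress(b"<< /OpenAction << /S /J#61vaScript /JS (placeholder) >> >>")
               + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for label, pdf in (("button", SAMPLE_BUTTON), ("auto", SAMPLE_AUTO)):
        print(label, triage_pdf(pdf)["findings"])
```

This is a first-pass filter for a mail gateway or triage queue: it does not handle encrypted documents or filters other than Flate, so a clean result is not proof that a file is safe.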
TecnetProtect offers an intelligent layer of protection for email. Its technology deeply analyzes each attachment, detects structural anomalies, and detonates suspicious URLs in isolated environments (sandboxing), preventing dangerous files from reaching the end user's inbox.
This kind of proactive approach not only blocks known threats but also anticipates new or customized attacks—a key capability against evasive techniques like those used by MatrixPDF.