- MatrixPDF phishing kit weaponizes PDFs using embedded JavaScript and redirect mechanisms
- It mimics legitimate tools, offering drag-and-drop import, content blur, and Gmail bypass features
- To stay safe, disable JavaScript, avoid suspicious PDFs, and use advanced email security tools
A new PDF phishing kit is being sold on the dark web, promising customers advanced features, a simple interface, and competitive pricing, experts have warned.
Security researchers from Varonis spotted MatrixPDF, an advanced solution being advertised as a legitimate tool, despite being circulated around the dark web.
Its full name is MatrixPDF: Document Builder – Advanced PDF Phishing with JavaScript Actions. It is being advertised as an “elite tool for crafting realistic simulation PDFs tailored for black teams and cybersecurity awareness training.”
How to defend
“With drag-and-drop PDF import, real-time preview, and customizable security overlays, MatrixPDF delivers professional-grade phishing scenarios,” the ad reads.
“Built-in protections-such as content blur, secure redirect mechanism, metadata encryption, and Gmail bypass-ensure authenticity and reliable delivery in testing environments.”
With MatrixPDF, users can add a URL to the PDF, to which the victims will be redirected.
They can add titles, custom icons, and blur the content to look like it is “protected” against unauthenticated viewers. But its key feature is embedding JavaScript.
Users can toggle on JavaScript actions inside the PDF, which are triggered when the file is either opened or clicked. The payload URL, specified beforehand, can then be opened automatically, as soon as the file is clicked.
MatrixPDF can also be used to simulate system dialogs and display custom alert messages. All these things “effectively turn the PDF into an interactive lure,” the researchers concluded.
The best way to defend from weaponized PDF files is to avoid clicking prompts in unexpected and unsolicited PDF attachments.
This is especially important if the files have “Open Secure Document” buttons or blurred overlays.
Users can also disable JavaScript in the PDF reader which blocks embedded scripts, and ultimately – keep both your email client and PDF reader up to date.
Finally, using advanced email security tools, such as AI-powered filters, can detect suspicious overlays, hidden links, and malicious redirect behaviors.
Via BleepingComputer
