Over 400 billion PDF files were opened last year, and 16 billion documents were edited in Adobe Acrobat. Over 87% of organizations use PDFs as a standard file format for business communication, making them ideal vehicles for attackers to hide malicious code. Malicious PDFs have been cyber criminals’ favorite gateways for years but have now become even more popular.

While 68% of malicious attacks are delivered through email, PDF-based attacks now account for 22% of all malicious email attachments, according to Check Point Research. This makes them particularly insidious for businesses that share large quantities of these files in the course of daily work. Threat actors have begun leveraging their deep understanding of how security providers scan and analyze files, and PDFs are becoming a preferred entry point due to their high success rate.

Threat actors use sophisticated countermeasures to bypass detection, making these attacks increasingly hard to spot – and stop. Check Point Research (CPR) has monitored vast quantities of malicious campaigns going undetected by traditional security vendors, with zero detections in VirusTotal for the past year.

In this blog, we’ll explore the evolving tactics behind PDF-based attacks, how they slip past conventional security measures, and how Check Point’s Threat Emulation provides real-time, zero-day protection against these elusive threats, blocking attack chains originating from PDFs before they can cause harm.

Understanding Why PDFs Are a Prime Target for Cyber Criminals

PDFs are quite complex. The PDF specification, ISO 32000, spans nearly 1,000 pages, providing a wealth of features that can be exploited for evasion. This complexity opens the door to numerous attack vectors that some security systems are ill-equipped to detect. In many ways, PDFs act like CAPTCHA tests. They are designed to lure human victims while being evasive to automated detection systems. This unique combination of simplicity for the user and complexity for security systems is what makes malicious PDFs so attractive to bad actors.

Malicious PDFs have evolved in their sophistication in recent years. In the past, cyber criminals used known vulnerabilities in PDF readers (CVEs) to exploit flaws in the software. However, as PDF readers have become more secure and are frequently updated (especially browsers which now open PDFs by default), this attack method is less reliable for mass campaigns.

Attacks relying on JavaScript or other dynamic content embedded within PDFs – while still prevalent – have become less common. JavaScript-based attacks tend to be “noisy” and are more easily detected by security solutions. Check Point Research found that most so-called “exploits” based on JavaScript were unreliable across different PDF readers, with many security vendors able to catch them.

As with all things, when one door closes, another opens, and threat actors have been forced to shift tactics. Rather than using complex exploits, many attacks now rely on a simpler, yet effective approach—social engineering.

Cyber criminals often turn to PDFs for phishing because the format is widely regarded as safe and reliable. These files, typically perceived as genuine documents, serve as flexible containers for hiding harmful links, code, or other malicious content. By taking advantage of users’ familiarity with PDF attachments and employing social engineering tactics, attackers boost their chances of deceiving recipients. Furthermore, PDFs can slip past email security systems that are more focused on flagging threats in other types of files.

Here we share some examples of attacks in which the PDF contains a link that leads to a malicious website or a phishing page. While this technique is relatively low-tech, its very simplicity makes it harder for automated systems to detect. The attacker’s goal is to get the victim to click the link, which starts the attack chain.

The Anatomy of a PDF Attack Campaign

One of the most common PDF attack techniques Check Point Research has observed in the wild is link-based campaigns. These campaigns are simple yet incredibly effective. They typically involve a PDF that contains a link to a phishing site or a malicious file download. Often, the link is accompanied by an image or a piece of text designed to lure the victim into clicking it. These images often mimic trusted brands like Amazon, DocuSign, or Acrobat Reader, making the file look benign at first glance.

What makes these campaigns difficult to detect is that the attackers control all aspects of the link, the text, and the image, making it easy to change any of these elements. This flexibility allows these attacks to be resilient against reputation-based security tools or those that rely on static signatures. Even though these attacks involve human interaction (the victim must click the link), this is often an advantage for attackers, as sandboxes and automated detection systems struggle with tasks that require human decision-making.

Evasion Techniques Used by Threat Actors

Malicious actors continuously adapt their techniques to evade detection by security systems. These techniques show a deep understanding of how different detection methods work, and they are often tailored to bypass specific tools.

URL Evasion Techniques

The most obvious clue that a PDF might be malicious is the link it contains. To avoid detection, threat actors use a range of URL evasion techniques, such as:

  • Using benign redirect services: Attackers often use well-known redirect services, such as Bing, LinkedIn, or Google’s AMP URLs, to mask the true destination of the malicious link. These services are often whitelisted by security vendors, which makes it harder for URL reputation-based systems to detect the threat.
  • QR codes: Another technique involves embedding QR codes in PDFs, which the victim is encouraged to scan with their phone. This approach bypasses traditional URL scanners entirely and adds an extra layer of complexity to the attack.
  • Phone scams: In some cases, attackers rely on social engineering to prompt victims to call a phone number. This approach completely eliminates the need for a suspicious URL but requires significant human interaction.

Static Analysis Evasion

PDFs have a complex structure, and many security tools rely on static analysis to detect malicious activity. However, this method is not always effective against sophisticated PDF-based attacks. Attackers can obfuscate the contents of the file, making it harder for security tools to analyze it.

For example, PDFs use annotations to define clickable areas (such as links), but these annotations can be encoded in ways that are difficult for static analysis tools to recognize. Attackers might even exploit the slight differences between how PDF readers interpret these annotations, causing automated systems to miss the malicious intent.

File Obscurement

PDFs can be heavily obfuscated, making it difficult to detect malicious behavior. Attackers often use encryption, filters, and indirect objects to hide their true intentions. While these techniques can make the file appear corrupt or suspicious, many common PDF readers are designed to prioritize robustness over strict adherence to the PDF specification, allowing such files to open correctly for the user but fail detection by automated systems.
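A link-extraction check for the problems raised under URL evasion, static analysis evasion and file obscurement above, added here as an example and not Check Point's code: it walks a small constructed PDF in which one annotation spells its /URI key with a name hex-escape and stores the target as a hex string, decodes both spellings the way a reader would, and flags links that route through one of the redirect services named in the post. The sample PDF, the redirect URL shape and the short REDIRECT_HOSTS list are assumptions; compressed object streams and encrypted files would have to be decoded before this scan sees their dictionaries.

```python
import re
from urllib.parse import urlparse, unquote
# Constructed sample, not a real campaign artefact. Object 4 hides its /URI key behind a PDF
# name hex-escape (#55 = 'U') and stores the target as a hex string; object 5 is a plain
# literal string. Both are legal ISO 32000 syntax that readers follow, yet a naive grep for
# "/URI (http" sees only the second. The redirect URL shape below is invented.
HIDDEN_URL = "https://www.bing.com/redirect?to=https%3A%2F%2Fphish.example"
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 200 40] /A << /S /URI /#55RI <"
    + HIDDEN_URL.encode().hex().encode() + b"> >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [0 50 200 90] /A << /S /URI\n"
    b"  /URI (https://intranet.example/report\\(final\\).pdf) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
REDIRECT_HOSTS = ("bing.com", "linkedin.com", "google.com")  # services named in the post

# A dictionary key followed by a hex string <...> or a literal string (...);
# nested unescaped parentheses inside literal strings are not handled.
ENTRY = re.compile(rb"/([^\s/<>\[\]()]+)\s*(<[0-9A-Fa-f\s]*>|\((?:\\.|[^\\)])*\))", re.S)

def decode_name(raw):
    """Resolve #xx escapes in a PDF name, so /#55RI compares equal to /URI."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m[1], 16)]), raw)

def decode_string(tok):
    """Decode a hex or literal PDF string token to raw bytes."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    def unescape(m):  # \ddd octal; \n \r \t; \( \) \\ map to themselves
        if m[1][:1].isdigit():
            return bytes([int(m[1], 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(m[1], m[1])
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, tok[1:-1], flags=re.S)

def classify(uri):
    """Flag a link that routes through a known redirector and carries another URL."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    redirector = any(host == h or host.endswith("." + h) for h in REDIRECT_HOSTS)
    embedded = re.findall(r"https?://[^&\s]+", unquote(parsed.query))
    return {"uri": uri, "embedded": embedded, "suspicious": redirector and bool(embedded)}

def scan(pdf_bytes):  # one classification per /URI action found, whatever its spelling
    return [classify(decode_string(val).decode("latin-1"))
            for name, val in ENTRY.findall(pdf_bytes) if decode_name(name) == b"URI"]
```

Running `scan(SAMPLE_PDF)` reports the hex-hidden Bing-style link as suspicious with the embedded destination recovered, and the plain intranet link as clean.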

Machine Learning Evasions

As security systems increasingly rely on machine learning (ML) to detect threats, attackers are finding ways to evade these models. One common technique is embedding text in images rather than using standard text formats, forcing security systems to rely on optical character recognition (OCR) to extract the text, making it more prone to errors and delays. Attackers may even manipulate the images, using low-quality files or altering characters in subtle ways to confuse OCR software.

In addition to this, attackers may add invisible or extremely small text to deceive Natural Language Processing (NLP) models, making it harder for security systems to understand the document’s true intent.
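A content-stream audit for the invisible-text and text-in-images tricks described in the two paragraphs above, added here as an example rather than Check Point's own detection logic: it replays font-size and render-mode state across a constructed page stream, reports text runs a human would never see, and flags a page that draws only an image XObject as a candidate for OCR. The streams are constructed, the 4 pt threshold is an assumption, and FlateDecode-compressed streams would need inflating before the audit.

```python
import re

# Constructed content streams, not real samples. The first paints one visible line, one run
# hidden by text render mode 3 and one run at a 0.3 pt font size; the second draws only an
# image XObject, the "text in images" case. Streams must be inflated (FlateDecode) first.
TEXT_STREAM = b"""BT /F1 12 Tf 72 720 Td (Your invoice is attached) Tj ET
BT /F1 12 Tf 3 Tr 72 700 Td (harmless newsletter about gardening) Tj ET
BT /F1 0.3 Tf 0 Tr 72 680 Td (unsubscribe community update) Tj ET"""
IMAGE_ONLY_STREAM = b"q 612 0 0 792 0 0 cm /Im1 Do Q"

# Operators carried as graphics state: Tf sets font size, Tr the render mode; Tj shows text,
# Do paints an XObject. Literal-string Tj only; TJ arrays, escaped parentheses and q/Q
# nesting are left out of this example.
OP = re.compile(rb"/\S+\s+(-?[\d.]+)\s+Tf|(\d)\s+Tr|\((.*?)\)\s*Tj|(\bDo\b)", re.S)
INVISIBLE_MODES = (3, 7)  # 3 = invisible, 7 = add to clipping path only: no glyphs painted

def audit_text(stream, min_size=4.0):
    """Return (text, reason) pairs for text a human would not see, in stream order."""
    findings, size, mode, shown, drew_xobject = [], None, 0, 0, False
    for m in OP.finditer(stream):
        if m[1] is not None:
            size = float(m[1])            # Tf persists until the next Tf, across BT/ET
        elif m[2] is not None:
            mode = int(m[2])              # Tr likewise; default render mode is 0 (fill)
        elif m[4] is not None:
            drew_xobject = True
        else:
            shown += 1
            text = m[3].decode("latin-1")
            if mode in INVISIBLE_MODES:
                findings.append((text, "invisible render mode %d" % mode))
            elif size is not None and size < min_size:
                findings.append((text, "font size %.1f pt" % size))
    if drew_xobject and shown == 0:
        findings.append(("", "XObject drawn but no text shown: possible text-as-image, run OCR"))
    return findings
```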

How to Stay Safe from PDF-Based Attacks

Check Point Threat Emulation and Harmony Endpoint deliver robust protection against diverse attack tactics, file types, and operating systems, defending against various threats as detailed in this report.

However, here are some practical steps everyone can take to reduce risk:

  • Always Verify the Sender

Even if the PDF looks legitimate, double-check the sender’s email address. Cyber criminals often spoof well-known brands or colleagues to trick you into trusting the file.

  • Be Cautious with Attachments

If you weren’t expecting a PDF — especially one prompting you to click a link, scan a QR code, or call a number — treat it as suspicious. When in doubt, don’t click the link or open the document.

  • Hover Before You Click

Before clicking any link in a PDF, hover over it to see the full URL. Be cautious of shortened links or those using redirect services like Bing, LinkedIn, or Google AMP.

  • Use a Secure PDF Viewer

Modern browsers and PDF readers often have built-in security features. Keep them current and avoid opening PDFs in obscure or outdated software.

  • Disable JavaScript in PDF Viewers

If your PDF reader supports JavaScript (many do), disable it unless absolutely necessary. This reduces the risk of script-based exploits.

  • Keep Systems and Security Tools Updated

Ensure your operating system, browser, and antivirus software are regularly updated. Patches often close vulnerabilities exploited in malicious PDFs.

  • Trust Your Gut

If a PDF seems too good to be true, has unusual formatting and typos, or asks for credentials, it’s likely a trap.
