Shayimamba Conco | Cyber Security Evangelist | Check Point Software Technologies | mail me |
Over 400 billion PDFs were opened last year. Adobe Acrobat users alone edited 16 billion documents. Today, more than 87% of organisations rely on PDFs for business communication. This widespread use makes them ideal for hiding malicious code.
Cybercriminals frequently exploit Portable Document Format (PDFs) for phishing because many still regard the format as safe and trustworthy.
Although 68% of malicious attacks arrive through email, PDF-based threats now account for 22% of all malicious email attachments, according to our esearch. These threats are particularly dangerous in organisations that share large volumes of PDF files daily.
Attackers understand how security providers analyse files, and they now favour PDFs due to their high success rate. They use advanced evasion tactics to bypass detection. These PDF-based attacks have become harder to identify and stop. Our research has tracked large volumes of malicious campaigns that traditional security vendors fail to detect. Some of these campaigns received zero detections on VirusTotal over the past year. In other words, the stealthy attack chain of PDF files is evolving rapidly.
Why PDFs are a prime target for cybercriminals
PDFs are complex documents. The PDF specification (ISO 32000) spans nearly 1,000 pages, offering many features attackers can manipulate to evade detection. This complexity opens multiple attack paths. Many security systems are not equipped to handle this level of sophistication.
In many ways, PDFs behave like CAPTCHA tests. They appeal to human users while evading automated detection. This blend of user-friendliness and analytical complexity is exactly what makes them attractive to attackers.
Over time, malicious PDFs have become more sophisticated. Initially, attackers relied on known software vulnerabilities (CVEs) in PDF readers. However, updates and default browser readers have made this method less effective for widespread campaigns.
Although JavaScript-based attacks within PDFs still occur, they are less frequent. These attacks are “noisy” and easier to catch. Our research found that many so-called JavaScript exploits failed across various readers, and most were detected by security vendors. Yet, attackers have adapted. When one method fails, they find another. Increasingly, they now use social engineering. Rather than exploit software flaws, they target human behaviour.
PDFs still appear trustworthy. They are versatile containers that can hide harmful links or code. Because users are so familiar with PDF attachments, they rarely question them. Attackers exploit this comfort, using social engineering to trick users. In addition, PDFs often bypass email security systems that are tuned to flag other file types.
The stealthy attack chain of PDF files continues to evolve. In many cases, PDFs contain links to phishing sites or malware. Although this method is simple, its low-tech nature helps it avoid automated detection. The attacker’s main objective is to get the user to click.
Understanding the stealthy attack chain of PDF files
One common technique we have documented is the link-based PDF campaign. These campaigns are simple but very effective.
Attackers embed a link to a phishing page or malware download inside a PDF. They usually pair the link with an image or message that entices the user to click. These visuals often mimic well-known brands like Amazon, DocuSign or Acrobat Reader.
Such campaigns are hard to detect because attackers control every element of the link, text and image. They can change the design or domain easily, helping the attack evade reputation-based security tools or signature-based systems. Even though the victim must click, this human factor helps attackers bypass automated systems like sandboxes, which cannot mimic human decisions.
Evasion techniques used by threat actors
Attackers constantly refine their evasion methods to stay ahead of detection systems. They tailor techniques to bypass specific tools.
-
URL evasion techniques
The most obvious warning sign in a PDF is the embedded link. Attackers use several methods to hide it:
-
- Redirect services – they mask malicious URLs using platforms like Bing, LinkedIn, or Google AMP, which are often whitelisted by security vendors.
- QR codes – some PDFs use QR codes that victims scan with their phones. This tactic bypasses traditional scanners.
- Phone scams – attackers may encourage victims to call a number instead of clicking a link. This eliminates digital trails but requires more user interaction.
-
Static analysis evasion
Many detection tools rely on static file analysis. But PDF structure is too complex for static methods alone. Attackers encode links in ways that hide their true nature. They exploit how PDF readers interpret annotations differently, tricking systems into overlooking harmful content.
-
File obscurement
Attackers also encrypt or obscure PDF content using filters and indirect objects. These files may appear damaged or suspicious, yet most PDF readers open them without issue. They prioritise usability over strict format compliance, letting malicious files slip through.
-
Machine learning evasions
To trick AI-based detection, attackers embed text in images instead of using standard formats. This forces systems to rely on Optical Character Recognition (OCR), which can miss or misread content. They also manipulate images to confuse OCR and NLP tools. Some embed invisible or minuscule text to deceive language models.
How to stay safe from PDF-based attacks
The Threat Emulation and Harmony Endpoint offer real-time protection against PDF-based threats. They guard across operating systems, file types and delivery methods.
However, individuals must also adopt smart habits:
- Verify senders – Always check the sender’s email address, even if the PDF seems legitimate.
- Be cautious with unexpected files – Do not click links in unsolicited PDFs, especially those asking you to scan QR codes or call a number.
- Hover over links – Preview full URLs before clicking. Be wary of shortened or redirected links.
- Use secure PDF viewers – Update your browser and reader regularly. Avoid using outdated or obscure tools.
- Disable JavaScript – Turn off JavaScript in PDF readers unless necessary.
- Update systems – Keep your operating system and antivirus tools current to patch known vulnerabilities.
- Trust your instincts – Suspicious formatting, typos or requests for personal data are red flags.
