The Weaponisation of PDFs: 68% of Cyberattacks Begin in Your Inbox, with 22% of These Hiding in PDFs
Over 400 billion PDFs were opened last year, and 16 billion documents were edited in Adobe Acrobat. Over 87% of organisations use PDFs as a standard file format for business communication, making them ideal vehicles for attackers to hide malicious code. Cybercriminals often turn to PDFs for phishing because the format is widely regarded as safe and reliable.
While 68% of malicious attacks are delivered through email, PDF-based attacks now account for 22% of all malicious email attachments, according to Check Point Research. This makes them particularly insidious for businesses that share large quantities of these files in the course of daily work. Threat actors have begun leveraging their deep understanding of how security providers scan and analyse files, and PDFs are becoming a preferred entry point due to their high success rate.
Threat actors use sophisticated countermeasures to bypass detection, making these attacks increasingly hard to spot – and stop. Check Point Research (CPR) has monitored vast quantities of malicious campaigns going undetected by traditional security vendors, with zero detections in VirusTotal for the past year.
This article explores the evolving tactics behind PDF-based attacks, how they slip past conventional security measures, and how Check Point's Threat Emulation provides real-time, zero-day protection against these elusive threats, blocking attack chains originating from PDFs before they can cause harm.
Understanding Why PDFs Are a Prime Target for Cybercriminals
PDFs are quite complex. The PDF specification, ISO 32000, spans nearly 1,000 pages, providing a wealth of features that can be exploited for evasion. This complexity opens the door to numerous attack vectors that some security systems are ill-equipped to detect. In many ways, PDFs act like CAPTCHA tests. They are designed to lure human victims while being evasive to automated detection systems. This unique combination of simplicity for the user and complexity for security systems is what makes malicious PDFs so attractive to bad actors.
Malicious PDFs have evolved in their sophistication in recent years. In the past, cyber criminals used known vulnerabilities in PDF readers (CVEs) to exploit flaws in the software. However, as PDF readers have become more secure and are frequently updated (especially browsers which now open PDFs by default), this attack method is less reliable for mass campaigns.
Attacks relying on JavaScript or other dynamic content embedded within PDFs – while still prevalent – have become less common. JavaScript-based attacks tend to be "noisy" and are more easily detected by security solutions. Check Point Research found that most so-called "exploits" based on JavaScript were unreliable across different PDF readers, with many security vendors able to catch them.
As with all things, when one door closes, another opens, and threat actors have been forced to shift tactics. Rather than using complex exploits, many attacks now rely on a simpler, yet effective approach—social engineering.
PDF files are typically perceived as genuine documents, serving as flexible containers for hiding harmful links, code, or other malicious content. By taking advantage of users' familiarity with PDF attachments and employing social engineering tactics, attackers boost their chances of deceiving recipients. Furthermore, PDFs can slip past email security systems that are more focused on flagging threats in other types of files.
Check Point Research shares some examples of attacks in which the PDF contains a link that leads to a malicious website or a phishing page. While this technique is relatively low-tech, its simplicity makes it harder for automated systems to detect. The attacker's goal is to get the victim to click the link, thus starting the attack chain.
The Anatomy of a PDF Attack Campaign
One of the most common PDF attack techniques Check Point Research has observed in the wild is link-based campaigns. These campaigns are simple yet incredibly effective. They typically involve a PDF that contains a link to a phishing site or a malicious file download. Often, the link is accompanied by an image or a piece of text designed to lure the victim into clicking it. These images often mimic trusted brands like Amazon, DocuSign, or Acrobat Reader, making the file look benign at first glance.
What makes these campaigns difficult to detect is that the attackers control all aspects of the link, the text, and the image, making it easy to change any of these elements. This flexibility allows these attacks to be resilient against reputation-based security tools or those that rely on static signatures. Even though these attacks involve human interaction (the victim must click the link), this is often an advantage for attackers, as sandboxes and automated detection systems struggle with tasks that require human decision-making.
Evasion Techniques Used by Threat Actors
Malicious actors continuously adapt their techniques to evade detection by security systems. These techniques show a deep understanding of how different detection methods work, and they are often tailored to bypass specific tools.
1. URL Evasion Techniques
The most obvious clue that a PDF might be malicious is the link it contains. To avoid detection, threat actors use a range of URL evasion techniques, such as:
Using benign redirect services: Attackers often use well-known redirect services, such as Bing, LinkedIn, or Google's AMP URLs, to mask the true destination of the malicious link. These services are often whitelisted by security vendors, which makes it harder for URL reputation-based systems to detect the threat.
QR codes: Another technique involves embedding QR codes in PDFs, which the victim is encouraged to scan with their phone. This approach bypasses traditional URL scanners entirely and adds an extra layer of complexity to the attack.
Phone scams: In some cases, attackers rely on social engineering to prompt victims to call a phone number. This approach completely eliminates the need for a suspicious URL but requires significant human interaction.
2. Static Analysis Evasion
PDFs have a complex structure, and many security tools rely on static analysis to detect malicious activity. However, this method is not always effective against sophisticated PDF-based attacks. Attackers can obfuscate the contents of the file, making it harder for security tools to analyse it.
For example, PDFs use annotations to define clickable areas (such as links), but these annotations can be encoded in ways that are difficult for static analysis tools to recognise. Attackers might even exploit the slight differences between how PDF readers interpret these annotations, causing automated systems to miss the malicious intent.
3. File Obscurement
PDFs can be heavily obfuscated, making it difficult to detect malicious behavior. Attackers often use encryption, filters, and indirect objects to hide their true intentions. While these techniques can make the file appear corrupt or suspicious, many common PDF readers are designed to prioritise robustness over strict adherence to the PDF specification, allowing such files to open correctly for the user but fail detection by automated systems.
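As an added illustration of the three evasion categories above (this is example code written for this page, not Check Point's detection logic), the following Python checker extracts /URI link targets from a PDF even when the dictionary key is written with #xx name escapes, the value is a hex string rather than a literal string, or the annotation object sits inside a FlateDecode-compressed stream, and then flags targets that route through one of the redirect hosts the article names. The redirect host list, the "/amp/" path heuristic, the sample PDF and the phish.example / docs.example hostnames are constructed assumptions; encrypted files and indirect /Length references are deliberately out of scope.

```python
import re, zlib
from urllib.parse import urlparse
# Hosts the article names as abused redirect services (assumed starter list; extend per environment).
REDIRECT_HOSTS = {"bing.com", "www.bing.com", "linkedin.com", "www.linkedin.com", "google.com", "www.google.com"}
NAME_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
KEY_STR_RE = re.compile(rb"/([A-Za-z0-9#]{3,12})\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)  # key + (literal)/<hex> value
STREAM_RE = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n", re.S)  # direct /Length only; "n 0 R" lengths are not handled

def decode_name(raw: bytes) -> bytes:
    """Undo #xx escapes in a name token, so /#55#52#49 compares equal to /URI."""
    return NAME_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def decode_string(raw: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string object to text."""
    if raw.startswith(b"<"):
        digits = re.sub(rb"\s", b"", raw[1:-1])  # whitespace is allowed inside hex strings
        return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii")).decode("latin-1")
    body = re.sub(rb"\\([0-7]{1,3})", lambda m: bytes([int(m.group(1), 8)]), raw[1:-1])  # octal escapes
    return re.sub(rb"\\(.)", rb"\1", body, flags=re.S).decode("latin-1")  # \( \) \\ and friends

def expand_streams(data: bytes) -> bytes:
    """Append inflated FlateDecode streams so annotations packed into object streams become searchable."""
    parts = [data]
    for m in STREAM_RE.finditer(data):
        if b"/FlateDecode" in data[max(0, m.start() - 200):m.end()]:
            try:
                parts.append(zlib.decompress(data[m.end():m.end() + int(m.group(1))]))
            except zlib.error:
                pass  # unreadable stream; the raw bytes are still searched
    return b"\n".join(parts)

def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI action target, whatever the key escaping, string encoding or compression."""
    return [decode_string(m.group(2)) for m in KEY_STR_RE.finditer(expand_streams(pdf_bytes))
            if decode_name(m.group(1)) == b"URI"]

def assess(url: str) -> str:
    """'redirect-wrapped' when a trusted host carries another URL (or an AMP path), else 'direct'."""
    p = urlparse(url)
    wrapped = (p.hostname or "").lower() in REDIRECT_HOSTS and ("http" in p.query.lower() or "/amp/" in p.path.lower())
    return "redirect-wrapped" if wrapped else "direct"

def build_sample_pdf() -> bytes:
    """Constructed sample, not a real campaign file: a plain link, an escaped-key hex-value link, a compressed one."""
    objs = [b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.bing.com/redirect?url=https://phish.example/login) >> >>",
            b"<< /Type /Annot /Subtype /Link /A << /S /URI /#55#52#49 <" + b"https://www.google.com/amp/s/phish.example/".hex().encode() + b"> >> >>"]
    packed = zlib.compress(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docs.example/report.pdf) >> >>")
    objs.append(b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed) + packed + b"\nendstream")
    body = b"\n".join(b"%d 0 obj\n" % (i + 1) + o + b"\nendobj" for i, o in enumerate(objs))
    return b"%PDF-1.7\n" + body + b"\n%%EOF\n"
```

Running `extract_uris(build_sample_pdf())` yields all three targets, and `assess` marks the Bing and Google AMP links as redirect-wrapped while the direct document link is left alone.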
4. Machine Learning Evasions
As security systems increasingly rely on machine learning (ML) to detect threats, attackers are finding ways to evade these models. One common technique is embedding text in images rather than using standard text formats, which forces security systems to rely on Optical Character Recognition (OCR) to extract the text, a step that is more prone to errors and delays. Attackers may even manipulate the images, using low-quality files or altering characters in subtle ways to confuse OCR software.
In addition to this, attackers may add invisible or extremely small text to deceive Natural Language Processing (NLP) models, making it harder for security systems to understand the document's true intent.
How to Stay Safe from PDF-Based Attacks
Check Point Threat Emulation and Harmony Endpoint deliver robust protection against diverse attack tactics, file types, and operating systems, defending against various threats as detailed in this report.
However, here are some practical steps everyone can take to reduce risk:
Always Verify the Sender
Even if the PDF looks legitimate, double-check the sender's email address. Cybercriminals often spoof well-known brands or colleagues to trick you into trusting the file.
Be Cautious with Attachments
If you weren't expecting a PDF — especially one prompting you to click a link, scan a QR code, or call a number — treat it as suspicious. When in doubt, don't click the link or document.
Hover Before You Click
Before clicking any link in a PDF, hover over it to see the full URL. Be cautious of shortened links or those using redirect services like Bing, LinkedIn, or Google AMP.
Use a Secure PDF Viewer
Modern browsers and PDF readers often have built-in security features. Keep them current and avoid opening PDFs in obscure or outdated software.
Disable JavaScript in PDF Viewers
If your PDF reader supports JavaScript (many do), disable it unless absolutely necessary. This reduces the risk of script-based exploits.
Keep Systems and Security Tools Updated
Ensure your operating system, browser, and antivirus software are regularly updated. Patches often close vulnerabilities exploited in malicious PDFs.
Trust Your Gut
If a PDF seems too good to be true, has unusual formatting and typos, or asks for credentials, it's likely a trap.
Follow Check Point via:
LinkedIn: https://www.linkedin.com/company/check-point-software-technologies
Twitter: https://www.twitter.com/checkpointsw
Facebook: https://www.facebook.com/checkpointsoftware
Blog: https://blog.checkpoint.com
YouTube: https://www.youtube.com/user/CPGlobal
About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyses global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.
About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading AI-powered, cloud-delivered cyber security platform provider protecting over 100,000 organisations worldwide. Check Point leverages the power of AI everywhere to enhance cyber security efficiency and accuracy through its Infinity Platform, with industry-leading catch rates enabling proactive threat anticipation and smarter, faster response times. The comprehensive platform includes cloud-delivered technologies consisting of Check Point Harmony to secure the workspace, Check Point CloudGuard to secure the cloud, Check Point Quantum to secure the network, and Check Point Infinity Platform Services for collaborative security operations and services.
Legal Notice Regarding Forward-Looking Statements
This press release contains forward-looking statements. Forward-looking statements generally relate to future events or our future financial or operating performance. Forward-looking statements in this press release include, but are not limited to, statements related to our expectations regarding future growth, the expansion of Check Point's industry leadership, the enhancement of shareholder value and the delivery of an industry-leading cyber security platform to customers worldwide. Our expectations and beliefs regarding these matters may not materialise, and actual results or events in the future are subject to risks and uncertainties that could cause actual results or events to differ materially from those projected. The forward-looking statements contained in this press release are also subject to other risks and uncertainties, including those more fully described in our filings with the Securities and Exchange Commission, including our Annual Report on Form 20-F filed with the Securities and Exchange Commission on April 2, 2024. The forward-looking statements in this press release are based on information available to Check Point as of the date hereof, and Check Point disclaims any obligation to update any forward-looking statements, except as required by law.