PDFs are the new cyber weapon of choice, warns Check Point report

A harmless-looking PDF might be the doorway to your organisation’s worst cybersecurity nightmare.

Business Today Desk
  • Updated Apr 3, 2025 9:49 PM IST

Check Point Research has raised alarms about a surge in cyberattacks using PDF files as carriers of malicious content. According to the report, while 68% of all cyberattacks originate via email, an alarming 22% of these involve weaponised PDF attachments, making them one of the most dangerous tools in a hacker’s arsenal today.

With over 400 billion PDFs opened last year and 87% of global businesses using them as a standard format, their ubiquity has made them a favoured attack vector. And cybercriminals are becoming more sophisticated, taking advantage of the complex PDF structure and users’ trust in the format to evade traditional detection systems.

“PDFs are deceptively simple for users, but incredibly complex for security tools to analyse thoroughly,” the report notes.

The complexity of the PDF format, defined in a nearly 1,000-page ISO specification, offers numerous loopholes for attackers. PDF attacks have evolved from exploiting vulnerabilities in PDF readers to relying on more subtle methods like social engineering. Today’s threats often embed malicious links or QR codes, hiding them behind what appear to be legitimate invoices, forms, or brand logos.

One common method includes the use of redirect services like Google AMP or LinkedIn links to mask phishing URLs. Others embed QR codes that prompt users to scan them with their phones, thereby bypassing many endpoint security checks altogether.

Attackers are now deploying tactics specifically designed to bypass antivirus and email security tools:

    •    Static Analysis Evasion: Attackers encode links in ways that static scanners can’t interpret correctly.

    •    Obfuscation & Encryption: PDFs are heavily disguised using encryption and filters to avoid raising red flags.

    •    Machine Learning Workarounds: Cybercriminals embed malicious text within images or use invisible text to confuse AI-powered defence tools.
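
For defenders, the redirect masking and link encoding described above can be checked at triage time. The Python below is an added example, not code from Check Point or the report: it decodes `/URI` link targets written as literal or hex PDF strings and peels redirect wrappers to show the real destination. The wrapper host list, the `/amp/` and `url=` wrapper shapes, the restriction to uncompressed PDF objects, and the sample bytes are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed wrapper hosts (keep your own list); URI_RE matches "(...)" and "<hex>" values.
REDIRECT_HOSTS = {"www.google.com", "google.com", "www.linkedin.com", "linkedin.com"}
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)

def _unescape(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes that hide a URL from a plain grep."""
    def rep(m):
        if m.group(1):  # octal escape, e.g. \056 -> "."
            return bytes([int(m.group(1), 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(m.group(2), m.group(2))
    return re.sub(rb"\\(?:([0-7]{1,3})|(.))", rep, raw, flags=re.S)

def extract_links(pdf: bytes) -> list[str]:
    """Decode every /URI target found in uncompressed PDF bytes."""
    links = []
    for m in URI_RE.finditer(pdf):
        if m.group("hex") is not None:
            digits = re.sub(rb"\s", b"", m.group("hex"))
            raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode())
        else:
            raw = _unescape(m.group("lit"))
        links.append(raw.decode("latin-1"))
    return links

def final_destination(url: str) -> str:
    """Peel wrapper URLs (AMP path or url= parameter) down to the real target."""
    for _ in range(5):  # bounded, since wrappers can be nested
        parts = urlsplit(url)
        if (parts.hostname or "").lower() not in REDIRECT_HOSTS:
            break
        amp = re.match(r"/amp/(s/)?(.+)", parts.path)
        nested = parse_qs(parts.query).get("url")
        if not (amp or nested):
            break
        url = (("https://" if amp.group(1) else "http://") + amp.group(2)) if amp else nested[0]
    return url

def triage(pdf: bytes) -> list[tuple[str, str]]:
    """Return (link as written, unwrapped target) for links that hide their target."""
    return [(u, d) for u in extract_links(pdf) if (d := final_destination(u)) != u]

# Constructed sample, not from a real campaign: AMP wrapper, hex-encoded url= wrapper, plain link.
_WRAPPED = b"https://www.linkedin.com/redirect?url=https%3A%2F%2Fphish.example%2Fpay"
SAMPLE = (b"<< /S /URI /URI (https://www.google.com/amp/s/login.phish.example/invoice) >>\n"
          b"<< /S /URI /URI <" + _WRAPPED.hex().encode() + b"> >>\n"
          b"<< /S /URI /URI (https://intranet.example/doc\\0561) >>\n")
```

Links inside compressed object streams will not be seen until the streams are inflated, so run this after a PDF normalisation step in a real pipeline.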

Check Point warns that many of these attack campaigns go undetected by traditional security tools, with some not flagged even once on platforms like VirusTotal for over a year.

The report outlines a typical attack chain: A benign-looking PDF with brand logos contains a link that directs the user to a phishing site or malware download. These elements are so well disguised that automated tools fail to identify them as threats—until it’s too late.

Check Point recommends a mix of vigilance and technology:

    •    Always verify the sender of a PDF.
    •    Avoid clicking unexpected links or scanning QR codes from PDFs.
    •    Use secure PDF viewers and keep them updated.
    •    Disable JavaScript in PDF readers if possible.
    •    Hover over any embedded links to inspect URLs before clicking.
    •    Trust your instincts; if it feels suspicious, it probably is.

Published on: Apr 3, 2025 9:49 PM IST