Gmail’s Malicious Document Classifier Can Still Be Trivially Evaded

Yizheng Chen
3 min readDec 10, 2020


Gmail has improved its malicious document classifier using deep learning recently. It can now detect many insertion-only attacks that generate PDF malware variants, including adding padding to the file and adding benign textbook pages. However, I found that by making trivial deletion within malicious PDFs, one can still evade Gmail’s classifier.

I obtained some new PDF malware from VirusTotal’s November 2020 dataset, detected by many Anti-Virus products and Gmail as malicious.

For example, this PDF file lures user into clicking “I’m not robot” on the first page, which opens a phishing webpage. The phishing PDF also shows some additional PDF links at the bottom of the second page. A user is probably more likely to click on the image on the first page because of browsing habits, whereas the links from the second page are more subtle.

The first page (left) and the second page (right) of the phishing PDF.

I tried deleting all links on the second page (the corresponding /Root/Pages/Kids/Annots objects), but I kept everything from the first page. This essentially preserved the phishing logic and its URL. Unfortunately, doing this can evade Gmail’s malicious document classifier. As shown below, Gmail can detect the original malware (left), but not the variants (right). By manually checking the behavior of PDF variants, I confirmed that this worked for all 57 phishing PDFs to evade Gmail.

I noticed that the phishing URLs in the PDFs are not detected by Google Safe Browsing. What if we replace that with an active phishing URL that Google can already detect? So I found this URL from PhishTank that pretends to be Amazon Japan, which can be detected by Google Safe Browsing.

Switched the URL in the PDF with an online phishing URL that disguises as Amazon Japan.

I replaced the phishing URL in the PDF with this one. Unfortunately, Gmail still cannot detect it as malicious. Despite the improvements, Gmail’s malicious document classifier can still be trivially evaded.

This attack only deletes one subtree in the /Root/Pages/Kids array, which is covered by the Subtree Deletion Property we proposed in the USENIX Security paper. Since PDF files can be parsed as trees, we proposed robustness properties using a new tree distance to capture building-block attacks that generate syntactically-correct malware variants. Training PDF malware classifiers with combinations of robustness properties can eliminate trivial evasion attacks, and make it harder for sophisticated attacks to succeed. We hope this shows a promising direction to raise the bar for the attackers.