MatrixPDF Malware Targets Gmail Users with Malicious PDFs
A new cyber threat, named MatrixPDF, allows attackers to transform regular PDF files into phishing and malware distribution tools, targeting Gmail users.
In a rush? Here are the quick facts:
- MatrixPDF turns ordinary PDFs into phishing and malware delivery tools.
- It uses overlays, JavaScript, and fake prompts to bypass Gmail filters.
- Clicking “Open Secure Document” can steal credentials or download malware.
The malware uses three methods to bypass email filters: overlays, clickable prompts, and embedded JavaScript, as first detailed by security researchers at Varonis.
“Cybercriminals don’t need to look for new exploits when they can weaponize what people already trust,” the researchers say. PDF files are trusted by users, and attackers exploit that trust to steal credentials or deliver malware.
MatrixPDF modifies genuine PDF documents by adding deceptive “Secure Document” alerts, content blurring, customized icons, and JavaScript execution.
Attackers redirect users to phishing sites and malware download locations through payload URLs, which users reach by clicking on the malicious PDFs. Other options include simulating system dialogs or alert messages to guide the user.
The researchers explain that there are two main attack methods. The first uses email PDF previews in Gmail. The PDF appears normal because Gmail does not run JavaScript.
The reader displays a blurred page with an alert prompting users to click “Open Secure Document,” which in turn opens a malicious URL in the browser. The researchers say that this evades Gmail’s antivirus sandbox because the download is treated as a user-initiated web request.
The second method uses PDF-embedded JavaScript within desktop and browser PDF readers. The script performs automatic malware retrieval when users launch files or respond to system prompts.
The majority of users encounter security warnings when accessing files, but researchers say many of them proceed to click “Allow” believing it to be a necessary step for them to view the file.
AI-powered email security systems identify MatrixPDF attacks in attachments by detecting unusual file structures, dangerous URLs, and hidden scripts.
The systems run simulated attacks in a sandbox environment to detect the “Open Secure Document” prompt and prevent it from entering email inboxes. “AI-powered defenses can detect and block the entire attack process before it reaches your inbox,” Varonis argued.
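The two delivery paths described above (a clickable prompt that opens a URL, and PDF-embedded JavaScript that runs when the file is opened) and the detection approach in the last two paragraphs (flag unusual structure, embedded URLs and hidden scripts before the attachment reaches an inbox) can be illustrated with a small static attachment scanner. The example below is added here and is not Varonis' tooling, nor a sample of MatrixPDF itself: it builds a constructed PDF fragment that carries a hex-escaped `/OpenAction`, a JavaScript action hidden inside a Flate-compressed object stream, and a link annotation to a placeholder URL, then scans it for risky PDF name objects and URLs, inflating compressed streams so that scripts hidden there are still seen. The risk weights, the `example.invalid` URL and the verdict threshold are assumptions chosen for the demonstration, and the scanner only covers FlateDecode, not every PDF filter.

```python
import re
import zlib

# PDF name objects that indicate active content or outbound actions.
# Weights are an assumption for this example; the sum drives the verdict.
RISKY_NAMES = {
    b"/JavaScript": 3,
    b"/JS": 3,
    b"/OpenAction": 2,    # action that runs when the document opens
    b"/AA": 2,            # additional, event-triggered actions
    b"/Launch": 4,        # launches an external application
    b"/URI": 1,           # opens a web address
    b"/SubmitForm": 2,
    b"/EmbeddedFile": 2,
    b"/GoToR": 1,         # jumps to a remote file
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream whose dictionary names the FlateDecode filter, up to endstream.
_FLATE_STREAM = re.compile(
    rb"/FlateDecode.*?>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_URL = re.compile(rb"https?://[^\s<>()'\"]+")
# A PDF name ends at whitespace or a delimiter character.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes (e.g. /J#61vaScript -> /JavaScript) so
    obfuscated names still match the risky-name list."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every FlateDecode stream that inflates
    cleanly; a corrupt stream is skipped rather than aborting the scan."""
    out = []
    for m in _FLATE_STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and inside inflated streams,
    collect URLs, and return a weighted score with a simple verdict."""
    raw = normalize_names(data)
    hidden = normalize_names(inflate_streams(data))  # inflate the original bytes
    findings = {"names": {}, "hidden_names": {}, "urls": [], "score": 0}
    for name, weight in RISKY_NAMES.items():
        pat = re.compile(re.escape(name) + _NAME_END)
        n_raw, n_hidden = len(pat.findall(raw)), len(pat.findall(hidden))
        if n_raw:
            findings["names"][name.decode()] = n_raw
        if n_hidden:
            findings["hidden_names"][name.decode()] = n_hidden
        findings["score"] += weight * (n_raw + n_hidden)
    findings["urls"] = sorted({u.decode("latin-1") for u in _URL.findall(raw + hidden)})
    findings["verdict"] = "suspicious" if findings["score"] >= 4 else "low-risk"
    return findings


def _assemble(objs) -> bytes:
    """Wrap object bodies in a minimal PDF (no xref table: enough for a
    scanner to read, not meant to be opened in a viewer)."""
    body = b"%PDF-1.7\n"
    for i, obj in enumerate(objs, start=1):
        body += b"%d 0 obj\n" % i + obj + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_sample_pdf() -> bytes:
    """Constructed lure-style PDF: obfuscated /OpenAction pointing at a
    JavaScript action stored inside a compressed object stream, plus a link
    annotation to a placeholder URL (example.invalid never resolves)."""
    objstm_body = (b"6 0 << /Type /Action /S /JavaScript "
                   b"/JS (app.alert('Open Secure Document')) >>")
    packed = zlib.compress(objstm_body)  # "6 0 " header is 4 bytes -> /First 4
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 6 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://example.invalid/open-secure-document) >> >>",
        b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
        b"stream\n" % len(packed) + packed + b"\nendstream",
    ])


def build_benign_pdf() -> bytes:
    """Constructed ordinary PDF: one page of compressed text, no actions."""
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (Quarterly report) Tj ET")
    return _assemble([
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
    ])


if __name__ == "__main__":
    for label, pdf in (("lure", build_sample_pdf()), ("benign", build_benign_pdf())):
        print(label, scan_pdf(pdf))
```

The lure sample is only caught in full because the scanner does two things a naive string match does not: it decodes `#41` back to `A` before matching `/OpenAction`, and it inflates the object stream where the `/JavaScript` action actually lives. Scoring structure rather than payloads is also what keeps the benign sample at zero, since ordinary text content in a compressed stream carries none of the listed names.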