The malware, which was spotted by U.K.-based Sophos and Finnish antivirus vendor F-Secure, uses a technique long practiced by Windows attackers.
"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," said today.
That practice relies on what is called the "double extension" trick: adding the characters ".pdf" to the filename to disguise an executable file.
The Mac malware uses a two-step process, composed of a Trojan "dropper" utility that downloads a second element, a Trojan "backdoor" that then connects to a remote server controlled by the attacker, using that communications channel to send information gleaned from the infected Mac and receiving additional instructions from the hacker.
Because it doesn't exploit a vulnerability in Mac OS X -- or any other software -- the malware instead must dupe users into downloading and opening the seemingly-innocuous PDF document, which is actually an executable.