This PDF uses a feature, specified in the PDF format, known as a Launch action. A Launch action is intended to be used to run an application or to open or print a document. A security researcher recently discovered that this feature can be used to run an executable embedded within the PDF file.
This PDF also contains an attachment (PDFs can have an attachment embedded within them, just like emails) named Royal_Mail_Delivery_Notice.pdf, which has been compressed inside the PDF file. This attachment is actually an executable file and, if run, will install the Zeus bot.
This could be somewhat confusing to users and, not really knowing what is happening, they may just click save (it appears as if they are just saving a PDF file, after all). Users of Foxit PDF reader will get no warning, and the attachment will be saved to the user's Documents folder.
It's no surprise to see that malware authors are closely monitoring the latest research from the white hat security community for new tricks to execute attacks. In this case, the user is required to click a few times before the malware is installed but, as M86 Security Labs notes, the average computer user is not technologically savvy enough to spot the signs of malicious activity.
Adobe is considering a patch to change the behavior of the software. In the meantime, the company is suggesting that users configure its PDF Reader product to limit the damage from an attack.
Here are the instructions for mitigating a potential attack:
Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”.
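For mail gateways or analysts who want to flag such files before a user opens them, the following triage check looks for the two features described above, a Launch action and a compressed attachment that is really an executable. It is an added example, not code from M86 Security Labs or Adobe; the function names and the sample bytes are constructed for illustration, and it assumes attachments are Flate-compressed.

```python
import re
import zlib

NAMES = ("/Launch", "/EmbeddedFile", "/EmbeddedFiles")

def decode_names(data: bytes) -> bytes:
    """Undo #xx hex escapes, which PDF permits inside names (/L#61unch == /Launch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def count_names(data: bytes) -> dict:
    decoded = decode_names(data)  # used for name matching only, not for stream contents
    counts = {}
    for name in NAMES:
        # The lookahead stops /Launch from matching a longer name such as /Launcher.
        counts[name] = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z0-9])", decoded))
    return counts

def executable_streams(data: bytes) -> int:
    """Count Flate streams whose decompressed content starts with the 'MZ' header."""
    hits = 0
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            # Inflate only the first two bytes: enough for the check, and bomb-safe.
            head = zlib.decompressobj().decompress(m.group(1), 2)
        except zlib.error:
            continue  # not Flate-compressed, or damaged
        hits += head == b"MZ"
    return hits

def triage(data: bytes) -> dict:
    report = count_names(data)
    report["executable_streams"] = executable_streams(data)
    report["suspicious"] = report["/Launch"] > 0 or report["executable_streams"] > 0
    return report

def build_sample() -> bytes:
    """Constructed PDF-like bytes for the demo; the 'attachment' is MZ plus zero padding."""
    blob = zlib.compress(b"MZ" + b"\x00" * 64)
    return (b"%PDF-1.6\n"
            b"1 0 obj << /Type /Action /S /L#61unch /F (placeholder) >> endobj\n"
            b"2 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(blob)).encode() + b" >>\nstream\n" + blob
            + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit is a reason to quarantine and inspect the file, not proof of malice; attachments hidden inside compressed object streams or behind other filters need a full PDF parser.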