Troj/PDFEx-DF: SophosLabs sees malware exploiting /Launch

Last week, I talked about how to disable some functionality in Adobe Acrobat (see blog).

This morning, we released generic detection for something we call Sus/PDFJs-S: Sophos will now generically detect PDF files that use this /Launch functionality to run executables. This afternoon, I have just written detection for the first malicious PDF using this technique (Troj/PDFEx-DF).

When you open a file with Troj/PDFEx-DF you will be presented with the following:

If you were to ignore the obvious spelling mistake, Troj/PDFEx-DF would drop and execute:


The dropped file is detected as Troj/Agent-MYJ.
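A defender-side check for the technique described in this post, added here as an example (it is neither Sophos's detection logic nor code from the post): it scans a PDF's uncompressed objects for /Launch actions, extracts the file name each one points at, and notes whether the document's /OpenAction fires it automatically on open. The sample PDF and the file name inside it are constructed placeholders.

```python
import re

# Constructed sample (not from the post): a minimal PDF whose /OpenAction is a
# /Launch action naming a dropped file. The file name is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /Launch /F (PLACEHOLDER_dropped.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Indirect objects, "N G obj ... endobj". Objects packed inside a compressed
# object stream (/Type /ObjStm) are NOT visible to this scan; inflate them first.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# The /F target may be a literal string (...) or a hex string <...>
TARGET_RE = re.compile(rb"/F\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R\b")


def _pdf_string(literal, hexstr):
    """Decode the /F value; hex strings are a common way to hide the name."""
    if hexstr is not None:
        digits = re.sub(rb"\s", b"", hexstr)
        if len(digits) % 2:
            digits += b"0"          # PDF pads an odd final hex digit with 0
        return bytes.fromhex(digits.decode("ascii")).decode("latin-1")
    return literal.decode("latin-1")


def find_launch_actions(pdf_bytes):
    """Return one record per indirect object that carries a /Launch action."""
    auto = {int(n) for n in OPEN_ACTION_RE.findall(pdf_bytes)}
    findings = []
    for num, _gen, body in OBJ_RE.findall(pdf_bytes):
        if not LAUNCH_RE.search(body):
            continue
        hit = TARGET_RE.search(body)
        findings.append({
            "obj": int(num),
            "target": _pdf_string(hit.group(1), hit.group(2)) if hit else None,
            # True when the action runs on open, without any click in the page
            "on_open": int(num) in auto,
        })
    return findings

if __name__ == "__main__":
    for f in find_launch_actions(SAMPLE_PDF):
        print(f"obj {f['obj']}: /Launch -> {f['target']!r} (on open: {f['on_open']})")
```

Because the regexes only see plain-text objects, run the check after decompressing any object streams; treat a /Launch hit that is also the /OpenAction as the highest-priority finding.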