Last week, I talked about how to disable some functionality in Adobe Acrobat (see blog).
This morning, we released generic detection for something we call Sus/PDFJs-S. Sophos will generically detect PDF files that use this functionality to run executables. This afternoon, I have just written detection for the first malicious PDF using this technique (Troj/PDFEx-DF).
When you open a file with Troj/PDFEx-DF you will be presented with the following:
If you were to ignore the obvious spelling mistake, Troj/PDFEx-DF would drop and execute:
The dropped executable is detected as Troj/Agent-MYJ.