Trojan:Win32/Pdfphish.A


Trojan:Win32/Pdfphish.A is a PDF file with a malformed hyperlink that links to other malware.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Pdfphish.A is a PDF file with a malformed hyperlink that links to other malware.

Installation

This trojan commonly arrives as a file attached to spam email messages with a forged "from" email address. The following is an example of the PDF file content and malicious link:

Payload

Downloads other malware
When the malicious PDF file is opened and the embedded hyperlink is followed, the link leads to malware hosted on a remote server. In the wild, the hyperlink pointed to malware detected as PWS:Win32/Zbot.gen!R and PWS:Win32/Zbot.gen!U.

Analysis by Rodel Finones


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Receipt of a file named "stratfor.pdf" via email, with a hyperlink that points to a file named "av.zip"
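
A triage check for the indicator above, as an added example that is not part of the original entry: it lists the /URI link targets in a PDF, including those inside Flate-compressed streams, and flags links that point at an archive or executable. The extension list, the function names and the sample bytes (with the placeholder host host.example) are assumptions made for the example.

```python
import re
import zlib

# Extensions flagged when a link points straight at a download (assumed list).
RISKY_EXT = (".zip", ".exe", ".scr", ".rar", ".js", ".jar")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URI_RE = re.compile(rb"/URI\s*(?:\(|<([0-9A-Fa-f\s]*)>)")
# Constructed sample: one link annotation; the host is a placeholder.
SAMPLE = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
          b"/A << /S /URI /URI (http://host.example/av.zip) >> >>\nendobj\n")

def _literal_string(buf, start):
    """Read a PDF literal string; buf[start] is the byte after '('."""
    out, depth, i = bytearray(), 1, start
    while i < len(buf):
        if buf[i] == 0x5C:                   # backslash: skip to escaped byte
            i += 1
        else:                                # track nested parentheses
            depth += (buf[i] == 0x28) - (buf[i] == 0x29)
            if depth == 0:
                break
        out += buf[i:i + 1]
        i += 1
    return bytes(out)

def extract_uris(pdf):
    """Return /URI action targets from plain and Flate-compressed objects."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:   # decompressobj tolerates stray EOL bytes around the stream data
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass                             # other filter, or encrypted
    uris = []
    for body in bodies:
        for m in URI_RE.finditer(body):
            if m.group(1) is None:
                raw = _literal_string(body, m.end())
            else:                            # hex string; odd length pads a 0
                h = b"".join(m.group(1).split())
                raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode())
            uris.append(raw.decode("latin-1"))
    return uris

def risky_links(pdf):
    """URIs whose path (query and fragment dropped) ends in a risky extension."""
    return [u for u in extract_uris(pdf)
            if u.split("?")[0].split("#")[0].lower().endswith(RISKY_EXT)]
```

Links inside encrypted PDFs or streams that use a filter other than Flate are not seen by this check.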

Prevention


Alert level: Severe
First detected by definition: 1.119.1683.0
Latest detected by definition: 1.119.1924.0 and higher
First detected on: Feb 10, 2012
This entry was first published on: Feb 10, 2012
This entry was updated on: Feb 14, 2012

This threat is also detected as:
No known aliases