Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database.

The spammed email contains an attached PDF file named "stratfor.pdf". Upon opening the PDF file, it displays the following content, with a reference to using security software to scan for the fictional "Win32Azee virus":

 

The link displayed in the emails appears legitimate at first glance, but looking closely at the target address, you notice that it doesn't originate from the address in the email text. Stratfor is based in Texas, United States however the download URL is located somewhere in Turkey. A sample of another PDF file contained a download link for yet another compromised site, this time in Poland.

Clicking on the link, Adobe Reader will display a warning message asking you to verify if you trust the website. The file for download is actually a Win32/Zbot variant, which Microsoft already detects as PWS:Win32/Zbot.gen!R. The malicious PDF file is detected as Trojan:Win32/Pdfphish.A.

SHA1:
38421197bc27f9ae76c01595424b41d720adea05 (detected as Trojan:Win32/Pdfphish.A)
818ef49e658aa78df4a0d9b424fafcd37bcb288c (detected as PWS:Win32/Zbot.gen!R)

- Rodel Finones, MMPC