When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:
What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).
Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.
Hmm. The Agenda looks awfully familiar.
We detect the files as Exploit.PDF-JS.Gen and Trojan-Spy:W32/Agent.NBZ.