The binary is super fresh and evades all of the major AV scanners.
The first command and control server that it checks in with is ohmaebahsh.ru. It was down for a little while but is back up. This might just be the downloader.
After checking in the C&C, it GETs http://www.google.com/webhp (checking connectivity?), then connects to eexiziedai.ru which is a 300 second fast flux hostname for the ZeuS C&C. It POSTs to eexiziedai.ru/9xq/_gate.php.
Here is the Wepawet analysis of the malicious PDF it exploited my malware lab image with. It also uses several other attack vectors, including Java and MDAC.
Here is the anubis report on the malware that the PDF installs.
vlaamsbelangturnhout.org/1.html appears to have been removed and looks to have been a jumping off point to borlakas.info.
borlakas.info contains a number malicious scripts that take advantage of various vulnerabilities:
* CVE-2010-1885 - Microsoft Windows Help and Support Center @
* CVE-2006-0003 - MDAC exploits
* CVE-2010-0094 - Java RMIConnectionImpl vulnerability @
* CVE-2010-0886 - Java Deployment Toolkit @
* CVE-2008-5353 - Java deserialization @
* CVE-2009-3867 - Java stack overflow HsbParser.getSoundBank @
* Multiple PDF vulnerabilities exploited (we block as Exploit.JS.Pdfka.cuj)