The binary is super fresh and evades all of the major AV scanners.

VirusTotal results

The first command and control server that it checks in with is It was down for a little while but is back up. This might just be the downloader.

After checking in with the C&C, it GETs (checking connectivity?), then connects to which is a 300-second fast-flux hostname for the ZeuS C&C. It POSTs to
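A short-TTL hostname on its own proves little (CDNs use them too); what distinguishes the fast-flux pattern described above is a low TTL combined with the name churning through unrelated addresses across successive resolutions. The heuristic below scores passive-DNS records on exactly that combination. It is an added example, not code from the original post or from any of the tools named on the page; the log format, hostnames and addresses are constructed for illustration.

```python
"""Fast-flux heuristic over constructed passive-DNS log lines.

A hostname is flagged when the lowest TTL seen is at or below a threshold
AND it resolved to several distinct IPv4 addresses spread over several
distinct /24 networks within the observation window. Every hostname,
address and the log line format here is constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS records: "<epoch> <qname> A <rdata> ttl=<ttl>"
SAMPLE_LOG = """\
1280000000 update.example-cdn.test A 203.0.113.10 ttl=86400
1280000300 update.example-cdn.test A 203.0.113.10 ttl=86400
1280000000 cc.flux-example.test A 198.51.100.7 ttl=300
1280000300 cc.flux-example.test A 198.51.100.88 ttl=300
1280000600 cc.flux-example.test A 192.0.2.45 ttl=300
1280000900 cc.flux-example.test A 203.0.113.201 ttl=300
1280000000 static.example-site.test A 192.0.2.9 ttl=300
1280000300 static.example-site.test A 192.0.2.9 ttl=300
"""


def parse_pdns_line(line):
    """Parse one record into (ts, qname, rdata, ttl); return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "A" or not parts[4].startswith("ttl="):
        return None
    try:
        ts = int(parts[0])
        rdata = ip_address(parts[3])
        ttl = int(parts[4][len("ttl="):])
    except ValueError:
        return None
    if rdata.version != 4 or ttl < 0:
        return None  # only IPv4 A records are scored by this heuristic
    qname = parts[1].lower().rstrip(".")
    return ts, qname, str(rdata), ttl


def summarize(log_text):
    """Per qname: lowest TTL seen, distinct addresses, distinct /24 networks."""
    summary = defaultdict(lambda: {"min_ttl": None, "addrs": set(), "nets": set()})
    for line in log_text.splitlines():
        rec = parse_pdns_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole scan
        _, qname, rdata, ttl = rec
        entry = summary[qname]
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
        entry["addrs"].add(rdata)
        entry["nets"].add(".".join(rdata.split(".")[:3]))  # /24 prefix
    return summary


def flag_fast_flux(log_text, max_ttl=300, min_addrs=3, min_nets=2):
    """Return the sorted qnames that match the low-TTL + address-churn pattern."""
    hits = []
    for qname, entry in summarize(log_text).items():
        if entry["min_ttl"] is None or entry["min_ttl"] > max_ttl:
            continue  # long TTL: not flux behaviour
        if len(entry["addrs"]) < min_addrs or len(entry["nets"]) < min_nets:
            continue  # low TTL but stable addressing: ordinary short-TTL record
        hits.append(qname)
    return sorted(hits)


if __name__ == "__main__":
    for name in flag_fast_flux(SAMPLE_LOG):
        info = summarize(SAMPLE_LOG)[name]
        print(f"{name}: ttl={info['min_ttl']} addrs={len(info['addrs'])} nets={len(info['nets'])}")
```

In the constructed sample only `cc.flux-example.test` is flagged: the CDN-like name has a long TTL, and the static site has a 300-second TTL but never changes address. Thresholds are tunable; large CDNs can legitimately trip a churn-based rule, so the output is a triage list to be enriched with reputation or ASN data, not a verdict.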

Here is the Wepawet analysis of the malicious PDF it exploited my malware lab image with. It also uses several other attack vectors, including Java and MDAC.

Here is the Anubis report on the malware that the PDF installs. appears to have been removed and looks to have been a jumping-off point to contains a number of malicious scripts that take advantage of various vulnerabilities:

* CVE-2010-1885 - Microsoft Windows Help and Support Center @

* CVE-2006-0003 - MDAC exploits

* CVE-2010-0094 - Java RMIConnectionImpl vulnerability @

* CVE-2010-0886 - Java Deployment Toolkit @

* CVE-2008-5353 - Java deserialization @

* CVE-2009-3867 - Java stack overflow HsbParser.getSoundBank @

* Multiple PDF vulnerabilities exploited (we block as Exploit.JS.Pdfka.cuj)