PDF container threat

Last year I wrote a blog entry entitled "The Fight Against Malicious PDFs Using the ASCII85Decode Filter", which is about a threat that uses the ASCII85Decode filter to hide itself. Since that time, some Adobe Reader vulnerabilities have been found, including a recent zero-day vulnerability. However, attackers like to use not only direct exploitation, but also social engineering. I think this is because patches can fix software vulnerabilities fairly easily, but social engineering requires us (as potential victims) to understand and know what is dangerous, which is never easy.
More recently, I have discovered a social engineering threat that uses a PDF file as a "container" file. This PDF threat contains a 7-Zip file as an attachment and displays a message dialog that tries to convince the user to open the 7-Zip file. It also uses JavaScript to switch the dialog message depending on which version of the PDF reader the victim is using. If a user opens the threat with Adobe Reader version 6, he or she will see the following message in Chinese:

Rough translation: "This file contains an attachment. Please choose 'File'->'Attachment' to read the attachment." If this message were clicked through, the user would see this attachment file:

On the other hand, if the threat is opened with Adobe Reader version 7 or higher, the user will (continue reading...)
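
For triage, the combination described above (an embedded attachment plus JavaScript in one PDF) can be flagged from the raw bytes. The following is an added example, not code from the original post: the function names and the sample bytes are constructed for illustration, and the check goes slightly beyond the text by also decoding `#xx` name escapes and looking inside Flate-compressed streams.

```python
import re
import zlib

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"            # 7-Zip file signature
NAME_RE = re.compile(rb"/[^\s()<>\[\]{}/%]+")      # a PDF name token
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def decode_name(raw):
    """Undo the #xx hex escapes PDF permits in names (/J#61vaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def stream_bodies(data):
    """Return every stream body, inflated when it is valid zlib data."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))   # other filter or damaged: keep raw
    return bodies

def triage(data):
    """Flag the attachment-plus-script combination in raw PDF bytes."""
    bodies = stream_bodies(data)
    names = set()
    for blob in [data] + bodies:        # inflated bodies cover object streams
        names.update(decode_name(n) for n in NAME_RE.findall(blob))
    report = {
        "embedded_file": bool(names & {b"/EmbeddedFiles", b"/EmbeddedFile"}),
        "javascript": bool(names & {b"/JavaScript", b"/JS"}),
        "auto_action": bool(names & {b"/OpenAction", b"/AA"}),
        "sevenzip_stream": any(b.startswith(SEVENZIP_MAGIC) for b in bodies),
    }
    report["container_pattern"] = report["embedded_file"] and report["javascript"]
    return report

def constructed_sample():
    """Constructed bytes shaped like the described file; not a real sample."""
    z = zlib.compress(SEVENZIP_MAGIC + b"\x00" * 16)
    return (b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction 4 0 R"
            b" /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
            b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode >>\nstream\n"
            + z + b"\nendstream endobj\n"
            b"4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Encrypted PDFs and filters other than FlateDecode are not handled, and short names such as `/JS` can appear by chance in binary data, so a hit is a prompt for manual review rather than a verdict.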

Copyright © 2012 The Security Blog. All rights reserved.