The real danger of the /Launch "escape from PDF" proof of concept that Didier Stevens published is no longer a mystery to the malware developers out there: a recent sample I acquired doesn't rely on JavaScript at all and instead embeds the executable as a PDF comment. Inside that comment is a simple VBScript that encodes the executable as an array of ANSI character codes, which is later extracted from the PDF file, converted back to binary form, written to the user's computer as "game.exe" and executed.

How I found this was pure luck; I stumbled across this blog posting: /Launch Malicious PDF. That posting goes into most of the details, so there is no use reiterating them here. One thing I would like to point out is that this is very different from the Zeus attempt at using the /Launch action. Zeus appeared to use the Metasploit PDF module, which doesn't really take full advantage of the /Launch action, so I don't count that as the first real "escape from PDF" malicious usage.
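As an added example (not the blog's code, nor Didier Stevens's), here is a small Python triage script that flags the two things this sample relies on: a /Launch action and PDF comment lines that carry script text or a long numeric array. The sample PDF bytes, the keyword list and the length threshold are constructed assumptions for illustration, not values taken from the real sample.

```python
import re

# Constructed sample: a minimal PDF skeleton with a /Launch action and two
# comment lines modelled on the description above (not the real sample).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
3 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c start game.exe) >> >> endobj
% Set a = Array(77,90,144,0,3,0,0,0,4,0,0,0,255,255,0,0)
% For i = 0 To UBound(a) : s = s & Chr(a(i)) : Next
%%EOF
"""

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
TARGET_RE = re.compile(rb"/F\s*\((.*?)\)", re.S)
# Assumed heuristics: tokens typical of VBScript that rebuilds a binary.
SCRIPT_HINTS = (b"Chr(", b"Array(", b"CreateObject", b"WScript", b"ADODB")
# Eight or more comma-separated small integers: looks like a byte array.
ARRAY_RE = re.compile(rb"(?:\d{1,3}\s*,\s*){8,}\d{1,3}")


def find_launch_actions(data):
    """Return the /F target of every /Launch action found in the file."""
    hits = []
    for m in LAUNCH_RE.finditer(data):
        window = data[m.start():m.start() + 512]  # look just past the action
        t = TARGET_RE.search(window)
        hits.append(t.group(1).decode("latin-1") if t else "")
    return hits


def find_suspicious_comments(data, min_len=40):
    """Return comment lines that look like script or an encoded payload."""
    out = []
    for line in data.splitlines():
        # Skip non-comments, the %PDF header and %%EOF / %%-style markers.
        if not line.startswith(b"%") or line.startswith((b"%%", b"%PDF-")):
            continue
        body = line[1:].strip()
        scripty = any(h in body for h in SCRIPT_HINTS)
        arrayish = ARRAY_RE.search(body) is not None
        if scripty or arrayish or len(body) >= min_len:
            out.append(body.decode("latin-1"))
    return out


def scan(data):
    """Summarise both indicators so a triage tool can alert on either."""
    return {"launch": find_launch_actions(data),
            "comments": find_suspicious_comments(data)}
```

Ordinary PDFs rarely carry long comments outside the header and %%EOF, so any hit on the comment check is worth a manual look even when no /Launch is present.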
UPDATE: I have published an analysis of this PDF file over on siemblog.com if you're interested in taking a look at the inner workings of this attack: “Analysis of the First Real PDF /Launch Attack – No JavaScript Required!”
First Real /Launch “Escape from PDF” Malware Seen in the Wild