We saw a pretty PDF file today (md5: 116d92f036f68d325068f3c7bbf1d535).
It looks like this:
Nice flowers.
Unfortunately, when viewing the file, it uses an exploit against Adobe Reader and drops and runs a file called 1.exe.
This executable is a Poison Ivy backdoor. It calls home to a host called cecon.flower-show.org. Whoever controls the computer at that address gains remote access to the target computer. The PDF was used in a targeted espionage attack against an unknown target.
We've seen the domain flower-show.org before, already in 2009. Then another PDF called home to posere.flower-show.org.
Today, both of those host names resolve to 202.150.213.12, which is not in China. It's in Singapore.