ForEx Stat Arb Malware disguised as PDF steals user data


Statistical arbitrage (abbreviated as Stat Arb or StatArb) as opposed to (deterministic) arbitrage, is associated with the statistical mispricing of one or more assets based on the expected value of these assets. (So now you know…).

The attachment in the high-priority email below claims to be a plan for foreign exchange stat arb.

Once extracted – the attachment file named “” reveals an executable file which pretends to be a PDF file (since it presents a PDF icon).  Disguising a file as a PDF is a common trick of malware nowadays – users should be wary and should look at the complete file extension.

When the file is executed, it will show a non-malicious PDF file in a fake PDF reader window.  The PDF file itself is downloaded from “http://www.people.[REMOVED].edu/~schernen/papers/convertibles.pdf”.

The malware then does the following:

  • Captures all keystrokes and activities as users browse the internet
  • Saves the stolen information in the file “%My Documents%Microsoft Updatesupdates2.txt”
  • Sends the keylogger file via e-mail to “wade[REMOVED]”.
  • Creates a copy of itself as “%My Documents%Microsoft UpdatesMicrosoft-updates.exe”
  • Creates this autorun Registry for automatic execution at startup “HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun, “Microsoft Updates” = “%My Documents%Microsoft UpdatesMicrosoft-updates.exe”.

Command Antivirus detects this malware as W32/Trojan3.CPW.

On the subject of PDF malware we should point out that Adobe has released security updates for Adobe reader and Acrobat that address 13 vulnerabilities.  See info here.


Go back