"Today, we identified that a PDF zero-day [vulnerability] is being exploited in the wild, and we observed successful exploitation on the latest Adobe PDF Reader 9.5.3, 10.1.5, and 11.0.1," the FireEye researchers said late Tuesday in a blog post.
The exploit drops and loads two DLL files on the system. One file displays a bogus error message and opens a PDF document that's used as a decoy, the FireEye researchers said.
Remote code execution exploits regularly cause the targeted programs to crash. In this context, the fake error message and second document are most likely used to trick users into believing that the crash was the result of a simple malfunction and that the program recovered successfully.
Meanwhile, the second DLL installs a malicious component that calls back to a remote domain, the FireEye researchers said.