Just when I thought we weren’t going to see any spam campaigns related to the recent announcement of United States President Barack Obama being awarded the Nobel Peace Prize, I was proven wrong. Spammers rarely disappoint when a juicy news story hits. It’s like attracting flies to honey.

This spam campaign calls into question whether Obama deserved to win the prize and that the country is suffering significant fallout as a result. The email then requests that users click or copy/paste a link into their browsers that will direct them to a website where they can download more information.

If users click on the link, they are brought to a site where they see an image of Obama followed by a notification that their download will start shortly. Remember users believe that they are going to be downloading a report on the unrest created by Obama’s acceptance of the award.

Five seconds after the page loads, users are prompted to download the file Obama_NobelPrize.exe. That is not the end of the story, however. Because users might not want to download an executable file, there is an extra bit of fun embedded within this page. Located at the bottom of the page is a little snippet of encoded JavaScript that looks like this:

Decoding this JavaScript reveals that this page also attempts to silently load an iframe hosted on the tokyopharmm.com domain. The iframe attempts to load a series of PDF exploits to inject a password-stealing Trojan onto the user’s PC. We currently identifiy this Trojan as Generic PWS.y!hv.i.

This is another example in which current news stories are used to lure users into downloading malware. It’s a popular tactic that is repeated over and over, but it continues to work due to its obvious successes. Even if you think you are going to outwit the malware authors by visiting their website but not download files, the page could be executing JavaScript in the background. Those scripts open other pages/sites via invisible iframes and test your machine for zero-day vulnerabilities and exploit them.