Still, they should've gotten warning prompts for running an untrusted exe when they opened it, wouldn't they? I mean I know people are pretty well conditioned to ignore those, especially gamer geeks who are used to using dubious tools.
I believe the name the program reports for those prompt can be different than the actual filename, allowing an attacker to use the name of adobe reader or some other popular PDF reader instead. If the malicious script launches the actual PDF reader with a legitimate-looking PDF after executing its payload it could be hard to detect
