Malicious PDF

[binary]

Hi All,

I've done some reversing on this PDF and looks like it downloads something from hxxp://boomroot.ru/svy/load.php?a=a&st=InternetExplorer6.0%7CWindowsXP&e=3 / e=1 / e=2. Used pdftk to extract the javascript and malzilla to analyze. My first analysis .

Correct me if am wrong here, there are actually three sects of unicode strings? "\u0039" is this way of representation is a unicode representation? Please can you correct me...

Edit: Added the attachment

Thanks
Binary

[h4h4h4h4]

Yes there are 3 different unicode encoded strings, and they are all slightly different. 

There are 3 exploits in the pdf, each with shellcode to go along with it:

Collab.collectEmailInfo exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=2

util.printf exploit

downloads from
--boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=1


Collab.getIcon exploit

downloads from
--/boomroot.ru/svy/load.php?a=a&st=Internet Explorer 6.0|Windows XP&e=3


Good that u noticed the e=1,e=2,e=3 at the end of each exploit.  Lets them keep track of which exploit downloads more frequently and stat tracking.

[MysteryFCM]

\u is USC2.

PDFTK wouldn't deal with it here, but uncompressed it with FileInsight to find Malzilla would only deal with the first half, not the second .... so;

http://wepawet.cs.ucsb.edu/view.php?hash=ba0378b8e8e61ca6864767b0ce51336b&type=js