Analysis of malicious PDF files
The downloaded file contains the script and a malicious PDF sample with a shellcode that tries to download and execute some malicious code from a URL. The domain no longer resolves, so the sample can't fetch anything. If you execute the script with the sample file you should see the following output:
This output has five sections where you can find trigger events (/OpenAction and /AA), suspicious actions (/JS, /Launch, /SubmitForm and /ImportData), vulnerable elements, escaped bytes and URLs, which are useful for getting an idea of how risky the file is.
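To make the five sections concrete, here is an added Python example that is not the script from this post: it scans a PDF's raw bytes for the same markers, decodes `#xx` hex escapes in names first (so an obfuscated `/J#53` is still counted as `/JS`), measures `%uXXXX` / `\xXX` escaped-byte runs, and extracts URLs. The `VULNERABLE` list is this example's own selection of reader JavaScript API names, the sample PDF and its URL are constructed and inert, and the `risk_level` heuristic is an assumption, not the post's scoring.

```python
import re

# Constructed sample: a minimal PDF whose objects carry the markers the post
# describes. The JavaScript is inert (no real shellcode) and the URL is a
# placeholder, not an indicator from the original post.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /AcroForm << /Fields [] >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> /Annots [5 0 R] >>
endobj
4 0 obj
<< /S /JavaScript /J#53 (var s = unescape("%u9090%u9090"); var c = "\\x41\\x41\\x41"; util.printf("%d", 1);) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://constructed.example/payload.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Markers grouped into the post's sections. VULNERABLE is this example's own
# choice of API names seen in reader exploits (assumption, not the post's list).
TRIGGERS = ["/OpenAction", "/AA"]
ACTIONS = ["/JS", "/JavaScript", "/Launch", "/SubmitForm", "/ImportData"]
VULNERABLE = ["util.printf", "Collab.collectEmailInfo", "getIcon",
              "spell.customDictionaryOpen", "media.newPlayer"]

ESCAPED_RUN = re.compile(rb"(?:%u[0-9a-fA-F]{4}|\\x[0-9a-fA-F]{2})+")
URL = re.compile(rb"https?://[^\s()<>\"']+")
NAME_HEX = re.compile(rb"#([0-9a-fA-F]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name like /J#53 is seen as /JS.
    Applied to the whole buffer for simplicity."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_markers(data: bytes, markers) -> dict:
    """Count whole-token occurrences (so /JS does not match /JSX)."""
    return {m: len(re.findall(re.escape(m.encode()) + rb"(?![A-Za-z0-9])", data))
            for m in markers}


def decode_escaped(run: bytes) -> bytes:
    """Turn a %uXXXX / \\xXX run into raw bytes (%u is little-endian UTF-16)."""
    out = bytearray()
    for m in re.finditer(rb"%u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})", run):
        if m.group(1):
            v = int(m.group(1), 16)
            out += bytes([v & 0xFF, v >> 8])
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def analyze_pdf(data: bytes) -> dict:
    """Produce the five sections: triggers, actions, vulnerable, escaped bytes, URLs."""
    norm = normalize_names(data)
    runs = ESCAPED_RUN.findall(norm)
    return {
        "triggers": count_markers(norm, TRIGGERS),
        "actions": count_markers(norm, ACTIONS),
        "vulnerable": count_markers(norm, VULNERABLE),
        "escaped_bytes": {"runs": len(runs),
                          "decoded_length": sum(len(decode_escaped(r)) for r in runs)},
        "urls": [u.decode("latin-1") for u in URL.findall(norm)],
    }


def risk_level(report: dict) -> str:
    """Example heuristic (assumption): an automatic trigger paired with an
    action, vulnerable element or escaped-byte blob is the classic drive-by layout."""
    triggered = any(report["triggers"].values())
    payload = (any(report["actions"].values()) or any(report["vulnerable"].values())
               or report["escaped_bytes"]["runs"] > 0)
    if triggered and payload:
        return "high"
    if payload or report["urls"]:
        return "medium"
    return "low"


if __name__ == "__main__":
    rep = analyze_pdf(SAMPLE_PDF)
    for section in ("triggers", "actions", "vulnerable"):
        print(f"{section}: {{k: v for k, v in rep[section].items() if v}}")
    print("escaped bytes:", rep["escaped_bytes"])
    print("urls:", rep["urls"])
    print("risk:", risk_level(rep))
```

Run it as-is to see the sample scored `high`; point `analyze_pdf` at the bytes of any file you want to triage. It is a quick first look, not a parser: compressed object streams and filtered content are not inflated here, so a clean report does not prove a file is harmless.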
It will probably have several bugs, or maybe you want to comment on it, so please let me know! 😉
Jose Miguel Esparza