On December 7th, Brandon provided his analysis of a malicious PDF (MD5: 517fe6ba9417e6c8b4d0a0b3b9c4c9a9) which utilized an Adobe Reader 0day (leveraging a U3D vulnerability). After successful exploitation the PDF drops a Windows executable (MD5: E769A920B12D019679C43A9A4C0D7E2C). The file, named pretty.exe, then drops DLL_101 (MD5: BA7793845FE2A02187263A96E8DAAEC6), which is stored as a resource in pretty.exe.
Symantec posted a blog post that describes the threat well. In this post we provide additional detail specific to the executables delivered from the initial PDF.
The attacking PDF extracts and executes an initial dropper as ctfmon.exe and then renames it to pretty.exe. The purpose of this executable is to extract another executable (stored as a resource) and inject it into other processes.
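Because the dropper carries its payload as an embedded executable, a quick triage check is to scan a sample for PE headers that sit anywhere other than offset 0. The script below is an added example written for this post, not code from the original analysis or from the malware: it carves candidate `MZ` headers, validates each by following `e_lfanew` to a `PE\0\0` signature, and reads the COFF `Characteristics` flag to tell an embedded DLL from an EXE. The size bound on `e_lfanew` is a heuristic chosen here, and the sample blob it runs on is constructed in the block, not taken from pretty.exe.

```python
import struct
import sys

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images


def make_stub_pe(is_dll: bool) -> bytes:
    """Constructed sample only: a minimal DOS header + 'PE\\0\\0' + COFF header.
    Not a loadable image, just enough structure to exercise the scanner."""
    e_lfanew = 0x40
    # DOS header: 'MZ' magic, zero padding, e_lfanew at offset 0x3C
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # EXECUTABLE_IMAGE | 32BIT_MACHINE, plus the DLL flag when requested
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\x00\x00" + coff


def find_embedded_pe(data: bytes, start: int = 1) -> list:
    """Return every validated PE header found at or after `start`.

    Starting at 1 skips the file's own header, so the result lists only
    embedded images (resources, overlays, appended payloads)."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        # Need a full 0x40-byte DOS header to read e_lfanew at 0x3C
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Heuristic bound (assumption): real DOS stubs are small, so a
            # huge e_lfanew almost always means a random 'MZ' byte pair.
            if (0x40 <= e_lfanew < 0x1000
                    and pe_off + 24 <= len(data)
                    and data[pe_off:pe_off + 4] == b"PE\x00\x00"):
                machine = struct.unpack_from("<H", data, pe_off + 4)[0]
                characteristics = struct.unpack_from("<H", data, pe_off + 22)[0]
                hits.append({
                    "offset": pos,
                    "machine": machine,
                    "is_dll": bool(characteristics & IMAGE_FILE_DLL),
                })
        pos = data.find(b"MZ", pos + 1)
    return hits


# Constructed sample: an EXE stub, some padding, a fake resource tag, then an
# embedded DLL stub, mimicking a dropper that stores its payload as a resource.
SAMPLE = make_stub_pe(False) + b"\x00" * 64 + b"RSRC" + make_stub_pe(True)


if __name__ == "__main__":
    # Usage: python carve_pe.py [dropper.exe]; without an argument, scans SAMPLE
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for hit in find_embedded_pe(blob):
        kind = "DLL" if hit["is_dll"] else "EXE"
        print(f"embedded {kind} at offset 0x{hit['offset']:x}, machine 0x{hit['machine']:x}")
```

On the constructed sample the scanner reports one embedded DLL; on a real dropper the offsets it returns can be fed straight to a hex editor or `dd` to carve the payload for separate hashing and analysis.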
As you can see, the language set appears to be Chinese.
The decompiled source code (thanks to IDA and HexRays) is available here:
No guarantees on the accuracy of the analysis – it was done quickly and in “spare” time.