Adobe pulled a fast one a couple days ago when they pushed out their most recent patch. In doing so they addressed CVE-2011-2462, but also mentioned another vulnerability that exploited the PRC format (also related to U3D). This additional vulnerability was not one I had come across until a few days ago; below is my initial analysis of the PDF structure, along with a barebones dynamic analysis.
The first file dropped onto the system is “AcroRd32Info.cab”, which is then expanded using “C:\WINDOWS\system32\expand.exe”, which writes “acrord32info.exe”. VirusTotal identifies this file as a generic dropper, but does not provide any malware family.
After writing to “C:\WINDOWS\system32\wbem\Logs\wbemprox.log”, another file is written to “C:\WINDOWS\msapps\netmgr.exe”. VirusTotal identifies this file as an injector, but again, does not provide any malware family. Before the main process is terminated, a registry value is set so that “netmgr.exe” runs when the system starts.
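The drop sequence described above (cab expansion, executable write, registry value pointing at the written executable) can be checked for in process-monitor output. The following Python is an added example, not code from the original analysis; the pipe-delimited event format, the `<TEMP>` and `<AUTOSTART_KEY>` placeholders, the process names in the sample and the function name are assumptions, since the post names neither the drop directory nor the registry key.

```python
import ntpath

# Constructed events: time|process|operation|target|detail (format is an assumption).
# <TEMP> and <AUTOSTART_KEY> are placeholders for values the post does not give.
SAMPLE_EVENTS = r"""
10:01:02|AcroRd32.exe|FileWrite|<TEMP>\AcroRd32Info.cab|
10:01:03|AcroRd32.exe|ProcessCreate|C:\WINDOWS\system32\expand.exe|expand.exe AcroRd32Info.cab acrord32info.exe
10:01:04|expand.exe|FileWrite|<TEMP>\acrord32info.exe|
10:01:06|acrord32info.exe|FileWrite|C:\WINDOWS\system32\wbem\Logs\wbemprox.log|
10:01:07|acrord32info.exe|FileWrite|C:\WINDOWS\msapps\netmgr.exe|
10:01:08|acrord32info.exe|RegSetValue|<AUTOSTART_KEY>\netmgr|C:\WINDOWS\msapps\netmgr.exe
""".strip().splitlines()

# Constructed benign case: a cab is expanded, but no written .exe is registered.
BENIGN_EVENTS = r"""
09:00:01|setup.exe|ProcessCreate|C:\WINDOWS\system32\expand.exe|expand.exe driver.cab driver.dll
09:00:02|expand.exe|FileWrite|<TEMP>\driver.dll|
09:00:03|setup.exe|RegSetValue|<AUTOSTART_KEY>\updater|C:\Program Files\Vendor\updater.exe
""".strip().splitlines()


def find_dropper_chain(lines):
    """Return (registry target, data) pairs where a registry value references
    an .exe that was written after expand.exe unpacked a .cab archive."""
    expanded = False      # stage 1: expand.exe launched against a .cab
    dropped = set()       # stage 2: executables written after stage 1
    hits = []             # stage 3: registry data pointing at a dropped file
    for line in lines:
        _ts, _proc, op, target, detail = line.split("|", 4)
        low_target, low_detail = target.lower(), detail.lower()
        if (op == "ProcessCreate"
                and ntpath.basename(low_target) == "expand.exe"
                and ".cab" in low_detail):
            expanded = True
        elif op == "FileWrite" and expanded and low_target.endswith(".exe"):
            dropped.add(low_target)
        elif op == "RegSetValue" and any(path in low_detail for path in dropped):
            hits.append((target, detail))
    return hits


if __name__ == "__main__":
    for key, data in find_dropper_chain(SAMPLE_EVENTS):
        print(f"dropped executable registered in registry: {key} -> {data}")
```
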
Running “netmgr.exe” manually creates a process and executes svchost.exe, which waits for a few seconds and then terminates. Within “netmgr.exe” are references to “http://22.214.171.124/bunny/test.php?rec=nvista”, but it is unclear what role, if any, this site plays. Part two will include more analysis on the binary files dropped by the PDF.