We received a malicious PDF file in August 2009, on analysis, we found that the malicious PDF file is different from recently analysed PDF exploits. This Adobe Flash zero-day exploit appears to be exploited in the wild. This exploit affects Adobe Reader 9.1.2 and earlier 9.x versions and Adobe Flash Player 18.104.22.168 and 10.0.22.87 and earlier 9.x and 10.x versions.
In this PDF file, there are two flash files embedded in it. One of them, fancyball.swf, doesn’t seem to do anything malicious, the other flash file save.swf (or oneoff.swf) uses action script to do heap spraying.
The shellcode downloads and executes 2 executable files named SUCHOST.exe and temp.exe. Both of the executable files are embedded inside the PDF file itself.
Download Browser Defender for free to protect yourself against these sorts of threats.