[dlimanov]

Got the attached PDF as a phish. All online sandboxes report it as benign. Checked streams and objects with PDF parser and PEEPDF and noticed a flat decode filter in Object 1. After decoding that object, file grows to 90Mb with two IMAGE sections and couple of interesting JavaScript sections. Network guys are saying that target machine that executed the phish PDF immediately tried to download a payload from hxxp://stat-bdm.com/res/123.exe (now dead), which got blocked.
I am having hard time making sense of the deobfuscated JavaScript from Object 1 (there appears to be nothing interesting anywhere else), and don't see any reference to the URL above. I tried running the PDF locally with CaptureBat and few other real-time analysis tools, but again there was no sign of any downloader activity.
Does anyone have any ideas how to decipher the JavaScript below?
Thanks in advance!

[sysopfb]

The one I deobfuscated was two parts. So you have that huge image file which is part of the CVE (CVE-2013-2729 if I remember right) and then I had two separate javascript sections using two XFA nodes. The XFA nodes hold the data that the js works on so you have to manipulate the js a bit if you want to get the shellcode out of it. Ultimately all I got was some shellcode that called for the download of the payload, the only thing interesting about it was that the shellcode was flagged by our yara rules as Cridex shellcode. If you want I can post my notes on it when I get to the lab in the morning.

[dlimanov]

Thanks sysop, what would be lovely!

[sysopfb]

Here's a zip of all my notes and the pdf I worked with. The full shellcode is in there as well if you turn it into an exe and strings it you'll see the url of the follow on download which if I remember correctly was Dyre at the time.
Password is the usual

[dlimanov]

Much appreciated, sysopfb, just what I needed!