The dissected PDF has the following MD5: 35e8eeee2b94cbe87e3d3f843ec857f6, but it seems that
61baabd6fc12e01ff73ceacc07c84f9a also uses the same shellcode.
The following screenshot shows some cleartext strings within the shellcode:
These may be a runtime check for Kaspersky tools and a check for Kingsoft security tools. There is also evidence of the user agent AdobeUpdate (as well documented in the F-Secure post about the subject) used for the HTTP request.
To quickly obtain a PE binary from the shellcode, the following was used:
The check above during runtime:
The XML code that defines an embedded RAR file discovered inside 35e8eeee2b94cbe87e3d3f843ec857f6:
The Anubis analysis of the RAR (an exe inside a RAR-compressed archive) extracted from the PDF above:
The RAR contents:
The RAR-compressed exe file is run by the shellcode under certain conditions.
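As an added triage example (not code from the original post), the script below carves RAR archives out of a PDF by their magic signature and locates the cleartext markers noted above (the AdobeUpdate user agent and the vendor names). The sample PDF bytes and the marker list are constructed for the demonstration; the RAR signatures are the standard ones, not values from this post.

```python
import re

# Standard RAR magic values (RAR 1.5-4.x and RAR 5.x); not taken from the post.
RAR_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
}

# Cleartext markers the post mentions in the shellcode; list is our own choice.
INTERESTING_STRINGS = [b"AdobeUpdate", b"kaspersky", b"kingsoft"]


def carve_rar(data: bytes):
    """Return (offset, flavour, blob) for every RAR signature in data.
    Each blob runs to the next signature or end of file: a triage cut
    for handing to an unpacker, not a parse of the RAR headers."""
    hits = []
    for sig, flavour in RAR_SIGNATURES.items():
        for m in re.finditer(re.escape(sig), data):
            hits.append((m.start(), flavour))
    hits.sort()
    out = []
    for i, (off, flavour) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        out.append((off, flavour, data[off:end]))
    return out


def find_markers(data: bytes, markers=INTERESTING_STRINGS):
    """Case-insensitive search for the markers; returns {marker: [offsets]}."""
    found = {}
    for mk in markers:
        offs = [m.start() for m in re.finditer(re.escape(mk), data, re.IGNORECASE)]
        if offs:
            found[mk.decode()] = offs
    return found


# Constructed sample: a minimal PDF carrying a shellcode-like string region
# followed by a fake RAR4 blob. Not the real sample from the post.
SAMPLE = (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
          + b"\x90\x90AdobeUpdate\x00KASPERSKY\x00"
          + b"Rar!\x1a\x07\x00" + b"\xcf\x90\x73\x00\x00\x0d\x00" + b"PAYLOAD"
          + b"\n%%EOF\n")

if __name__ == "__main__":
    for off, flavour, blob in carve_rar(SAMPLE):
        print(f"{flavour} archive at offset {off}, {len(blob)} bytes")
    print(find_markers(SAMPLE))
```

To use it on a real file, replace SAMPLE with the bytes read from the suspicious PDF and write each carved blob to disk for the unpacker.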