Great post from research.zscaler.com

It explains how to analyze a PDF that contains malicious code. The analysis follows these steps:

  • Analyze/extract the different objects from the PDF file. In this case the file contains JavaScript code.
  • Use Malzilla to evaluate the JavaScript code and extract the shellcode, which is Unicode-encoded.
  • Decode the shellcode to obtain a valid executable binary.
  • Use a debugger (OllyDbg) to analyze the binary. The analyst extracts the XORed code from the binary.
  • Use the debugger again to analyze the extracted code. It contacts a website to download the second stage and infect the host computer.
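The two decoding steps above (turning the Unicode-escaped shellcode back into bytes, then recovering the XORed executable) are the ones an analyst most often scripts. The following is an added example, not code from the Zscaler post: it decodes `%uXXXX` escapes little-endian the way JavaScript `unescape()` lays them out in memory, then brute-forces a single-byte XOR key by looking for a consistent `MZ`/`PE` header. The sample input is constructed here (a minimal PE stub, not real malware); the key 0x41 and the function names are assumptions.

```python
import re

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

def decode_unicode_escapes(text: str) -> bytes:
    """Turn a JavaScript unescape()-style string ("%u4d5a%u...") into raw bytes.
    Each %uXXXX is a 16-bit code unit stored little-endian in memory, so
    %u4d5a yields the bytes 5a 4d; a plain %XX escape yields one byte."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}: {text[pos:m.start()]!r}")
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"trailing text at offset {pos}: {text[pos:]!r}")
    return bytes(out)

def xor_decode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the transform the post describes hiding the embedded binary."""
    return bytes(b ^ key for b in data)

def find_xored_pe(data: bytes):
    """Brute-force the single-byte XOR key: return (key, offset) where the decoded
    data holds an 'MZ' header whose e_lfanew field points at a 'PE\\0\\0' signature."""
    for key in range(256):
        dec = xor_decode(data, key)
        idx = dec.find(b"MZ")
        while idx != -1:
            if idx + 0x40 <= len(dec):
                e_lfanew = int.from_bytes(dec[idx + 0x3C:idx + 0x40], "little")
                if dec[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\0\0":
                    return key, idx
            idx = dec.find(b"MZ", idx + 1)
    return None

def build_sample(key: int = 0x41) -> str:
    """Constructed input (not real malware): a minimal MZ/PE stub XORed with `key`,
    placed behind two filler bytes and wrapped the way unescape() expects."""
    stub = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 4
    blob = b"\0\0" + xor_decode(stub, key)
    # emit byte pairs as %uHHLL so that little-endian decoding restores the original order
    return "".join("%%u%02x%02x" % (blob[i + 1], blob[i]) for i in range(0, len(blob), 2))

if __name__ == "__main__":
    raw = decode_unicode_escapes(build_sample())
    print(find_xored_pe(raw))  # -> (65, 2)
```

On a real sample the decoded bytes from Malzilla would be passed to `find_xored_pe` in place of `build_sample()`; a hit gives the key and offset at which to carve the executable.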