So I convert the hex to...

/Filter [ /ASCIIHexDecode /LZWDecode /ASCII85Decode /RunLengthDecode /FlateDecode ]

So looking at this, I assume your pdf-parser.py did it for me since in my example it is already decoded in the lines below.

Also, I assume the filter string is telling the application how to decode the blob of code that is associated with the same object within the PDF? I have been able to take the java script blob and decode it. I can see the exploit it is using, etc. I can not see what the phone home address is. My goal is to find the address the malware talks back to.

This stream is compressed with 5 filters: /ASCIIHexDecode /LZWDecode /ASCII85Decode /RunLengthDecode /FlateDecode
The /Names are obfuscated with hex code, like this: /#46#69#6cter -> /Filter

/Length 2901
/#46#69#6cter [ /AS#43I#49#48#65#78D#65co#64#65 /#4c#5aW#44eco#64e /AS#43I#4985#44e#63o#64#65 /R#75#6eL#65#6e#67#74h#44ecode /#46#6c#61#74#65D#65co#64#65 ]

/Length 2901

/Filter [
/ASCIIHexDecode /LZWDecode
/ASCII85Decode /RunLengthDecode
/FlateDecode ]

obj 4 0
Type:
Referencing:
Contains stream

<>

Immediately following is the inflated java script which I was able to deflate. However the above I have had no luck with. Also, I am not able to find a IP/Name that the malware could be calling home to. I am hoping it is in the string I have attached.

Thank you for any advice during this learning exercise for me.

Thank you!!!

Simon (from aero mexico)

a way to embed hidden data in a PDF file wouldn’t be to add a new key/value pair in the Dictionary object of the pdf file?
The key will be something known that will be used to recover the data that will be stored in the value.
This thought came from a post found here: http://forums.adobe.com/message/2157533

Thnx in advance,

Tony