Flash exploits targeting the old integer overflow vulnerability (CVE-2007-071) in Flash Player are still relatively active and keep multiplying, derived from the early versions of the exploit code with more or less slight differences. One such variation was made considerably stealthier and more reliable by the use of a Flash run-time packer that spawns a multiplexer component. It is detected as SWF/Dloader!exploit by Fortinet, yet detection of this peculiar variant across the spectrum of antivirus products is still extremely scarce. Let's lift the lid on that variant by examining a sample here, named F1.swf.
As usual, all the dirty tricks are done through ActionScript. ActionScript is compiled and stored in the Flash file as bytecode, so for analysis it is convenient to decompile the bytecode with common tools such as swfscan. Unfortunately, swfscan failed to decompile F1.swf for me, so I had to resort to swfdump, which can disassemble the bytecode into "something" easier to read. The analysis below is based on that disassembly.
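When off-the-shelf decompilers choke on a sample, it helps to pull the DoABC tag (SWF tag code 82, which carries the ActionScript 3 bytecode) out of the file yourself before handing it to a disassembler. The following Python extractor is an added example, not code from the original post or from Fortinet; the minimal SWF it builds is constructed for testing and is not F1.swf, and ZWS (LZMA-compressed) files are deliberately not handled.

```python
import struct
import zlib

DO_ABC = 82  # SWF tag code for DoABC (ActionScript 3 bytecode container)


def swf_body(data: bytes) -> bytes:
    """Return the SWF body after the 8-byte header, inflating CWS (zlib) files."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("unsupported SWF signature %r (ZWS/LZMA not handled)" % sig)


def extract_abc(data: bytes) -> list:
    """Return (name, abc_bytes) for every DoABC tag in the file, in file order."""
    body = swf_body(data)
    # Header RECT: 5-bit nbits then four nbits-wide fields, padded to a byte.
    nbits = body[0] >> 3
    pos = (5 + 4 * nbits + 7) // 8 + 4  # skip RECT, frame rate u16, frame count u16
    found = []
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:  # long tag header: real length follows as u32
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        payload = body[pos:pos + length]
        pos += length
        if code == 0:  # End tag
            break
        if code == DO_ABC:  # u32 flags, null-terminated name, then raw ABC data
            name_end = payload.index(b"\x00", 4)
            found.append((payload[4:name_end].decode("latin-1"), payload[name_end + 1:]))
    return found


def build_sample_swf(abc: bytes, compress: bool) -> bytes:
    """Construct a minimal SWF wrapping one DoABC tag (test input, not a real sample)."""
    doabc = struct.pack("<I", 1) + b"frame1\x00" + abc
    tag = struct.pack("<HI", (DO_ABC << 6) | 0x3F, len(doabc)) + doabc
    body = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + struct.pack("<H", 0)
    header = b"\x0a" + struct.pack("<I", 8 + len(body))  # version 10, uncompressed length
    if compress:
        return b"CWS" + header + zlib.compress(body)
    return b"FWS" + header + body
```

Run `extract_abc` on a real sample and feed each returned blob to your disassembler; when a packer stacks several DoABC tags, the order returned is the order the player loads them.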
Below is the static constructor of class BinaryData, which contains an encoded payload:
sealed protectedNS([protected]BinaryData) class
staticconstructor * =()(0 params, 0 optional)
[stack:10349 locals:1 scope:3-4 flags:]
00000) + 0:0 getlocal_0
00001) + 1:0 pushscope
00002) + 0:1 debug [register 00=xorkey]
00003) + 0:1 findproperty
00004) + 1:1 pushstring "PrivateKey01232dfdFSdf"