This is the 4th challenge from FireEye's "FLARE On" contest (http://flare-on.com/).
In this challenge, the zip file contains a PDF.
Doing some basic "find & replace all" in Notepad++ leads to a slightly nicer-looking file:
Hmm, but what does it do?
Hmm... I plugged the following (Japanese?) text into Google Translate, but the translation was only partially successful and missed more words than it got.
After looking through the rest of the PDF file and finding nothing, I realized this must be the exploit code and there might be shellcode somewhere here too.
I took the initial string that gets fed into the unescape() call and put it into sandsprite.com's Shellcode 2 EXE tool:
This led to an executable!
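The conversion step described above can also be done offline without an online tool. The following is an added example, not code from the original post: it turns an `unescape()`-style string into the raw bytes it occupies in memory so they can be inspected or written to a file for static analysis. The function names and the sample string are constructed for illustration and are not taken from the challenge PDF.

```python
import re

# One token per match: %uXXXX, %XX, or any single literal character.
_TOKEN = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)", re.DOTALL)
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def unescape_to_bytes(escaped: str) -> bytes:
    """Return the bytes a JavaScript unescape() result occupies in memory.

    JavaScript strings are sequences of 16-bit code units stored
    little-endian on x86, so %u574f becomes the bytes 4f 57 and %41
    becomes 41 00. Malformed escapes such as "%zz" stay literal
    characters, which matches how unescape() treats them.
    """
    out = bytearray()
    for m in _TOKEN.finditer(escaped):
        wide, narrow, literal = m.groups()
        if literal is not None:
            out += literal.encode("utf-16-le", "surrogatepass")
        else:
            out += int(wide or narrow, 16).to_bytes(2, "little")
    return bytes(out)


def ascii_strings(blob: bytes) -> list:
    """List printable ASCII runs of four or more bytes, for quick triage."""
    return [s.decode("ascii") for s in _ASCII_RUN.findall(blob)]


# Constructed sample: harmless bytes that spell a marker string.
# The real payload keeps its strings XOR-encoded, so they would not
# show up this way until the decoding loops have run.
SAMPLE = "%u574f%u454e%u2144%u2121"

if __name__ == "__main__":
    raw = unescape_to_bytes(SAMPLE)
    print(raw.hex())
    print(ascii_strings(raw))
```
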
Running this in OllyDbg led to what was clearly a malicious payload filled with a few XOR loops.
After using breakpoints to skip through the XOR functionality, you can see strings being pushed onto the stack (similar to previous levels).
The strings copied?
"OWNED!!!" and "firstname.lastname@example.org"