A new exploit pack is being used in the wild. This one was linked to malvertisements that were appearing on popular sites. Here’s one of them:
Here’s the infection chain:
Let’s have a closer look at that second file. At the bottom, we see a 1px-by-1px iframe being created:
After you get redirected, you’ll end up on this webpage, which enumerates your available plug-ins.
After you deobfuscate this, you’ll end up with this:
You can see that it deploys the typical cocktail of Java and PDF exploits. If anyone knows the name of this new pack, please let me know.
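A defender-side check for the 1px-by-1px iframe described above, as an added example that is not from the original post: it flags iframes of at most 1x1 px in static markup and in markup written from script strings. The sample page and its hostnames are constructed, and iframes built through DOM APIs are not covered.

```python
import re
from html.parser import HTMLParser

# A bare number or px value in a width/height attribute ("1", "1px"), not "1%".
_ATTR_DIM = re.compile(r"^\s*(\d+)\s*(?:px)?\s*$", re.I)
# width/height declarations in an inline style, skipping max-width and the like.
_STYLE_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*(?:px)?\s*(?:;|$)", re.I)
# Opening iframe tags embedded in script text (e.g. passed to document.write).
_IFRAME_IN_JS = re.compile(r"<iframe\b[^>]*>", re.I)

def _dims(attrs):
    """Return (width, height) in px; a value is None when it cannot be read."""
    dims = {}
    for key in ("width", "height"):
        m = _ATTR_DIM.match(attrs.get(key) or "")
        if m:
            dims[key] = int(m.group(1))
    for key, val in _STYLE_DIM.findall(attrs.get("style") or ""):
        dims[key.lower()] = int(val)  # inline style overrides the attribute
    return dims.get("width"), dims.get("height")

class TinyIframeFinder(HTMLParser):
    """Collects the src of every iframe whose width and height are both <= 1px."""
    def __init__(self):
        super().__init__()
        self.hits, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            a = dict(attrs)
            w, h = _dims(a)
            if w is not None and h is not None and w <= 1 and h <= 1:
                self.hits.append(a.get("src") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:  # re-parse iframe markup found inside script text
            for tag in _IFRAME_IN_JS.findall(data):
                self.hits.extend(find_tiny_iframes(tag))

def find_tiny_iframes(html):
    parser = TinyIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits

# Constructed sample: one normal embed, one styled 1x1 iframe, one written by script.
SAMPLE = """<iframe src="https://video.example/embed" width="560" height="315"></iframe>
<iframe src="https://redirect.example/a" style="width:1px;height:1px"></iframe>
<script>document.write('<iframe src="https://redirect.example/b" width="1" height="1"></iframe>');</script>"""
```

Run `find_tiny_iframes` over cached ad responses or proxy captures; a hit is a lead for review, since some legitimate tracking pixels also use tiny frames.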