I too came across a similar malware, but I am stuck at one point in the wepawet analysis.
In the segment “var Kkbfhqas=” what is the decoded output of the variable. I had read some place that this is the ‘shellcode’, but I am not able to figure that out myself . Any inputs on this or how I can better understand this segment ?

Thanks

litecarfinestsite.cn
liteautomobileinsurance.cn
bigfirststopnonfat.cn
liteupyourride.cn

They dropped swf/pdf files, ran ActiveX PDF attacks, and dropped a windows pe at the end…Anubis found it added digiwet.dll to the system…I believe I saw this same file in the Gumblar analysis.

Thanks for the interesting analysis