We have seen an old exploit being added, removed, then added again. This was the MS06-067 DirectAnimation.PathControl.KeyFrame() vulnerability. More on this one later.
The function which exploits the Adobe vulnerability (CVE-2007-5659) will try to load ActiveX controls in the following order:
If successful, it identifies the version in use and continues only if it is below 8.1.2, which makes sense since Adobe released an update with this version that fixed the issue. The version is then inserted into an already embedded URL string to download the actual PDF file.
If the overflow works, the shellcode will GET a URL which is the same as the one before except for one changed byte (from 01 to 02), perhaps to track which stage is requested. That file is an executable which will be saved in the user's Temp directory as "sxoC.exe".
For those who rely on HIDS/HIPS, AV or nIDS/nIPS, chances are nothing will be seen, unless the dropped binary gets picked up by AV (right!).
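The two-stage fetch described above (a PDF, then an executable from a URL that differs only by 01 becoming 02) can be hunted for in proxy logs after the fact. The following is an added example, not code from the original post. The log layout, hosts, paths, the 60-second window and the assumption that the stage byte appears in the URL as the characters "01"/"02" are all constructed for illustration.

```python
from collections import defaultdict

# Constructed proxy log records: (epoch_seconds, client_ip, url, first_response_bytes).
# Hosts, paths and the position of the stage byte are made up for illustration.
SAMPLE_LOG = [
    (1000, "10.0.0.5", "http://kit.example/load.php?id=7a01c3&v=8.1.1", b"%PDF-1.4"),
    (1004, "10.0.0.5", "http://kit.example/load.php?id=7a02c3&v=8.1.1", b"MZ\x90\x00"),
    (1002, "10.0.0.9", "http://cdn.example/img/0001.png", b"\x89PNG"),
    (1003, "10.0.0.9", "http://cdn.example/img/0002.png", b"\x89PNG"),
    (1000, "10.0.0.7", "http://kit.example/load.php?id=7a01c3&v=8.1.1", b"%PDF-1.4"),
    (5000, "10.0.0.7", "http://kit.example/load.php?id=7a02c3&v=8.1.1", b"MZ\x90\x00"),
]

def stage_bump(first_url, second_url):
    """Return the offset where '01' became '02', or -1 if the URLs differ any other way."""
    if len(first_url) != len(second_url):
        return -1
    diffs = [i for i, (a, b) in enumerate(zip(first_url, second_url)) if a != b]
    if len(diffs) != 1 or diffs[0] == 0:
        return -1
    i = diffs[0]
    if first_url[i - 1:i + 1] == "01" and second_url[i - 1:i + 1] == "02":
        return i - 1
    return -1

def find_staged_downloads(records, window=60):
    """Flag clients that fetch a PDF and then, within `window` seconds, an
    executable from a URL identical except for a 01 -> 02 change."""
    by_client = defaultdict(list)
    for rec in sorted(records):
        by_client[rec[1]].append(rec)
    hits = []
    for client, recs in by_client.items():
        for n, (t1, _, url1, body1) in enumerate(recs):
            if not body1.startswith(b"%PDF"):
                continue
            for t2, _, url2, body2 in recs[n + 1:]:
                if t2 - t1 > window:
                    break
                if body2.startswith(b"MZ") and stage_bump(url1, url2) >= 0:
                    hits.append((client, url1, url2))
    return hits

if __name__ == "__main__":
    for client, pdf_url, exe_url in find_staged_downloads(SAMPLE_LOG):
        print(f"{client}: {pdf_url} -> {exe_url}")
```

The image requests from 10.0.0.9 also differ by 01 to 02, which is why the check pairs the URL change with the PDF and MZ response headers instead of relying on the URL alone.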