Malicious PDF — malware analysis report

Static analysis result for SHA-256 12967969eaca9ae0…

MALICIOUS

PDF

238.2 KB Created: 2011-06-22 17:56:32 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 4fe0b96c8901d6c9ec281e59521ad0c9 SHA-1: fb0dad97e08d676bfa03fa991fdb3b3cf7752712 SHA-256: 12967969eaca9ae0cea6b8926ced57a926354e3c00db8f23a545f4f9484ca2c3
92 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The PDF contains a marker indicating an exploit for CVE-2008-2551, which is known to download and execute arbitrary code. The embedded URL points to a potential executable payload, suggesting the file's purpose is to compromise the user's system by downloading and running malware. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9252

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000003e5.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E5 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.