C6 Messenger Downloader — PDF malware analysis

Static analysis result for SHA-256 12c4224740c7246b…

MALICIOUS

PDF

53.6 KB Created: 2011-04-22 21:39:32 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: e3726104dd5ee85f667396a431c04d39 SHA-1: 430047b91412cfa6a040ed56a2422a7e309e15a2 SHA-256: 12c4224740c7246bd2ad6ace035d20b3074a411a920a387bb666e9720ae0143f
64 Risk Score

Malware Insights

C6 Messenger Downloader · confidence 85%

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a PDF document that contains a marker for the CVE-2008-2551 exploit, which is known to download and execute payloads. The document also contains an embedded URI pointing to an external website, which is likely the source of the payload. The exploit targets client execution, and the embedded URI suggests a potential drive-by download mechanism.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.4916

Heuristics 3

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://www.presstv.ir/Persian.aspx?id=10358
    • http://www.irna.ir/View/FullStory/?NewsId=1151206
    • http://www.presstv.ir/Persian.aspx?id=10353
    • http://www.irna.ir/View/FullStory/?NewsId=1149715
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=228558
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=228516
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=228526
    • http://www.presstv.ir/Persian.aspx?id=10358������
    • http://www.presstv.ir/Persian.aspx?id=10353������
    • http://www.irna.ir/View/FullStory/?NewsId=1149715������
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=228558���������������
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=228516���������������������
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000017d8.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x17D8 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.