Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e90b6bee74bfa58…

MALICIOUS

PDF

607.3 KB Created: 2011-05-26 13:40:33 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: b9fa6fa17447ee14b68ad7879bf13e2f SHA-1: e8ef7669c62a50d5aacecf00422287bcc9b0e593 SHA-256: 1e90b6bee74bfa58cb0ae5b85bea047e728dd853ded0cbae87a57f183fbe96bd
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.001 Malicious Link

The PDF contains a critical heuristic firing for CVE_2008_2551, indicating an exploit for C6 Messenger DownloaderActiveX. The embedded URL 'http://artisanballoonz.com/system/system.exe' is likely the secondary payload downloaded by the exploit. The PDF structure itself does not contain readable content, but the exploit and the download URL are sufficient indicators of malicious intent.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000688.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x688 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.