Malicious PDF — malware analysis report

Static analysis result for SHA-256 23a4f38c65538224…

MALICIOUS

PDF

362.5 KB Created: 2011-06-22 17:10:09 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 0158e1596a713789dc24520f8ec15c44 SHA-1: 56a1214eadc16082df2ec230206b2643a1f0ff91 SHA-256: 23a4f38c65538224880caa2f8ad07b1d4d06251977a16d72341ed8888c986733
60 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The critical heuristic firing indicates the presence of the C6 Messenger DownloaderActiveX exploit, which is known to target vulnerabilities in PDF readers. The embedded URL points to a potential second-stage executable. The document body is heavily obfuscated and does not provide further clues.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000003c3.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3C3 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.