C6 Messenger Downloader — PDF malware analysis

Static analysis result for SHA-256 2fc53584e257ea0b…

MALICIOUS

PDF

57.0 KB Created: 2011-04-22 21:23:07 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 60788f1c46504788b7c5cf3a4c906d28 SHA-1: 1de1981da296e09b0daa31398b8e4b3508cd67c0 SHA-256: 2fc53584e257ea0b937f0a93530f509b339223dd5545d8ba545042ccaca42f0d
62 Risk Score

Malware Insights

C6 Messenger Downloader · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File

The sample is a PDF document that exploits the CVE-2008-2551 vulnerability, identified by the 'C6 Messenger DownloaderActiveX exploit' heuristic. This exploit is designed to download and execute a secondary payload. While several URLs are present, they are all marked as confirmed benign and are likely decoys or part of the exploit's lure. The primary IOC is the exploit itself, which points to the C6 Messenger Downloader family.

Heuristics 3

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://www.irna.ir/View/FullStory/?NewsId=1201393
    • http://www.irna.ir/View/FullStory/?NewsId=1201495
    • http://www.irna.ir/View/FullStory/?NewsId=1201438
    • http://www.farsnews.com/newstext.php?nn=8904061155
    • http://www.presstv.ir/detail.fa.aspx?id=132487&sectionid=351021501
    • http://www.presstv.ir/detail.fa.aspx?id=132417&sectionid=351021505
    • http://www.presstv.ir/detail.fa.aspx?id=132418&sectionid=351021501
    • http://www.presstv.ir/detail.fa.aspx?id=132388&sectionid=351021508
    • http://www.presstv.ir/detail.fa.aspx?id=132478&sectionid=351021504
    • http://www.presstv.ir/detail.fa.aspx?id=132427&sectionid=351021507
    • http://www.presstv.ir/detail.fa.aspx?id=132444&sectionid=351021507
    • http://www.irna.ir/View/FullStory/?NewsId=1201600
    • http://www.irna.ir/View/FullStory/?NewsId=1201590
    • http://www.farsnews.com/newstext.php?nn=8904071534
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00002518.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2518 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.