Malicious PDF — malware analysis report

Static analysis result for SHA-256 486ef78e6770ba16…

MALICIOUS

PDF

56.7 KB Created: 2011-04-27 03:39:22 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 44205b547b6a1f4219bef6b9d6eb7476 SHA-1: 50b07c360b88e239bf3c3df1cc58a6c4e59fb64c SHA-256: 486ef78e6770ba168ce88557cdf81cb06b9dc0444dea35f8bee26f0206faafb3
62 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a PDF document that exploits the CVE-2008-2551 vulnerability, indicated by the 'C6 Messenger DownloaderActiveX exploit' heuristic firing. This exploit likely facilitates the download of a second-stage payload from one of the embedded URLs. While many URLs were extracted, their reputation labels are confirmed benign, suggesting they may be decoys or that the malicious payload URL was not identified. No scripts were extracted from this sample.

Heuristics 3

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://www.irna.ir/View/FullStory/?NewsId=1225289
    • http://www.farsnews.com/newstext.php?nn=8904230102
    • http://www.presstv.ir/detail.fa.aspx?id=134657&sectionid=351021501
    • http://www.farsnews.com/newstext.php?nn=8904230001
    • http://www.farsnews.com/newstext.php?nn=8904230024
    • http://www.presstv.ir/detail.fa.aspx?id=134617&sectionid=351021504
    • http://www.presstv.ir/detail.fa.aspx?id=134625&sectionid=351021509
    • http://www.presstv.ir/detail.fa.aspx?id=134663&sectionid=351021507
    • http://www.presstv.ir/detail.fa.aspx?id=134626&sectionid=351021507
    • http://www.presstv.ir/detail.fa.aspx?id=134605&sectionid=351021506
    • http://www.presstv.ir/detail.fa.aspx?id=134667&sectionid=351021507
    • http://www.presstv.ir/detail.fa.aspx?id=134612&sectionid=351021503
    • http://www.presstv.ir/detail.fa.aspx?id=134582&sectionid=351021507
    • http://www.farsnews.com/newstext.php?nn=8904220149
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000023f5.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x23F5 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.