Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a785a59e435052d…

MALICIOUS

PDF

856.1 KB Created: 2011-05-26 15:14:35 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 648b8ba68d36e37746c52923ad61c69b SHA-1: b7a6ad8f8bdd471010831f7d097a2520183158f8 SHA-256: 4a785a59e435052dca309f1214cabf0fc2b445545214111d79740eefa2b183f1
76 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The PDF file contains an embedded JavaScript stream and triggers an exploit for CVE-2008-2551, which is known to download and execute arbitrary files. The heuristic firings indicate the use of JavaScript and a specific ActiveX exploit. The embedded URL 'http://artisanballoonz.com/system/system.exe' is highly suspicious and likely serves as the download location for the secondary payload. The PDF's structure also includes an optional content group with an action trigger, further supporting the exploit delivery mechanism.

Heuristics 4

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000401.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x401 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.