Malicious PDF — malware analysis report

Static analysis result for SHA-256 50ea339911063a59…

MALICIOUS

PDF

331.9 KB Created: 2011-06-22 18:04:45 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: a6484dc6828168d96751d76a9dd64bdd SHA-1: ef32f512904429f02af63af3d6c2ac43def32f7b SHA-256: 50ea339911063a594fd011c31b23fc04cd19c99f8e52b0f33fee27383884fd49
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The critical heuristic firing indicates the presence of the C6 Messenger DownloaderActiveX exploit (CVE-2008-2551). This exploit is designed to download and execute a payload from a remote URL. The embedded URL http://artisanballoonz.com/system/system.exe is highly suspicious and likely serves as the download location for the malicious payload. The PDF structure itself does not contain readable content, but the exploit and the associated URL strongly suggest a drive-by download attack.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000003cb.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3CB 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.