PDF malware analysis — malicious · 56873efef2731db9

MALICIOUS

PDF

334.8 KB Created: 2011-05-28 19:44:47 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))

MD5: ffcac71ecacf9258deef8eaf4c2f4c71 SHA-1: 5746f68e4338c5ebe49761097ab1d76465329a4e SHA-256: 56873efef2731db9992e3572e77d5cfe2733d0f710d5622e48b805a8589729e2

60 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The sample is a PDF document that contains a critical heuristic firing for CVE_2008_2551, indicating an exploit for the C6 Messenger DownloaderActiveX. This exploit likely facilitates the download of a secondary payload. An embedded URL, http://artisanballoonz.com/system/system.exe, is present and marked as unknown reputation, suggesting it is the likely source of the malicious payload. The document body is heavily obfuscated and unreadable, providing no further context on the lure.

Heuristics 2

C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551

PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://artisanballoonz.com/system/system.exe
- http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_001_off00000420.bin` `80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x420	73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.