PDF malware analysis — malicious · 6ca3cc8e01f04f0d

MALICIOUS

PDF

849.0 KB Created: 2011-04-22 21:48:17 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))

MD5: 02a945f3bc42e19f3022e3feb9028d2e SHA-1: 45d2957e440f8051b3b0c7a57cc30a5bac907366 SHA-256: 6ca3cc8e01f04f0d4707cb466e17d0267b8fbef426a06bad495a32b36ab64370

92 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a PDF file flagged by ML classifiers as malicious and contains a known exploit (CVE_2008_2551) for DownloaderActiveX. This exploit likely facilitates the download and execution of a secondary payload from the URL http://artisanballoonz.com/system/system.exe. The embedded URL http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1 is also noted, though its reputation is confirmed benign.

Machine Learning

Nyx PDF Classifier malicious score 0.9531

Heuristics 2

C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551

PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://artisanballoonz.com/system/system.exe
- http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_001_off00000418.bin` `80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x418	73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.