C6 Messenger Downloader — PDF malware analysis

Static analysis result for SHA-256 71401103feecb4e3…

MALICIOUS

PDF

57.6 KB Created: 2011-04-27 03:03:33 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: c8e3a6b6dbc1eee46fe47fb0652d235e SHA-1: 546e45cf3a2deb0b54d33697e1afa520d3b70813 SHA-256: 71401103feecb4e363a257912c70ad021609f812404a678a11c66fe0a155dcd8
64 Risk Score

Malware Insights

C6 Messenger Downloader · confidence 95%

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a PDF document that exploits the CVE-2008-2551 vulnerability, identified by the 'C6 Messenger DownloaderActiveX exploit' heuristic. This exploit is designed to download and execute a second-stage payload. While many URLs are present, they are all marked as benign and appear to be part of the document's lure content rather than direct download sources for the payload. The primary malicious action is the exploitation of the PDF vulnerability.

Machine Learning

  • Nyx PDF Classifier clean score 0.2459

Heuristics 3

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://www.farsnews.com/newstext.php?nn=8903050230
    • http://www.farsnews.com/newstext.php?nn=8903041749
    • http://www.farsnews.com/newstext.php?nn=8903050058
    • http://www.presstv.ir/Persian.aspx?id=10193
    • http://www.mehrnews.com/fa/newsdetail.aspx?NewsID=1089607
    • http://www.presstv.ir/Persian.aspx?id=10194
    • http://beta.iribnews.ir/VMK/Body.aspx?id=672667
    • http://beta.iribnews.ir/VMK/Body.aspx?id=672670
    • http://www.farsnews.com/newstext.php?nn=8903050230������
    • http://www.farsnews.com/newstext.php?nn=8903041749������
    • http://www.farsnews.com/newstext.php?nn=8903050058������
    • http://www.presstv.ir/Persian.aspx?id=10193������
    • http://www.mehrnews.com/fa/newsdetail.aspx?NewsID=1089607���������������������������������
    • http://www.presstv.ir/Persian.aspx?id=10194������������������
    • http://beta.iribnews.ir/VMK/Body.aspx?id=672667������������������
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off00002727.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2727 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.