Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f9f83dfde23e67a…

MALICIOUS

PDF

212.7 KB Created: 2011-06-22 16:56:00 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: b803388aba170a511a30f31f477f5349 SHA-1: 1a614b186bb8b64de64b1a2bbdc2fa962064beea SHA-256: 7f9f83dfde23e67a644f9e8d8ede5525274fb947ff4788fe570a58bb01d4de7e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a marker for the CVE-2008-2551 DownloaderActiveX exploit, indicating it's designed to download and execute a payload. The embedded URL http://artisanballoonz.com/system/system.exe is likely the location of this payload. While one embedded URL was benign, the presence of the exploit marker and the unknown reputation of the second URL strongly suggest malicious intent.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000003e7.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3E7 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.