Malicious PDF — malware analysis report

Static analysis result for SHA-256 86246ebdaf65ed5e…

MALICIOUS

PDF

57.4 KB Created: 2011-04-22 21:36:40 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 76f79a70c2a51ffcc6b7fa5323338efc SHA-1: 01e67ae419a6353576d6e4b632188cd3b0ab84a5 SHA-256: 86246ebdaf65ed5ea6c9671fd7078cebd126bab624db10b02459c3f1c4c2cfb8
62 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The PDF file contains a critical heuristic firing for CVE-2008-2551, indicating an exploit for C6 Messenger DownloaderActiveX. This exploit is likely used to download and execute a second-stage payload. While several URLs are present, they are all marked as confirmed benign and do not appear to be directly involved in the malicious payload delivery. No scripts were extracted from this sample.

Heuristics 3

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://www.farsnews.com/newstext.php?nn=8903231748
    • http://www.presstv.ir/detail.fa.aspx?id=130281&sectionid=351021501
    • http://www.presstv.ir/detail.fa.aspx?id=130195&sectionid=351021504
    • http://www.presstv.ir/detail.fa.aspx?id=130218&sectionid=351021504
    • http://www.presstv.ir/detail.fa.aspx?id=130215&sectionid=351021504
    • http://www.irna.ir/View/FullStory/?NewsId=1175587
    • http://www.farsnews.com/newstext.php?nn=8903240058
    • http://www.farsnews.com/newstext.php?nn=8903231714
    • http://www.irna.ir/View/FullStory/?NewsId=1175455
    • http://www.farsnews.com/newstext.php?nn=8903221309
    • http://www.irna.ir/View/FullStory/?NewsId=1175575
    • http://www.presstv.ir/detail.fa.aspx?id=130304&sectionid=351021507
    • http://www.presstv.ir/detail.fa.aspx?id=130255&sectionid=351021507
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off000026d0.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x26D0 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.