Malicious PDF — malware analysis report

Static analysis result for SHA-256 91ef793cf16c2dc5…

MALICIOUS

PDF

146.9 KB Created: 2011-05-26 15:02:35 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 07f3b51a1acbd740e13ab46bcff524c7 SHA-1: bf6ecb90bbedd557903b532c05f66a8d168ddf0d SHA-256: 91ef793cf16c2dc5ba9de8a957101c73946beffaa23fcdd1abc00e776425cb79
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF file contains a marker indicating the CVE-2008-2551 exploit, which is known to download and execute arbitrary code. The embedded URL http://artisanballoonz.com/system/system.exe is highly suspicious and likely serves as the download location for the secondary payload. The document body was unreadable, but the heuristic firing is sufficient to determine the attack vector.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000dc2.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xDC2 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.