Malicious PDF — malware analysis report

Static analysis result for SHA-256 951eee99482704a0…

Verdict: MALICIOUS
File type: PDF

Size: 338.4 KB
Created: 2011-06-22 16:40:24
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: a7c53312791fd46e97b06bc06977177f
SHA-1: 5ef6996ba1cc38e00a9f9682672c38b7218af353
SHA-256: 951eee99482704a0b9ac0182aa56535a9c79aa66cb7969c2a62566aaab6302a2
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a PDF document that contains a marker for the CVE-2008-2551 exploit (C6 Messenger DownloaderActiveX), which is known to download and execute arbitrary code. The embedded URL http://artisanballoonz.com/system/system.exe is highly suspicious and is the likely download location for the secondary payload. The benign reputation of the other URL suggests it is not part of the malicious chain.

Heuristics (2)

  • C6 Messenger DownloaderActiveX exploit (severity: critical; CVE match: exact, CVE_2008_2551)
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_001_off000004a4.bin
SHA-256: 80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x4A4
Size: 73272 bytes