Malicious PDF — malware analysis report

Static analysis result for SHA-256 9cb3a0bff68a2b25…

Verdict: MALICIOUS
File type: PDF
Size: 58.8 KB
Created: 2011-05-17 08:39:29
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: e9e465754c8d04fcaf685ca40f9f017e
SHA-1: 7a9bb69a6473ffc9d33251833dfd35d242161741
SHA-256: 9cb3a0bff68a2b25acafc726939f4c3392b590e6ba09de12c004502aadc9de39
Risk score: 64

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF file contains a critical heuristic firing for CVE_2008_2551, indicating it exploits a vulnerability to download a payload. The embedded URL and an additional extracted URL point to potential download locations for malicious content. The presence of the DownloaderActiveX exploit suggests the document's primary purpose is to leverage this vulnerability to fetch and execute further malicious code.

Heuristics (3)

  • C6 Messenger DownloaderActiveX exploit (severity: critical; match: CVE exact; id: CVE_2008_2551)
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI (severity: info; id: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_008_off00002bd3.bin
SHA-256: 80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x2BD3
Size: 73272 bytes