Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3d67162ae168701…

MALICIOUS

PDF

284.2 KB Created: 2011-04-16 14:07:11 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: c204df054ac66f4f4f9bbf899279b117 SHA-1: 5ef14b361b39f939c496d09b5180e0f78f98535a SHA-256: b3d67162ae16870184b018b8d3f6d705e412846ead33ab82f614cb15c2ba0ff0
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The sample is a PDF file that contains a heuristic firing for CVE_2008_2551, indicating it exploits a vulnerability to download a secondary payload. The embedded URL http://artisanballoonz.com/system/system.exe is highly suspicious and likely serves as the download location for this payload. The PDF's document body was truncated and unreadable, but the exploit and the suspicious URL strongly suggest a malicious download attempt.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off0000054a.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x54A 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.