Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc17f2a257a1a6bc…

MALICIOUS

PDF

119.0 KB Created: 2011-04-22 21:30:19 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: c80affcb8759ad6e0d18c709a686da42 SHA-1: aab31f39c02e957ca0daaeaff43d70ffa748b420 SHA-256: bc17f2a257a1a6bc7520eca9986508f32ffac2ddd9328e31aa40ef9178126f8e
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF contains a critical heuristic firing for CVE-2008-2551, indicating an exploit for the C6 Messenger DownloaderActiveX. This exploit is designed to download and execute a payload from a remote URL. The embedded URL http://artisanballoonz.com/system/system.exe is flagged as unknown reputation and is the likely source of the malicious payload. The document body was unreadable, but the exploit and URL are sufficient indicators of malicious intent.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000429.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x429 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.