Malicious PDF — malware analysis report

Static analysis result for SHA-256 c431a7207164d7b9…

MALICIOUS

PDF

54.7 KB Created: 2011-05-26 13:26:07 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: bc4630efc8cacdff56cb9cbd7fb9d764 SHA-1: 3ac4799e40855a6fb07ad4de66220708b4622c6f SHA-256: c431a7207164d7b963c80d9c619fbab1817dcaa93e422716b4a273d33f10dc12
62 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1204.001 User Execution: Malicious Link T1059.001 PowerShell

The PDF file contains a critical heuristic indicating the CVE-2008-2551 exploit, which is known to download and execute secondary payloads. The embedded URL 'http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1' likely points to the exploit component, and 'http://artisanballoonz.com/system/system.exe' is a suspicious URL that could host the secondary payload. The document body contains numerous benign URLs, but the presence of the exploit overrides their benign reputation in the context of the overall attack.

Heuristics 3

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=227087
    • http://www.farsnews.com/newstext.php?nn=8903021701
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=227089
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=227098
    • http://www.presstv.ir/Persian.aspx?id=10147
    • http://www.iribnews.ir/Default.aspx?Page=MainContent&news_num=227078
    • http://www.presstv.ir/Persian.aspx?id=10143
    • http://www.presstv.ir/Persian.aspx?id=10149
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00001c2a.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1C2A 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.