C6 Messenger Downloader — PDF malware analysis

Static analysis result for SHA-256 cc2761ea0f76f45d…

MALICIOUS

PDF

54.2 KB Created: 2011-05-17 08:54:01 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: ed1c627495bdcaeb5423ae78e451d516 SHA-1: 14a8ed5ab81402ce7bf793acd6e89b9515f6a876 SHA-256: cc2761ea0f76f45d1e7a99cac0798bd54fcf692cbe4c189c3f9df8d440084abb
62 Risk Score

Malware Insights

C6 Messenger Downloader · confidence 95%

The critical heuristic firing for CVE_2008_2551 indicates the file exploits a known vulnerability to download a secondary payload. The embedded URL http://artisanballoonz.com/system/system.exe is likely the source of this payload. The file type is PDF, and the authoring application suggests it was generated by Joomla! via TCPDF, which can be used to embed exploits.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00001a5e.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1A5E 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.