Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2a8d93e21674a2a…

MALICIOUS

PDF

49.4 KB Created: 2011-04-27 03:13:16 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: e52c7f2402f8ac663863eb299d40ce99 SHA-1: 322e9e86e519154d48474ad1589137b332822271 SHA-256: d2a8d93e21674a2a74b2080a223fb32d4a14592adee051746e58ab465133d804
62 Risk Score

Malware Insights

MITRE ATT&CK
T1204.001 Malicious Link/Script: User Execution: Malicious Link T1204.002 Malicious Link/Script: User Execution: Malicious Script

The PDF contains a critical heuristic firing for the CVE_2008_2551 exploit, which is known to download and execute payloads. An embedded URL points to a suspicious executable file, 'system.exe', on the 'artisanballoonz.com' domain. This suggests the document is designed to lure the user into triggering the exploit, leading to the download and execution of malware.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000734.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x734 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.