Malicious PDF — malware analysis report

Static analysis result for SHA-256 e59c1de25e371f4c…

MALICIOUS

PDF

48.8 KB Created: 2011-04-22 21:15:39 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: 18740825b7444c4a242d321b431ccaa5 SHA-1: 8419c54febfc47fa36719d6cd8cdf0359347f89b SHA-256: e59c1de25e371f4c252fc1b9c12e03f209f4404aa0c17588695101ccf7e617bf
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF file contains a marker indicating the CVE-2008-2551 exploit, which is known to download and execute arbitrary code. The embedded URL points to a CAB file that likely contains the exploit, and another URL is present that likely hosts the secondary payload. The document body is heavily truncated and unreadable, preventing further analysis of its specific lure.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000004f0.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4F0 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.