Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3eab3226a066d4d…

MALICIOUS

PDF

52.2 KB Created: 2011-06-22 17:42:24 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 3.0.015 (http://www.tcpdf.org))
MD5: fcc47a922816445b343800b46085bf6d SHA-1: 3f27615a30cf3f48689da5943da579eff8b92f57 SHA-256: f3eab3226a066d4deb462b0b315e23efb60d47d994ba103ed4ea3332f89ccdb6
60 Risk Score

Malware Insights

MITRE ATT&CK
T1204.001 Malicious Link T1204.002 Malicious File

The PDF contains a heuristic firing for CVE_2008_2551, indicating an exploit for C6 Messenger DownloaderActiveX. It also contains an embedded URL pointing to system.exe, which is likely the secondary payload. The exploit is designed to download and execute this payload.

Heuristics 2

  • C6 Messenger DownloaderActiveX exploit critical CVE exact CVE_2008_2551
    PDF stream bytes contain HTML/ActiveX content configuring the vulnerable C6 Messenger DownloaderActiveX control with propDownloadUrl and propPostDownloadAction=run. This is the published exploit shape for CVE-2008-2551.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://artisanballoonz.com/system/system.exe
    • http://c6.community.alice.it/download/DownloaderActiveX.cab#Version=1,0,0,1

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00001259.bin
80ce46be3b4d5733393d911e720cc341eac961413bc8841086c1643fee9fc14b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1259 73272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.