Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e38567eb5a96284…

MALICIOUS

PDF

41.0 KB Created: 2020-09-09 07:42:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 02747a63e9d558a7395ae0b2821e7f40 SHA-1: a50475f09c401cf9e74a15482fa34ecee0539c0b SHA-256: 2e38567eb5a962843b37ba56dd490b7c996d97bc498d815d628b403c5c490008
90 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a critical heuristic firing indicating a malicious redirector link. The embedded URL, https://ttraff.club/wix?keyword=ser+bachiller+preguntas+2018+pdf, is the primary indicator of malicious intent. The document body, though heavily obfuscated, contains text related to 'Ser bachiller preguntas 2018 pdf', suggesting a lure to trick users into clicking the malicious link. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 2

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=ser+bachiller+preguntas+2018+pdf
    • https://cdn.shopify.com/s/files/1/0428/9835/8432/files/71340125447.pdf
    • https://cdn.shopify.com/s/files/1/0430/8012/2532/files/puratawufetuvigugupuw.pdf
    • https://cdn.shopify.com/s/files/1/0436/0758/9027/files/21263151102.pdf
    • https://static.usrfiles.com/ugd/008e52_54dcb4f7663e474cb680bbcd2ff61560.pdf
    • https://static.usrfiles.com/ugd/4bdc6d_b4629a5c0eb24fa2964f96f819f95633.pdf
    • https://static.usrfiles.com/ugd/7e0eb0_3c253772f7464430a5ef97297bb46dda.pdf
    • https://static.usrfiles.com/ugd/1479de_974e4195d5db4e18ba567b82c58daf8b.pdf
    • https://static.usrfiles.com/ugd/aff7ca_6779da98fc644b989312af0df032e4bc.pdf
    • https://static.usrfiles.com/ugd/d43733_a034b80a7c2e47ac88541572d8e843b9.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005aff.bin
86b40bc9320508e8a560b2d05d7d2d2667e8efbca01abc92d866d6e9d232b6c3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5AFF 6180 bytes
font_01_sfnt_off00006ffd.bin
9f9917cd1e6c8274739a7e054749f5c3dc14ac8fa3a5ad8cfd918f651b811e12		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6FFD 11784 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.