Malicious PDF — malware analysis report

Static analysis result for SHA-256 50e444c4b52a6faf…

MALICIOUS

PDF

64.4 KB Created: 2020-08-30 21:21:20 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 96e9c2050bf39fbc27c6239c24a90a50 SHA-1: 38d7f66754072469e0c875b4109768e266ac42a5 SHA-256: 50e444c4b52a6faff44ef3427d4e68cb53f28b3515352692592afd209ecc03b2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged as malicious due to the presence of a redirector link pointing to 'https://ttraff.club/wix?keyword=school+girl+tight+pussy'. This indicates an attempt to lure users to a potentially harmful website. The document body, though heavily obfuscated, also contains this URL, reinforcing its malicious intent. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=school+girl+tight+pussy
    • https://static.usrfiles.com/ugd/ae059d_4a595dce56284911a77bbb945a825a51.pdf
    • https://static.usrfiles.com/ugd/e42ee3_4b7a49e1edff41cf9014bb9264a98248.pdf
    • https://static.usrfiles.com/ugd/a771bd_83dbf67e95c54c758813dddf0b8b6ae2.pdf
    • https://static.usrfiles.com/ugd/451461_01a63b007ee74ac580d7014e0dbda740.pdf
    • https://static.usrfiles.com/ugd/b8c837_3f47abcdb9904945a9c1c2bf44638d6d.pdf
    • https://static.usrfiles.com/ugd/b8c837_8af2958918294897a28c4037d4c9908c.pdf
    • https://static.usrfiles.com/ugd/67f5f7_107564ba3f9e4b43b66b827087d74838.pdf
    • https://static.usrfiles.com/ugd/822ecd_b597dc685c6c473a8f1afbe79eaf483a.pdf
    • https://cdn.shopify.com/s/files/1/0436/1083/3058/files/noboxugajirarobeworu.pdf
    • https://cdn.shopify.com/s/files/1/0432/3459/0888/files/33254804398.pdf
    • https://cdn.shopify.com/s/files/1/0437/0730/2037/files/caboolture_train_line_timetable.pdf
    • https://static.usrfiles.com/ugd/ecec20_5e79256920ac4cf9aa5028e2ddb00180.pdf
    • https://static.usrfiles.com/ugd/b8c837_841a276aa1df44f2a5fb74083887c82a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000bbdf.bin
b414240f09d29543c49b6f613cbf0103f7f266c0ad8ca889aa0c08bd1e0d56cb		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBBDF 5192 bytes
font_01_sfnt_off0000cd84.bin
4407dc814c86301d533a987af42b4c3a55667e0784dc8657becb5e114e8b0bad		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCD84 12084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.