Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bcc2916306e38bc…

Verdict: MALICIOUS
File type: PDF
Size: 64.0 KB
Created: 2020-10-28 11:17:30 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 51efc8649dc91ba1532a3bccb77f37f9
SHA-1: 4559228e9643b5d2a077498e0fa2796df1398f4e
SHA-256: 5bcc2916306e38bc98686979b1ed855006ed49344e8101d388677397820c363d
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

A critical heuristic fired on this PDF: it contains a link to known malicious redirector infrastructure, 'https://ttraff.club/123?keyword=she+loves+math+graphing+polynomials'. Such a URL is typically used to deliver a secondary payload or to redirect the user to a phishing site. The ML classifier independently flagged the document as malicious with high confidence. The document body contains obfuscated text and embedded URLs, which further supports the assessment of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9572)

Heuristics (2)

  • PDF links to known malicious redirector infrastructure (severity: critical, rule PDF_MALICIOUS_REDIRECTOR_LINK)
    The PDF contains a clickable URI pointing to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. Documents of this kind typically rely on user interaction and redirect chains rather than on a PDF parser vulnerability.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL flagged by the redirector heuristic: https://ttraff.club/123?keyword=she+loves+math+graphing+polynomials

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                     Kind                     Source                                      Size
stream_005_off0000f13b.bin   decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xF13B    4994 bytes
  SHA-256: 6de5d668423a0f2a7c2201a8918a642abec8da40ffa94dd9ca3a5cb93886b1c8
font_00_sfnt_off0000dea8.bin pdf-font-stream          PDF embedded font (sfnt) at offset 0xDEA8   5500 bytes
  SHA-256: 2800d66ef5f3e6d811926ca818107a45fd6182034723e13dd4b37dc3535b8de1