Malicious PDF — malware analysis report

Static analysis result for SHA-256 80e58ff40c80a253…

MALICIOUS

PDF

Size: 21.8 KB
Created: 2020-09-17 01:03:23 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-09-15
MD5: 3d824c5e63d9483c777ab8100e5f4abb
SHA-1: b92eabfa3a6493c0d44f927905a43efbdd2a9133
SHA-256: 80e58ff40c80a25399051ecac84bc43e826b111e45f274fde1d5051d6b329c79
Risk Score: 182

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains a large number of embedded links, many of which point to disposable hosting or redirector infrastructure. The primary URL, https://ttraff.club/wix?keyword=find+the+slope+given+two+points+worksheet+doc, suggests a lure to trick users into downloading further content. The ML classifier strongly indicates maliciousness, and the link farm behavior is a common tactic for distributing malware or conducting phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics (4)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (each labelled with the channel that reached it):
    • https://ttraff.club/wix?keyword=find+the+slope+given+two+points+worksheet+doc (in PDF document text)
    • http://www.ascendercorp.com/ (in PDF document text)
    • http://www.ascendercorp.com/typedesigners.html (in PDF document text)
    • https://171d0b28-4cbb-4a56-8e14-92d080c69f55.filesusr.com/ugd/efc97f_1bd1c31fa9dc4ddd8ee36bba12355526.pdf?index=true (in PDF document text)
    • https://9c670ae2-7d38-48f7-aaa7-6ca4c246937e.filesusr.com/ugd/39cb9d_f62e976024ba436c9d462d16ed290682.pdf?index=true (in PDF document text)
    • https://6a253ec8-6d74-45ec-b47a-a19cd91f5c79.filesusr.com/ugd/011e4b_ce8c4aab68be40f68e61c0f5bbe574b7.pdf?index=true (in PDF document text)
    • https://818530b3-0430-4a33-9184-81ff08ee5c02.filesusr.com/ugd/c33cdb_71f6945c50b548e7b6f011ca998b9ce7.pdf?index=true (in PDF document text)
    • https://6b86eb0d-40a6-4650-ad95-9c06ac74fd8e.filesusr.com/ugd/d216cb_38bb6753f7f84f379de7d504b410fbb5.pdf?index=true (in PDF document text)
    • https://9f38e598-0eb6-4ab4-b425-6297cbffd2b3.filesusr.com/ugd/33ab24_acceefce51404c91b79c8c3a8bb9fb81.pdf?index=true (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0428/1031/0822/files/nabuvefoxovajutazav.pdf (in PDF document text)
    • https://cdn.shopify.com/s/files/1/0456/9946/5372/files/tenikuxoxewajewuf.pdf (in PDF document text)
    • https://6d36bd65-e2a0-4753-ab35-5260af711913.filesusr.com/ugd/ab922d_ed1cd6c09d874bb6afae666bd20ef1f8.pdf?index=true (in PDF document text)
    • https://6081803a-3db9-471a-9e19-c27c079f0f99.filesusr.com/ugd/ea2f88_59d4f2f73de64f74a6508b0f3c1e30c1.pdf?index=true (in PDF document text)
    • https://9b35f37d-0256-45b1-b8f5-cf525fb70a17.filesusr.com/ugd/1fbf8b_ad5a54fe48b24ad5b94c846611b924cb.pdf?index=true (in PDF document text)
    • https://9b15107e-0e6a-4665-b0dc-57da0838c4ba.filesusr.com/ugd/61b8bf_9e479d82ff43431b860e48a132b46c9b.pdf?index=true (in PDF document text)
    • http://scripts.sil.org/OFL (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000047f0.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x47F0
Size: 5296 bytes
SHA-256: da24fea8234d9d100bb7c49598a9d18d391298a6b73e54948118cc1409f7ff48