Malicious PDF — malware analysis report

Static analysis result for SHA-256 82a1ff77c453512b…

MALICIOUS

PDF

46.3 KB Created: 2020-09-01 01:21:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc2f834035b70814accc19e5d019ba90 SHA-1: e012e67b368d51f61748b036a9276b4942996288 SHA-256: 82a1ff77c453512ba22d051e80e6e5055e260a52bc9ba3ed4c7b3b5d61c99adc
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF contains a high number of embedded links, with a critical heuristic firing for PDF_MALICIOUS_REDIRECTOR_LINK, pointing to 'ttraff.club'. This indicates the document is designed to redirect users to malicious infrastructure. The document body, though heavily obfuscated, contains the same URL, reinforcing its role as a lure. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=cornell+johnson+employment+report+2018
    • https://static.usrfiles.com/ugd/b8c837_612b98f10a354772a52a65cf8179cb66.pdf
    • https://static.usrfiles.com/ugd/de3d83_a1a6a7f795f744fc9d933272ba955785.pdf
    • https://static.usrfiles.com/ugd/77941b_0b2c43bf0d0a46dab3d3305e0c599dc0.pdf
    • https://static.usrfiles.com/ugd/bd5c68_53f60053cc5c49f590ef8c1a0460ae47.pdf
    • https://static.usrfiles.com/ugd/b8c837_96a059437a0649ac9aaf8f377b63c9d4.pdf
    • https://static.usrfiles.com/ugd/738632_b802aeac429e44a09976a38b1294c2f2.pdf
    • https://static.usrfiles.com/ugd/451461_1e29cddc17ae4dbe85a6bf662b1bcd03.pdf
    • https://static.usrfiles.com/ugd/b8c837_e9c4ddd1fcf14e5c8f4eefad11cccdba.pdf
    • https://static.usrfiles.com/ugd/b8c837_b9f395fc2c864c989723d751dcb105d5.pdf
    • https://cdn.shopify.com/s/files/1/0431/7600/1700/files/sumeduvojapidukuzajivuz.pdf
    • https://cdn.shopify.com/s/files/1/0434/4558/4033/files/45409637701.pdf
    • https://cdn.shopify.com/s/files/1/0433/5127/7726/files/.pdf
    • https://cdn.shopify.com/s/files/1/0432/1456/9640/files/mititebufosowe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://cdn.shopify.com/s/fil

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000075d9.bin
14fa678408fd1fff6d269e52c732bb5af5c43461b8e68b102620c5bd92b3d8b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75D9 5452 bytes
font_01_sfnt_off00008848.bin
130caf3bbb483fc67686782c1f7bf78960c4ca87074a6e0b8ae765c9668114b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8848 10500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.