Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d10aaf8b7f59ef8…

MALICIOUS

PDF

50.4 KB Created: 2020-08-30 10:24:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a50f8c986b421d6d293e30ec07c219b1 SHA-1: 19071f67b5d64b268be9173a03c718947458eb71 SHA-256: 8d10aaf8b7f59ef850c443d8371dbd3ceb44c7bd0bf7a48780684cdb1707f331
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a link to a known malicious redirector, ttraff.cc, which is presented as a justification for absence. The document body, though heavily obfuscated, contains this URL and other benign-looking PDF links. The ML classifier also strongly indicated maliciousness. The primary attack vector appears to be social engineering via a malicious link within the document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=escrito+para+justificar+inasistencia
    • https://static.usrfiles.com/ugd/58a813_87e0606b36284fc48987971e57e071d9.pdf
    • https://static.usrfiles.com/ugd/544c7e_40858e85e5d046898e6d0ec7a0c6efd3.pdf
    • https://static.usrfiles.com/ugd/8ab72e_d174ae4adae74be88583bbb9a51c80f6.pdf
    • https://static.usrfiles.com/ugd/b8c837_9d68b757b6564f6597666d79b09c24aa.pdf
    • https://static.usrfiles.com/ugd/b8c837_56c778c42d384d11aaec11678f32ac8f.pdf
    • https://static.usrfiles.com/ugd/b8c837_a5d7dc1cfffc4c32bd88f0a002258f45.pdf
    • https://static.usrfiles.com/ugd/b85eb0_4cffaeb4d15a44708150769287dad629.pdf
    • https://static.usrfiles.com/ugd/b8c837_96ef957819994517b88d579f13cb03cc.pdf
    • https://static.usrfiles.com/ugd/cd79e3_f8947d0a0f3f48098aa789bb10ab4a5a.pdf
    • https://static.usrfiles.com/ugd/b8c837_1419d63d92f34f3ca6cab4cd2a702b00.pdf
    • https://static.usrfiles.com/ugd/d43733_4bbe15da43724118b4acacfe291b4364.pdf
    • https://static.usrfiles.com/ugd/1e4819_676282d3dd37416d93fc92fa544bca88.pdf
    • https://static.usrfiles.com/ugd/b8c837_449531be947f4abbbab4ac6ba5463b66.pdf
    • https://cdn.shopify.com/s/files/1/0428/9875/1641/files/sezozetumeraxeditup.pdf
    • https://cdn.shopify.com/s/files/1/0452/7711/8625/files/joystick_module_arduino_datasheet.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000085a0.bin
d40dfab6a59b088a1da5506924e60adaafec51a83e52a6faa72a346435c04697		 pdf-font-stream PDF embedded font (sfnt) at offset 0x85A0 5008 bytes
font_01_sfnt_off000096be.bin
0a139c2c9b43be08516a01edf089a60a12feee789d11e992ecb24c984969b52f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x96BE 11788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.