Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e5de77f9a45247a…

MALICIOUS

PDF

45.6 KB Created: 2020-09-18 20:28:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00b152c56346a5c20d33024dbe9597cd SHA-1: d56dfe30989062f7597c77e213743ca54361ba8f SHA-256: 8e5de77f9a45247a12163c623c4853c10fdce976ad385895c923d738751bc126
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a malicious redirector link pointing to ttraff.com, which is a known malicious domain. Additionally, the document exhibits characteristics of a PDF link farm, with numerous external links, likely for SEO manipulation or to distribute further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.com/wix?keyword=unidad+2+etapa+1+ws%25237+answers
    • https://1f3ab236-91
    • https://1b18a8ef-70da-4bde-ab59-a6541588812f.filesusr.com/ugd/50988c_df9e339328244fb28d01f8c67047f838.pdf?index=true
    • https://14da9c48-9148-4c5e-93f8-725926edf0e9.filesusr.com/ugd/e643da_9e0f5c8855ff4c4a8804a538b046637f.pdf?index=true
    • https://b371dde2-cc5c-4b58-b231-d4fa367df91b.filesusr.com/ugd/06497e_167db1e2e2a549d1842538fad8800b4d.pdf?index=true
    • https://5cb56aa4-8895-4894-a023-b0dc8f82906c.filesusr.com/ugd/8a05ec_84dc2fa25de44dbda58bc94aac31bb32.pdf?index=true
    • https://0922c5e7-68e2-4494-bc65-89e4efe37d30.filesusr.com/ugd/e50c99_3aebabf752a34bbe923c4270283b1793.pdf?index=true
    • https://852c3384-3772-405f-b05a-978223b64b5c.filesusr.com/ugd/e745be_3d0c726e1f2b41b2b2ac5bc4a4eaf117.pdf?index=true
    • https://cdn.shopify.com/s/files/1/0430/7858/2439/files/750350374.pdf
    • https://cdn.shopify.com/s/files/1/0433/8014/6343/files/wireless_cctv_camera_installation_guide.pdf
    • https://fa350b60-1980-491c-8ece-3e6ad1558e41.filesusr.com/ugd/34e21e_dece33327fcb45399689d5269957cb6f.pdf?index=true
    • https://1f3ab236-91cd-4bd6-b714-8bec883a64c2.filesusr.com/ugd/5e8de6_5e54be800b424a27a9b08ad63f587b3b.pdf?index=true
    • https://21a6897d-40a2-417c-9fb1-2343491da91b.filesusr.com/ugd/d1c05f_aec249e9acff42259d01408ab96cccda.pdf?index=true
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000074bc.bin
93f1ae1f43d97e564132f96a741ed5d49e7f3c162891766c5baad67264278689		 pdf-font-stream PDF embedded font (sfnt) at offset 0x74BC 5092 bytes
font_01_sfnt_off00008640.bin
28d118151f62d2b6666cb09a453a9550258424f412048ba09cbc80321e4cb11b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8640 10468 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.