Malicious PDF — malware analysis report

Static analysis result for SHA-256 c33cf3889c8d14f2…

Verdict: MALICIOUS
File type: PDF
Size: 33.6 KB
Created: 2020-09-18 19:17:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-05-23
MD5: 14fed24604945918bf8072c964815ecc
SHA-1: fc31bf2f69e66ecb721f2cba7ff0be122cd20a77
SHA-256: c33cf3889c8d14f29262a97c39ae243f5a1199a208188423e6bfce3ab866931d
Risk Score: 184

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links, many of which point to disposable hosting and appear to be part of a link farm designed to obscure malicious redirects. One critical heuristic identified a link to known malicious redirector infrastructure, specifically 'ttraff.link', which is used to deliver a 'root installer apkpure'. This suggests the document is a lure to download potentially malicious software.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Small PDF is a non-clustered link farm on disposable hosting [medium] PDF_SEO_DISPOSABLE_LINK_FARM
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://ttraff.link/wix?keyword=root+installer+apkpure (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000048c7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x48C7 | 4884 bytes
    SHA-256: d2ea3164f54f1a37307e7cd32fd71234e8e5f83199ac02e03f77ec89bfefe5bb
font_01_sfnt_off00005974.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5974 | 9468 bytes
    SHA-256: 880ee3228a103bd5424d8171557d04e9c79354394c623382a95abc3069726acb