PDF malware analysis — malicious · fa7c93ccffb0defe

MALICIOUS

PDF

37.5 KB Created: 2020-10-16 18:48:31 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-05-15

MD5: b89f2086c801dccae733225173b93364 SHA-1: b861d4ba9b9f74238283796ef73b747daaf89abd SHA-256: fa7c93ccffb0defe84e4796dc5f86fc6d1fefd1ea2d8da68671e59c768243dfb

194 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links, many pointing to redirector infrastructure like 'ttraff.com', which is flagged as malicious. The document body, though heavily obfuscated, contains a URL that appears to be part of a phishing lure for an Acer tablet. The presence of multiple external PDF links suggests an attempt to create a link farm for SEO manipulation, likely to distribute malicious content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Image lure linking to an SEO redirector (free-download phishing) high PDF_SEO_UTM_REDIRECTOR_LINK

PDF embeds an image with little or no body text and a clickable link to a multi-word utm_term / FeedBurner-proxied SEO redirector — the 'free ebook / solution-manual / document download' phishing family that ranks for natural-language search queries and routes the user into a payload/redirect chain. The PDF carries no exploit; the risk is the linked destination. Flagged structurally (image lure + SEO redirector) so it does not depend on a ClamAV/ML signature, and regardless of how many filler text pages the lure carries.
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=acer+tablet+android+7.0 In PDF document text
- https://cdn-cms.f-static.net/uploads/4366003/normal_5f874fdc17b8c.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4365555/normal_5f8727d8673b6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4368735/normal_5f87875233420.pdfIn PDF document text
- https://genigudepa.weebly.com/uploads/1/3/1/0/131070712/bagatazojiz_sidatasofugugor_sofaxazute_gureluf.pdfIn PDF document text
- https://nikokabiliru.weebly.com/uploads/1/3/1/4/131409463/e36a623e4e.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366010/normal_5f875a1f1c2c6.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4375083/normal_5f89374497620.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366632/normal_5f87afb7a0459.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370266/normal_5f89b13d7b7c8.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4372721/normal_5f8976f0e48d5.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4366305/normal_5f88b8d5c3761.pdfIn PDF document text
- https://cdn-cms.f-static.net/uploads/4370068/normal_5f890287aef25.pdfIn PDF document text
- https://rabifupokuwu.weebly.com/uploads/1/3/1/1/131164250/5734794.pdfIn PDF document text
- https://mivosubewo.weebly.com/uploads/1/3/1/4/131407796/nurofig_teburovuxi_finona.pdfIn PDF document text
- https://dutitujazekap.weebly.com/uploads/1/3/0/8/130814390/1158663.pdfIn PDF document text
- http://www.ascendercorp.com/In PDF document text
- http://www.ascendercorp.com/typedesigners.htmlIn PDF document text
- https://uploads.strikinglycdn.com/files/564233d2-0b9d-41ac-8049-821ac7513b4d/vupivedeli.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/5562f661-78fb-4eaf-abf2-debada07a2d0/sojosive.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/a9202958-a9af-4e0b-9071-4faad336108b/79821278366.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/fbe5f95f-964c-4481-9425-f4dba1b02edc/woxewalapu.pdfIn PDF document text
- https://uploads.strikinglycdn.com/files/bf464683-5f8a-46d4-9395-3a76290f6178/duwavumuti.pdfIn PDF document text
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://ns.adobe.com/xap/1.0/rights/In PDF document text
- http://scripts.sil.org/OFLIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005411.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5411	5136 bytes
SHA-256: `ea7c2911f6a760a666bb21ce20530650d3bc4cd189994c6acf255d8ba7814aab`
`font_01_sfnt_off00006591.bin`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6591	10468 bytes
SHA-256: `c2a8b734708ff409800ce6961505d949b0b7b5db3a109475ca3c4aa49e46bc83`

Open this report in the interactive analyzer, or submit your own file for analysis.