MALICIOUS
160
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 User Execution: Malicious Link
The PDF contains a lure related to cracking Aadhaar card passwords, directing users to a malicious redirector. It also exhibits characteristics of a link farm, embedding numerous external links, many of which point to benign Shopify URLs but are likely used to inflate search engine rankings. The presence of a password protection lure suggests the document itself may be a decoy to encourage the download of a separate, password-protected malicious payload.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LUREDocument gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=aadhaar+card+pdf+password+cracker+online
- http://files.csuwritingproject.net/uploads/1/3/0/7/130739704/ad4b0c9cd8cea39.pdf
- http://files.windycityknittingguild.com/uploads/1/3/1/3/131381363/jubokodu-xuwekuketapemul-fikevapuxarev.pdf
- http://files.rivermenrodandgunclub.com/uploads/1/3/2/3/132302973/nomegariwutok-wibiwu-visinatixubuj-sojimuta.pdf
- https://cdn.shopify.com/s/files/1/0435/6512/1695/files/camera_calibration_chessboard.pdf
- https://cdn.shopify.com/s/files/1/0434/5082/6919/files/47383170436.pdf
- https://cdn.shopify.com/s/files/1/0431/0063/5290/files/rst_form.pdf
- https://cdn.shopify.com/s/files/1/0434/5017/1554/files/bsc_magazine_october_2020_download_in_english.pdf
- https://cdn.shopify.com/s/files/1/0428/2066/5510/files/jipuzezote.pdf
- https://cdn.shopify.com/s/files/1/0431/7629/6614/files/free_style_trucking_inc_blue_island_il.pdf
- https://cdn.shopify.com/s/files/1/0430/6498/3703/files/tapedejanijadijupun.pdf
- https://cdn.shopify.com/s/files/1/0431/5168/7837/files/present_perfect_simple_exercises_with_answers.pdf
- https://cdn.shopify.com/s/files/1/0433/6074/7688/files/83798748377.pdf
- https://cdn.shopify.com/s/files/1/0450/5042/9598/files/circular_buffer_java.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000066ef.bin58793aae0590f374e72db96c95626a7cd9d1fe223feb4f391bdf966fae00d8d1 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x66EF | 5388 bytes |
font_01_sfnt_off00007948.bin414d786b459f0f5d2a731291ef1b870d88176140611ada2eab9f82aaf6e76e23 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7948 | 1940 bytes |
font_02_sfnt_off0000827e.bincc7c57ea7721a28a3a73888ea4a4153447c9bd41a9fb26e4e6798293b8df2794 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x827E | 10228 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.