PDF malware analysis — malicious · ce35d07dae969f10

MALICIOUS

PDF

44.4 KB Created: 2020-08-09 06:54:19 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 8afe22df6cc3976f7be425968f86dfad SHA-1: d4be47b4ca86b6449f8d4ad79ad3869a8c3a86e5 SHA-256: ce35d07dae969f10eb1825adf6a0dfc9550505d9d8e70b78da9b471fd4628eb5

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a mass external link farm, with a critical heuristic firing indicating a link to known malicious redirector infrastructure. The primary malicious URL identified is https://ttraff.com/pify?keyword=cengage+maths+jee+mains+pdf. This suggests the document is designed to redirect users to malicious content, likely for phishing or malware distribution. No scripts were extracted, limiting the analysis of direct execution capabilities.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=cengage+maths+jee+mains+pdf
- http://jowureru.signcentraltn.com/uploads/1/3/0/7/130775320/worojanugufi_misewiji.pdf
- http://files.transformurlifetoday.com/uploads/1/3/0/7/130776273/jasinivutij_pirebijazov_nejojoji.pdf
- http://files.acekitchensandwardrobes.com.au/uploads/1/3/2/6/132695546/2734105.pdf
- https://cdn.shopify.com/s/files/1/0434/5636/4709/files/94661086986.pdf
- https://cdn.shopify.com/s/files/1/0436/9114/7417/files/wokepidesur.pdf
- https://cdn.shopify.com/s/files/1/0430/0632/8995/files/pigakukiwofitoloreraven.pdf
- https://cdn.shopify.com/s/files/1/0440/4733/5574/files/1993_ford_taurus_sho.pdf
- https://cdn.shopify.com/s/files/1/0441/3744/7576/files/vista_recovery_disks.pdf
- https://cdn.shopify.com/s/files/1/0433/2571/8678/files/file_b_kha_khng_cho_in.pdf
- https://cdn.shopify.com/s/files/1/0434/7943/3382/files/56199472766.pdf
- https://cdn.shopify.com/s/files/1/0428/7430/6719/files/59069258708.pdf
- https://cdn.shopify.com/s/files/1/0433/0163/4213/files/91146662661.pdf
- https://cdn.shopify.com/s/files/1/0434/2136/8482/files/luwelanokanuzip.pdf
- https://cdn.shopify.com/s/files/1/0431/5552/1687/files/99051116203.pdf
- https://cdn.shopify.com/s/files/1/0429/7513/3859/files/zukazuzasu.pdf
- https://cdn.shopify.com/s/files/1/0428/7243/8947/files/bukuji.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://cdn.shopify.com/s/f

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006427.bin` `660605990a98bfb249e2ce0635716632c99cdc0f5b9248bdfaa933e5626a4e0b`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6427	5308 bytes
`font_01_sfnt_off00007611.bin` `21a7146106e2ad29a4dcc6aa55cee169416400570e2b3d493b6d071cb256f2f3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7611	1936 bytes
`font_02_sfnt_off00007f53.bin` `7239c1727c0d52f6cd5938a8e7fdc3c43e33a639d90c913211966d2c7ddf5ed5`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7F53	10800 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.