MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF document contains a significant number of embedded links, many pointing to Shopify domains, but one critical link redirects to a known malicious domain, ttraff.ru. This suggests a link farm or SEO poisoning tactic to lure victims. The document body, though heavily obfuscated, contains the search query 'bubble sort c pdf' and the malicious URL, indicating a social engineering attempt to trick users into clicking the link. No scripts were extracted, but the presence of numerous links and the malicious redirector strongly suggests a phishing or redirection attack.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/pify?keyword=bubble+sort+c+pdf
- http://files.gktfreechurch.com/uploads/1/3/0/7/130776401/rarireletasexi.pdf
- http://files.thebetterbrasspipe.com/uploads/1/3/2/7/132740218/daf3e1d8396c143.pdf
- http://files.rockfieldpc.com/uploads/1/3/1/4/131454216/moziturovi_wotaribezijezoj_monep.pdf
- http://files.southkravmaga.co.uk/uploads/1/3/2/6/132682990/7489f89.pdf
- https://cdn.shopify.com/s/files/1/0433/4895/1194/files/the_mistress_manual.pdf
- https://cdn.shopify.com/s/files/1/0431/0990/8642/files/tifojatejalenorafizudube.pdf
- https://cdn.shopify.com/s/files/1/0436/0696/6429/files/81305291818.pdf
- https://cdn.shopify.com/s/files/1/0428/7427/3948/files/myself_essay_in_french.pdf
- https://cdn.shopify.com/s/files/1/0431/7878/6965/files/reviruwonero.pdf
- https://cdn.shopify.com/s/files/1/0432/9986/4734/files/42076146936.pdf
- https://cdn.shopify.com/s/files/1/0433/0687/7080/files/17524121831.pdf
- https://cdn.shopify.com/s/files/1/0432/7063/5678/files/gebelisuruwa.pdf
- https://cdn.shopify.com/s/files/1/0438/7618/8315/files/javascript_zero_pad.pdf
- https://cdn.shopify.com/s/files/1/0448/9006/3003/files/dubai_map_hd.pdf
- https://cdn.shopify.com/s/files/1/0434/1065/3338/files/54660806232.pdf
- https://cdn.shopify.com/s/files/1/0429/7159/4911/files/70624994269.pdf
- https://cdn.shopify.com/s/files/1/0437/6294/2101/files/zezatidesa.pdf
- https://cdn.shopify.com/s/files/1/0438/9906/0392/files/cours_analyse_2_smpc.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0000653e.bin048b04c1bfffabd8a595eb4eb18e8b6a65cb2437d6fa6852587a0dcc05aed7e2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x653E | 5128 bytes |
font_01_sfnt_off000076ba.binc2d0008c484d022d5f1b56adaa50e0ef2a77a7f8437c28612a27d675a87aaae2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x76BA | 16712 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.