MALICIOUS
240
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains multiple heuristics indicating malicious intent, including a critical finding for a malicious redirector link and a link farm. The document body, though heavily obfuscated, contains text related to 'Ansible modules pdf' and 'wkhtmltopdf', suggesting a lure. The primary malicious IOC is the redirector URL, which likely leads to further stages of an attack. The ClamAV detection further supports the malicious classification.
Heuristics 5
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Recovery secret / private key request critical SE_SECRET_RECOVERY_LUREDocument requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
-
ClamAV: Pdf.Dropper.Agent-9108665-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-9108665-0
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=ansible+modules+pdf
- http://files.bamboolearners.com/uploads/1/3/1/6/131606256/b9d05f0b185252.pdf
- http://files.beechstreetcenter.org/uploads/1/3/0/7/130739311/570884.pdf
- http://files.katianailedit.com/uploads/1/3/0/7/130775265/180496b.pdf
- https://cdn.shopify.com/s/files/1/0434/7569/7830/files/dekebutumewi.pdf
- https://cdn.shopify.com/s/files/1/0427/9900/5863/files/fesisejuwopuduwikokux.pdf
- https://cdn.shopify.com/s/files/1/0433/8581/5205/files/tidotizukevamikezoki.pdf
- https://cdn.shopify.com/s/files/1/0428/1437/4047/files/12537544165.pdf
- https://lipodixo.files.wordpress.com/2020/06/24019774272.pdf
- https://kajulak.files.wordpress.com/2020/07/magimepitabaso.pdf
- https://banakaximox.files.wordpress.com/2020/06/gezuketepazabasafolinifi.pdf
- https://roxigisap.files.wordpress.com/2020/07/nivokefoxabozesuruf.pdf
- https://babibased.files.wordpress.com/2020/07/79624036049.pdf
- https://cdn.shopify.com/s/files/1/0427/5198/3772/files/70374869602.pdf
- https://cdn.shopify.com/s/files/1/0433/6871/0309/files/nolagujabokejusoxa.pdf
- https://cdn.shopify.com/s/files/1/0436/9462/0837/files/dabupan.pdf
- https://cdn.shopify.com/s/files/1/0429/6006/0567/files/210599405.pdf
- https://cdn.shopify.com/s/files/1/0435/8438/9275/files/37813525432.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/26965864763.pdf
- https://cdn.shopify.com/s/files/1/0434/2205/6600/files/24599843263.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off0001ac04.bin134c98d7b3f5b1983e5908fb3c297fc1189e46cf6c5ac58678d4e8f3df6f1fc0 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1AC04 | 4812 bytes |
font_01_sfnt_off0001bc36.bin9ebcb266fb112fbdc1573b26faea96b8104c7b2e42da2b4decb469015b323270 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1BC36 | 15204 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.