Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f591a19946092ea…

MALICIOUS

PDF

40.5 KB Created: 2020-09-02 06:46:55 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a27994b4c27ba070f2957c6714922b9d SHA-1: 7767f2027b4daed15a01578a0f200056a28c445e SHA-256: 1f591a19946092ea23ca2ea98cf2212b2bd71b2a34eb31d68875748a1003590e
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains multiple embedded links, with one specifically identified as a malicious redirector. The document body, though partially corrupted, suggests a lure for an 'editable pajama party invitation template' and includes a call-to-action phrase, aligning with social engineering tactics. The primary malicious IOC is the redirector URL, which likely leads to further malicious content.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/pify?keyword=editable+pajama+party+invitation+template
    • https://static.usrfiles.com/ugd/f1780b_65d68df9ef8947ec88d0a531d177cdee.pdf
    • https://static.usrfiles.com/ugd/b910ae_b971349831094265b65331a46a341bce.pdf
    • https://static.usrfiles.com/ugd/097bd5_f1e2470e56e94d64b992dda4db4514c1.pdf
    • https://static.usrfiles.com/ugd/ea78e0_7b224b0afec543a2a4c672fd3a752395.pdf
    • https://static.usrfiles.com/ugd/b3bc21_ab2b6447c7c9439abac501168d846fef.pdf
    • https://cdn.shopify.com/s/files/1/0427/5548/9948/files/53466768679.pdf
    • https://cdn.shopify.com/s/files/1/0430/6426/2818/files/ruregizodagolokedaxem.pdf
    • https://static.usrfiles.com/ugd/a2c2bc_0696e9a217284dacb31631c5ad2bfd43.pdf
    • https://static.usrfiles.com/ugd/7198c1_9b19123747f74b48b2007393a434e88e.pdf
    • https://static.usrfiles.com/ugd/18122d_09599d389fd6452d89e79eee70c080c4.pdf
    • https://static.usrfiles.com/ugd/b8c837_7e1b23471f6f4d3e8f2d2802ff2bfa3d.pdf
    • https://static.usrfiles.com/ugd/0aab01_4e2a8e80c2e348b38094205d304113c5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000537f.bin
99f889ece4486135fdba2570c47ee277183c2ef68da00d5b9f0cd3f7d756cfd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x537F 5052 bytes
font_01_sfnt_off00006499.bin
207423f9a2c6ab10670705dcfed6d02c5a3867815e200e1d501c8258cc4dc00f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6499 10060 bytes
font_02_sfnt_off00008711.bin
cd94ef65598b1866d0653cdd88243d989fd81359c0e770c2d3a4858f1c2f6d34		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8711 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.