Malicious PDF — malware analysis report

Static analysis result for SHA-256 eac02246af588187…

MALICIOUS

PDF

41.7 KB Created: 2020-08-31 16:13:13 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 353f2af8a0e80e8d69d4c3d8fc6f22db SHA-1: e199529094a330daf4609bc0abefbec0171bcfcd SHA-256: eac02246af5881878f2fe471d2a81fc33215c6130c36355fa96327d164316ad2
128 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.001 Malicious Link T1059.001 PowerShell

The PDF document contains a significant number of embedded links, many pointing to Shopify domains, forming a link farm. One prominent link, 'https://ttraff.ru/wix?keyword=army+hipaa+training+pretest+answers', is identified as a malicious redirector. The document body, though heavily obfuscated, contains this same URL and a reference to 'Army HIPAA training pretest answers', suggesting a lure to trick users into clicking the malicious link. The presence of a visual download button further supports a deceptive workflow.

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.ru/wix?keyword=army+hipaa+training+pretest+answers
    • https://cdn.shopify.com/s/files/1/0431/6522/1028/files/rafuxelog.pdf
    • https://cdn.shopify.com/s/files/1/0436/9599/7096/files/datemedajemefozevasofeg.pdf
    • https://cdn.shopify.com/s/files/1/0435/2193/3466/files/papulagorinewugijax.pdf
    • https://static.usrfiles.com/ugd/b8c837_a69288762fdd4d4e88a891d3cd457972.pdf
    • https://static.usrfiles.com/ugd/739437_19d1334d57ba4552abef5b0f0caeee11.pdf
    • https://static.usrfiles.com/ugd/7f16bd_de4048a8ca8b4f5fb7ad02884558934b.pdf
    • https://static.usrfiles.com/ugd/837d34_38ea567f90464a1b89a20421fd41e67c.pdf
    • https://static.usrfiles.com/ugd/b8c837_17843f1b74f547aab2b79d085ca6893f.pdf
    • https://cdn.shopify.com/s/files/1/0433/5229/3541/files/rogowusulo.pdf
    • https://cdn.shopify.com/s/files/1/0429/3384/6175/files/lord_of_the_ring_torrent.pdf
    • https://cdn.shopify.com/s/files/1/0429/5937/2439/files/22124935027.pdf
    • https://cdn.shopify.com/s/files/1/0438/9843/7784/files/ai_no_katachi_ecchi_na_onnanoko_wa_kirai._desu_ka.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063d0.bin
e2427d66016e969b81d9385adc107d06aa20e5dacb6628cb748c1a95d850dac8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63D0 5384 bytes
font_01_sfnt_off0000760b.bin
45188f2551b59ea5a86c207d30a9784f48a930e25b7648887f4a68592d7d30ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x760B 10704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.