Malicious PDF — malware analysis report

Static analysis result for SHA-256 976f96e58e4e0583…

MALICIOUS

PDF

42.4 KB Created: 2020-09-07 06:10:25 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 910c3b343c2b2f92aeb789a876a75887 SHA-1: 707272a10c903a50e8f40f5ad5247ff4548e95a9 SHA-256: 976f96e58e4e0583a4a6700913d248fb6740fe93c77e87234efade27e2ea41da
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a link farm and a critical heuristic firing for a malicious redirector. The document body, though partially corrupted, contains text related to 'dsssb ldc answer key' and the malicious URL 'https://ttraff.link/wix?keyword=dsssb+ldc+answer+key'. This suggests a social engineering lure to direct users to a potentially harmful site. No scripts were extracted from this sample.

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.link/wix?keyword=dsssb+ldc+answer+key
    • https://static.usrfiles.com/ugd/defcb2_026262e7f23a471d9c5d04ae60784349.pdf
    • https://static.usrfiles.com/ugd/4c1554_a60b7eb09b5246f8ac6bbefba3a7d956.pdf
    • https://static.usrfiles.com/ugd/b8c837_5c1f2cc44e1941a7b05bf5c0715eae8f.pdf
    • https://static.usrfiles.com/ugd/e4ee87_e66762b61b994f8abdf3093ee55b41f5.pdf
    • https://static.usrfiles.com/ugd/85c99c_18770bfcf59447fbac38f37b3bc0a762.pdf
    • https://static.usrfiles.com/ugd/98d639_19e2c21222334a4bb919d1ed68d51e5c.pdf
    • https://static.usrfiles.com/ugd/b3bc21_fc1ee1c5708246a6a60e376db8b9ce27.pdf
    • https://static.usrfiles.com/ugd/b8c837_1222179c8d6948a5a40eb6c91c9f5962.pdf
    • https://cdn.shopify.com/s/files/1/0437/9613/6097/files/73512864502.pdf
    • https://cdn.shopify.com/s/files/1/0431/5525/9560/files/50918149070.pdf
    • https://cdn.shopify.com/s/files/1/0435/7816/3363/files/ssrs_cdate_format.pdf
    • https://cdn.shopify.com/s/files/1/0431/6217/3602/files/nejukapona.pdf
    • https://cdn.shopify.com/s/files/1/0457/0352/8604/files/copy_reading_exercises_journalism_with_answers.pdf
    • https://cdn.shopify.com/s/files/1/0431/9654/7230/files/78657022050.pdf
    • https://cdn.shopify.com/s/files/1/0433/9276/2017/files/7691594306.pdf
    • https://cdn.shopify.com/s/files/1/0436/3576/9497/files/sad_meme_music.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006547.bin
10a4632bf1298b4b00f115a59e1dcd082c905d7cb9d28bf74d3cb13ff66136bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6547 5332 bytes
font_01_sfnt_off00007792.bin
e7fcd551e2db6c428468321f6e4f4f49035ab54126d1cfeaa6ac780622c8df8b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7792 10636 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.