Malicious PDF — malware analysis report

Static analysis result for SHA-256 abe13f5b8cecad7e…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Authoring application: GIMP
MD5: 5e8378b7f7838f30d217f1d1b56e1808
SHA-1: 978cdd40153fef9add7cf6d4262d69741e829e92
SHA-256: abe13f5b8cecad7ed4469c58c8de80049ef86e891704a58bf422235acb3336c2
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

ClamAV detected the PDF as malicious with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis also found an unusually large number of clickable external links for a file of only 40.3 KB, a pattern typical of generated SEO/link-farm PDFs that route readers to phishing or unwanted-software delivery pages rather than of a document citing sources; the PDF_SEO_LINK_FARM heuristic flags exactly this behaviour. The extracted targets (talaldaoud.com and the other hosts listed below) are nearly all .pdf files under the same /uploads/1/3/0/<n>/<10 digits>/ path template, which points to one generated campaign spread across many domains. Treat the URLs as indicators to block or hunt for; this is a static result, so the linked content was not fetched and is not confirmed live.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://talaldaoud.com/uploads/1/3/0/8/130873730/1746547.pdf
    • http://rnytee.com/uploads/1/3/0/9/130968931/7191832.pdf
    • http://ngsprephoops.com/uploads/1/3/0/5/130550704/safufabug.pdf
    • http://www.archiveauto.us/uploads/1/3/0/5/130539107/7624722.pdf
    • http://mikelatt.com/uploads/1/3/0/3/130379243/mivekosutekuzumutaf.pdf
    • http://yourakashicrecord.com/uploads/1/3/0/6/130605229/ladosudemewopur-morakiridaxa-pasagopijuk-jafemetaxo.pdf
    • http://nicksportsmassagetherapy.com/uploads/1/3/0/5/130546283/putezifiduwim-rilexuvanixesal-kapimo.pdf
    • http://miguelsanomovie.com/uploads/1/3/0/5/130548070/0f68c7a4.pdf
    • http://madeformediamarketing.com/uploads/1/3/0/6/130621303/27778b8f8.pdf
    • http://appartementverhuur.com/uploads/1/3/0/8/130874165/49bec7.pdf
    • http://shopbombbomb.com/uploads/1/3/0/7/130739333/c6189be15a4280.pdf
    • http://solargenius.com.au/uploads/1/3/0/6/130640102/xelem.pdf
    • http://gamesleeves.com/uploads/1/3/0/6/130604798/tokofivenub.pdf
    • http://centralvalleybaptistcascade.com/uploads/1/3/0/7/130740128/de810c825c5b.pdf
    • http://holygifting.com/uploads/1/3/0/5/130543057/2170765.pdf
    • http://www.troypriest.com/uploads/1/3/0/3/130313671/nonesogazoja.pdf
    • http://delipure.nl/uploads/1/3/0/8/130873880/2ffcfe.pdf
    • http://sdsuoxford.com/uploads/1/3/0/3/130323449/futubagimexozokadaro.pdf
    • http://engagedencounterutah.org/uploads/1/3/0/3/130312929/6752786.pdf
    • http://www.truthinfoundations.com/uploads/1/3/0/6/130621951/giwasapelipusodame.pdf
    • http://shikuangzuqiu2013buding.br3h.com/uploads/1/3/0/2/130272353/130272353.html#adeste+fideles+organo+partitura
    • http://sdsuoxford.c
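The following script is an added example, not code from the report or from the analysis tool that produced it. It reproduces the core of the PDF_SEO_LINK_FARM logic end to end: it builds a small constructed PDF whose page carries one /Link annotation per URL, extracts the /URI targets from the raw bytes (the "link annotation" channel), and scores the file on size, link count and clustering. The thresholds (at most 256 KB, at least 10 external links, at least half on one host) are assumptions, not the tool's real values, and the hosts a.example, b.example, c.example and d.example are placeholders. The path-template clustering goes beyond the text: it generalises the /uploads/N/N/N/N/NNNNNNNNNN/ pattern visible in the URL list above so that a farm spread across many domains still clusters.

```python
import re
from collections import Counter
from urllib.parse import urlsplit


def build_sample_pdf(uris):
    """Build a minimal PDF (constructed test input, not the analysed sample)
    whose single page carries one clickable /Link annotation per URI."""
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(uris)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
         f"/Annots [{annot_refs}] >>").encode(),
    ]
    for i, uri in enumerate(uris):
        y = 10 * i
        objs.append((f"<< /Type /Annot /Subtype /Link /Rect [10 {y} 190 {y + 8}] "
                     f"/A << /S /URI /URI ({uri}) >> >>").encode())
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


# /URI values appear as PDF literal strings "(...)" (with \( \) \\ escapes)
# or as hex strings "<...>"; both forms are handled.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_link_uris(pdf_bytes):
    """Return the /URI targets of link annotations (the 'link annotation' channel).
    Caveat: this scans raw bytes, so it only sees uncompressed objects; links
    inside FlateDecode object streams need a real parser (pypdf, pdfminer)."""
    uris = []
    for m in URI_LITERAL_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo string escapes
        uris.append(raw.decode("latin-1"))
    for m in URI_HEX_RE.finditer(pdf_bytes):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:
            hexdigits += b"0"  # PDF pads an odd trailing hex digit with 0
        uris.append(bytes.fromhex(hexdigits.decode()).decode("latin-1"))
    return uris


def path_template(path):
    """Collapse a URL path to a template: digit runs become N, last segment *.
    /uploads/1/3/0/5/130546283/x.pdf -> /uploads/N/N/N/N/N/*"""
    parts = path.split("/")
    parts[-1] = "*"
    return re.sub(r"\d+", "N", "/".join(parts))


def seo_link_farm_check(pdf_bytes, min_links=10, max_size=256 * 1024, cluster_ratio=0.5):
    """Assumed thresholds (not the report tool's): flag a PDF of at most
    max_size bytes with at least min_links external http(s) links when at
    least cluster_ratio of them share one host or one path template."""
    external = [u for u in extract_link_uris(pdf_bytes)
                if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(urlsplit(u).path) for u in external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    n = len(external)
    clustered = n > 0 and max(top_host_n, top_tpl_n) / n >= cluster_ratio
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "top_host": top_host,
        "top_host_links": top_host_n,
        "top_path_template": top_tpl,
        "top_path_template_links": top_tpl_n,
        "flagged": len(pdf_bytes) <= max_size and n >= min_links and clustered,
    }


if __name__ == "__main__":
    # Constructed link set mimicking the report: .pdf targets, one shared
    # path template, most on a single host. Hosts are placeholders.
    sample = ([f"http://a.example/uploads/1/3/0/5/13054628{i}/doc{i}.pdf" for i in range(9)]
              + [f"http://{h}.example/uploads/1/3/0/6/13062120{j}/x.pdf"
                 for j, h in enumerate("bcd")])
    for key, value in seo_link_farm_check(build_sample_pdf(sample)).items():
        print(f"{key}: {value}")
```

Run it against a real sample with `seo_link_farm_check(open(path, "rb").read())`; if it reports zero links for a file the report says is full of them, the annotations are inside compressed object streams and the byte scan above is not enough.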

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off00002e52.bin
  SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2E52
  Size: 2652 bytes

font_01_sfnt_off00003ade.bin
  SHA-256: d95cbd9b53608364d43f5de502eaa35dd0e170ecf15d44c2b39bea319d9e56fa
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3ADE
  Size: 9940 bytes