PDF static analysis report

Static analysis result for SHA-256 6f7fb2b5fd6b3a45…

SUSPICIOUS

PDF

Size: 64.7 KB
Created: 2016-12-26 17:44:34 +08:00
First seen: 2018-10-07
MD5: cb833e967ec8bf31ed76f4463d5782f0
SHA-1: da5ad336c00122626c41c9ac7b756ca447a962be
SHA-256: 6f7fb2b5fd6b3a454149f23abc298936970e316c510be53f6aeeaa18092f9dff
Risk Score: 32

Machine Learning

  • Nyx PDF Classifier clean score 0.0355

Heuristics 2

  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium, rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_003_off00005f61.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5F61 | 19856 bytes
  SHA-256: a930245e90be17a336a7679d31e9d416ddec66c65020bec75b59b2e2bfc19120
font_01_sfnt_off000094f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x94F3 | 19964 bytes
  SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
font_02_sfnt_off0000caac.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xCAAC | 20828 bytes
  SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1