PDF static analysis report

Static analysis result for SHA-256 836c18f7e1117e1b…

SUSPICIOUS

PDF

Size: 63.8 KB
Created: 2016-12-27 04:21:53 +08:00
First seen: 2018-10-07
MD5: 17e759f9b10020be91531554a17b7bbe
SHA-1: f6ee32dda942d0295b9026d488db18e63e31dfa0
SHA-256: 836c18f7e1117e1b7086f18344ea3989d74aa095c5406ca8bb510f4403d89b12
Risk Score: 34

Machine Learning

  • Nyx PDF Classifier clean score 0.0355

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium, rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • stream_003_off00005bdd.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x5BDD
    Size: 19780 bytes
    SHA-256: 4fa1e1f62893db1504b694ba157ca733dbc9a64fe6775bec7c5c9e8d41f3a745
  • font_01_sfnt_off00009131.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9131
    Size: 19964 bytes
    SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
  • font_02_sfnt_off0000c6ea.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC6EA
    Size: 20828 bytes
    SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1