PDF static analysis report

Static analysis result for SHA-256 8e029721c04333e2…

SUSPICIOUS

PDF

Size: 70.0 KB
Created: 2016-12-27 03:38:38 +08:00
First seen: 2018-10-07
MD5: fb6cb07f8528e598fed2d3537ae396fe
SHA-1: 953960194af4556c80d40cb05fe31a3a358d6124
SHA-256: 8e029721c04333e2c33b3a3527dcbdcadeffea0272063b44098f06f5a38d48ca
Risk Score: 34

Machine Learning

  • Nyx PDF Classifier clean score 0.0374

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium; rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_003_off00007396.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x7396 | 19984 bytes | 7c9b833562f8a340856ba477450e53eb3a384ca9e0dc32cd01be4740f4b5e909 |
| font_01_sfnt_off0000a984.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA984 | 19964 bytes | 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8 |
| font_02_sfnt_off0000df3d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDF3D | 20828 bytes | 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1 |