PDF static analysis report

Static analysis result for SHA-256 9dd2cf00e433804a…

SUSPICIOUS

PDF

Size: 64.1 KB
Created: 2016-12-27 03:15:19 +08:00
First seen: 2018-10-07
MD5: 6909f6b731468b60d33942d9183e5d7e
SHA-1: 4b3031b08f0da20d3f1a612b773844cd469fd0ca
SHA-256: 9dd2cf00e433804a12bf424b7c0c165a36e7cf150771547aea19315fb6d60a41
Risk Score: 34

Machine Learning

  • Nyx PDF Classifier clean score 0.0588

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm (medium, PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_003_off00005d2f.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x5D2F | 19856 bytes | a930245e90be17a336a7679d31e9d416ddec66c65020bec75b59b2e2bfc19120 |
| font_01_sfnt_off000092c1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x92C1 | 19964 bytes | 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8 |
| font_02_sfnt_off0000c87a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC87A | 20828 bytes | 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1 |