PDF static analysis report

Static analysis result for SHA-256 a560ee140e9bb06d…

SUSPICIOUS

PDF

Size: 69.3 KB
Created: 2018-06-11 08:26:16 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-09-24
MD5: 29b0a126c57529c3cf088666d7e86a49
SHA-1: c1e35479fdf3ffabbcf8791b2cb40234bd1f13d8
SHA-256: a560ee140e9bb06d9d483fe3189e84bf755e20f4a5b86689dbd251451647b2ec
Risk Score: 40

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3283

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm medium PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000c355.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC355 | 13968 bytes
  SHA-256: a84c6c64ee391736e42a1ac0f03251d8d098f28e55756beda5ce435120f1f952
font_01_sfnt_off0000ee01.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEE01 | 8792 bytes
  SHA-256: 7d9c4776125f7883ed06bf18f505d46ce022e5b63a0e5d6b164a8ef2d41543bb