PDF static analysis report

Static analysis result for SHA-256 c09907f1c827797b…

SUSPICIOUS

PDF

Size: 85.0 KB
Created: 2016-12-26 17:22:17 +08:00
First seen: 2018-10-07
MD5: d9e36b5644a47b8412e4086fe7bbf17f
SHA-1: e4b7fcc5e66b8a6439ab53da972272035dc6c40c
SHA-256: c09907f1c827797b8e1eafe8ce58ff63532691eb190a21715485c853df0adc74
Risk Score: 34

Machine Learning

  • Nyx PDF Classifier clean score 0.0405

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium, rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • stream_004_off0000ad31.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xAD31
    Size: 19900 bytes
    SHA-256: c9a280c2516af2a074fe63591327050a06e7ce6f96f53a6282edf9205d088f9c
  • font_01_sfnt_off0000e2e4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE2E4
    Size: 19964 bytes
    SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
  • font_02_sfnt_off000118a3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x118A3
    Size: 20828 bytes
    SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1