PDF static analysis report

Static analysis result for SHA-256 cb633a580e11a6e7…

SUSPICIOUS

PDF

Size: 87.5 KB
Created: 2016-12-26 17:26:45 +08:00
First seen: 2018-10-07
MD5: 8fd07e4d91284160d4a7a6a173997c55
SHA-1: 19d6db21bdb54fad4b6668eb070109be45b426ae
SHA-256: cb633a580e11a6e7ff8625f0321e996ef3c08c4091b4682c1fb74d9fd0e10b9f
Risk Score: 34

Machine Learning

  • Nyx PDF Classifier clean score 0.0313

Heuristics 3

  • PDF carries a PHP-gateway SEO-spam PDF link farm (severity: medium; rule: PDF_SEO_PHP_GATEWAY_LINK_FARM)
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-PHRASE document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape — pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit — the risk is the linked destinations.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_005_off0000b67e.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB67E | 20048 bytes
  SHA-256: fdc70db8dd36086f0764aad8a3704ef2c32ea1f136ae29de92bc888025951805
font_01_sfnt_off0000eca6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xECA6 | 19964 bytes
  SHA-256: 5154a7c8cf7a9b55c2f939ad6a4a8f8327cd6552b9f68a87c49d10dfc747eaa8
font_02_sfnt_off00012269.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12269 | 20828 bytes
  SHA-256: 66ee5a421be874c2bf64758e212dcdc74f7e5fbd5b562db26553446e87a084f1