PDF static analysis report

Static analysis result for SHA-256 e22df2dcd561bb00…

SUSPICIOUS

PDF

Size: 58.9 KB
Created: 2018-06-11 09:48:54 -04:00
Authoring application: wkhtmltopdf 0.12.4 (via Qt 4.8.7)
First seen: 2020-08-25

MD5: ffccc8ef4bb653100f5e6163b4bad0ba
SHA-1: 476655384660dda3ef91d4cfc7902c8b7d05c157
SHA-256: e22df2dcd561bb007071d7802ea61e59dc69053ac5025c83eb7032b4c2d0d302

Risk score: 40

Machine Learning

  • Nyx PDF Classifier clean score 0.0469

Heuristics (3)

  • PDF carries a PHP-gateway SEO-spam PDF link farm (medium) PDF_SEO_PHP_GATEWAY_LINK_FARM
    PDF contains four or more clickable links whose target is a `.php` gateway with a multi-word search-phrase document slug embedded after it (e.g. 'index.php?.../binary+options+trading+nz.pdf' or 'pdf.php/cialis-dosage-side-effects.pdf'). Legitimate PHP-served documents use a filename or numeric id, not a search-query phrase, so this is the generated SEO link-farm shape: pharma / binary-options / 'free download' spam that ranks for queries and routes users into payload/redirect chains. The PDF itself carries no exploit; the risk is the linked destinations.
  • Visual download / call-to-action button lure (low) SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000963b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x963B
    Size: 14464 bytes
    SHA-256: b9015b902010279bc3a573f2588efc34448d944897e0b278f801ac084a87014a
  • font_01_sfnt_off0000c289.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC289
    Size: 9764 bytes
    SHA-256: 33cd52e9d0347d83e9698f20d77d4212e665a0156467e8ec55cc5a2e5750b7da