PDF static analysis report

Static analysis result for SHA-256 26bb618e1fdb5a49…

SUSPICIOUS

PDF

215.6 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-29
MD5: aae713a88d36f5b94c55b439a3b234ef SHA-1: ee76cee5cb2ad72953593f8cc6c4019c86eea525 SHA-256: 26bb618e1fdb5a4931a9e4f2cac64316d1d9f6d7dff82fd705215f1c74d3973f
40 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0002

Heuristics 5

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://www.qatarairways.com/manage-booking PDF link annotation
    • https://www.qatarairways.com/helpIn PDF document text
    • https://www.qatarairways.com/help���In PDF document text

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_020_off00025ad7.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x25AD7 18240 bytes
SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off0001a344.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1A344 43712 bytes
SHA-256: 791b0c450eb4a8f1b610c189e1d868a07020d43504c092978c2206f380c61e80
font_01_sfnt_off0001fbfb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1FBFB 22064 bytes
SHA-256: c9e5e90f05bf053a523d4b443bc912bb574a28270ed10165d76f477a4aa74b72
font_02_sfnt_off00026edf.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x26EDF 14840 bytes
SHA-256: 44b60cd8a8a629abddc193dff024136306c3bcd07944eeaeec0c858729228bb1
font_03_sfnt_off00029469.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x29469 15416 bytes
SHA-256: ef166f8d80a49afd2b4a65ef1521dcba6a1f1c82d2d39a1c0fc5fab70d771e89
font_04_sfnt_off0002caa6.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2CAA6 29092 bytes
SHA-256: 287069d30a877ca9e109235a45f7627566091787a5a3a5aa3333bbb4f6887113
font_05_sfnt_off0002d3ed.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2D3ED 28404 bytes
SHA-256: 02a8e091f2d690e306f21b3b5b691301ea8d1f6090dacb10baa762b2b15651f8
font_06_sfnt_off00032062.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x32062 16828 bytes
SHA-256: d7a4c0a0ed077103373388c2e2b000b923b5d3ad342f6d9461ea5165007cb309