Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ffdd171917c7e9d…

MALICIOUS

PDF

172.3 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-19
MD5: 3c6cd52c5eb1b67514a670182dec14ee SHA-1: 699b19e1b1117c8f913a9cd9b0e04944b60e04d1 SHA-256: 2ffdd171917c7e9da3b59b83c2c7e7a8789a5a1cf0f990287a801a55348d0552
80 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Travel-support phone-number stuffing scam critical SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
🗂 Part of campaign: volaris.com 813 samples

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_011_off0001e034.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1E034 148472 bytes
SHA-256: dda1d45001f13374fdd0a83bb255ce773da09db1919fde2169940c6976e38ff8
font_01_sfnt_off000266c1.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x266C1 182156 bytes
SHA-256: b802a535aae92ef7a1c145789ae72d65fd9f1e1633674fd39ad996d2c862a831