Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e6f6dab0f27905a…

MALICIOUS

PDF

168.9 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-23
MD5: 5ddf08ffe3759f67ccd37f672d41e70d SHA-1: 872751eae65c2dce796ea8c7804ffa918e05a163 SHA-256: 3e6f6dab0f27905af6d9ecbb64ad3673a90dff9c483342f69e8dc933ff4a48d8
80 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Travel-support phone-number stuffing scam critical SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
🗂 Part of campaign: volaris.com 813 samples

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_007_off0001742a.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1742A 150336 bytes
SHA-256: b4672cb35e435ac98ff1f44434b91ec7c955c124c432db5faf7cc3523d756169
font_01_sfnt_off00023ae0.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x23AE0 13508 bytes
SHA-256: bd9e83287b0d68b69d51ade3b1a6d88c9d79616100fdc6bf8b94f35bdafefa18
font_02_sfnt_off00028992.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x28992 216848 bytes
SHA-256: 3e43c9b3416f569016c9788be86aa37e6d2e91f227742ff143a527e01b7e7368