Malicious PDF — malware analysis report

Static analysis result for SHA-256 4be4c2d08db2b944…

MALICIOUS

PDF

242.1 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-19
MD5: 3a3656c30da08982741c8af70d44f06f SHA-1: a5ac8527102b50b9acf144f110d4dd9165a4b01f SHA-256: 4be4c2d08db2b9444a8343af6df2cbdeeb3416da77b17364905581fac721341f
80 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Travel-support phone-number stuffing scam critical SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
🗂 Part of campaign: volaris.com 813 samples

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_012_off0002b2dc.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2B2DC 151768 bytes
SHA-256: f4dd8cd091dd6a94d21a6dd777f5beeea2d45d8879c5f976d49069c0f6816bdc
font_00_sfnt_off0002a3c2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x2A3C2 217464 bytes
SHA-256: b6e617a5a56614b039ce9242aa114e09abd15053c0bd1116a3d51fb8161d4a24