Malicious PDF — malware analysis report

Static analysis result for SHA-256 50ebde5a88ce69c3…

MALICIOUS

PDF

Size: 333.1 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-06-10
MD5: dfbc98b3fb351a0a6ece71c8161885a7
SHA-1: 7d39e6917101aedcab0b126a2c8686345c7e41f2
SHA-256: 50ebde5a88ce69c31be3b792184226df2deea971b0e17767d0a158e197611810
Risk Score: 60

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics (2)

  • Payment redirection / bank-detail change lure (severity: high, rule: SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_014_off00035971.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x35971
    Size: 51920 bytes
    SHA-256: a10ef224a979f4f41fe74834ea7a408ea57231e7b2390a1e3554ff288dc15a28
  • font_01_sfnt_off0004932a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4932A
    Size: 49480 bytes
    SHA-256: ee418754ea01a7f8b9cf06dfbc29fcd6430a2df7d822082757db71e80016158a
  • font_02_sfnt_off00050ff3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x50FF3
    Size: 183476 bytes
    SHA-256: 6719ec3c87bb55f0ea34138035671faf01afebc55f9394e2b93ef4fc24291ee0