PDF static analysis report

Static analysis result for SHA-256 95128c6e800d4362…

SUSPICIOUS

PDF

Size: 193.8 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-29
MD5: 4595e51dd1ab20f3e795397a6ec8ccc6
SHA-1: 1c5f2397c6f528821f598ec3fdcf76db516e2528
SHA-256: 95128c6e800d43622588e9dc1b923483a67f7cc5a09cd2ef22c74ab50d3cea3d
Risk Score: 40

Machine Learning

  • Nyx PDF Classifier clean score 0.0003

Heuristics 5

  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Urgency / deadline lure (severity: low, rule: SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://www.qatarairways.com/help (PDF link annotation)
    • https://www.qatarairways.com/manage-booking (in PDF document text)
    • https://www.qatarairways.com/help (in PDF document text)

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_020_off00024c1b.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x24C1B | 18240 bytes
  SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off00019746.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x19746 | 42628 bytes
  SHA-256: 62d58f157642a6d399fd5b2f9f36d1377b44bb9c9ee1ecd4061822108d7ff3e8
font_01_sfnt_off0001ed3f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1ED3F | 22064 bytes
  SHA-256: c9e5e90f05bf053a523d4b443bc912bb574a28270ed10165d76f477a4aa74b72
font_02_sfnt_off00027523.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27523 | 29092 bytes
  SHA-256: 287069d30a877ca9e109235a45f7627566091787a5a3a5aa3333bbb4f6887113
font_03_sfnt_off00027e68.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27E68 | 16828 bytes
  SHA-256: d7a4c0a0ed077103373388c2e2b000b923b5d3ad342f6d9461ea5165007cb309
font_04_sfnt_off0002a96a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2A96A | 18004 bytes
  SHA-256: f2532e9c50371f9cf6b00c8fb4ecb833a3714c2a70af5c981c46d8649ba9913d
font_05_sfnt_off0002d369.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D369 | 15416 bytes
  SHA-256: ef166f8d80a49afd2b4a65ef1521dcba6a1f1c82d2d39a1c0fc5fab70d771e89