PDF static analysis report

Static analysis result for SHA-256 9fc2d0a0842eb1eb…

SUSPICIOUS

PDF

112.2 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-27
MD5: 6a25ee730f5aace90500ad2d710f6d84 SHA-1: 1386436a26af709221538290bb4293ace5090c24 SHA-256: 9fc2d0a0842eb1eb0e07187471003139808f5e43072b5b884dff4fbf0bb6a9d7
28 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00012658.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x12658 39332 bytes
SHA-256: aba1c3c8db2865430d7e73ba680097c74d16fd2fe5c4d88e01ca3e778a08f3ad
font_01_sfnt_off00018e68.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x18E68 12104 bytes
SHA-256: 883364879ae20622a8b3200a2459700638e5f0c62bda57e83de43d2f0488aba1
font_02_sfnt_off0001ab4e.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1AB4E 182536 bytes
SHA-256: 330cbeb54f9ef5f334bf9aa3eb3f09afab61ff7ccf19d75a0900c31fdcf9752c