Malicious PDF — malware analysis report

Static analysis result for SHA-256 b63f3d00b172f737…

MALICIOUS

PDF

Size: 238.1 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: a3a3a2d10dd7240ee96d2832d920a9d7
SHA-1: 8b5515ed4e7ed1d8430104637a674d8256d43df3
SHA-256: b63f3d00b172f7379b0c506c31a2984074cefc0504221aa149d60a10df0f5fb4
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was flagged for containing a high volume of phone numbers, consistent with a travel support or callback phishing scam. The document body is heavily obfuscated and does not provide clear textual content, but the heuristic firings strongly indicate a scamming attempt. No scripts or URLs were extracted to provide further IOCs or technical details.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam [critical] SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • stream_017_off0001e46a.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1E46A
    Size: 150220 bytes
    SHA-256: 8a6dd98c6dfbcf34d273e2c42e491956c6a4e09c36fa6d1d259e570bef50be12
  • stream_024_off00029b9b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x29B9B
    Size: 18240 bytes
    SHA-256: ab5f571bf0cd18a495d3ad2095b48edc8a90a4ff34d2cb5d46c82eaa51a75def
  • stream_028_off0002bb17.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2BB17
    Size: 18240 bytes
    SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
  • font_00_sfnt_off00019e05.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x19E05
    Size: 217772 bytes
    SHA-256: edcc98f29131e959b1b90c7080b414e4dcf42041a1949dd807ba0883d8ed9f9b
  • font_02_sfnt_off00034324.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x34324
    Size: 50208 bytes
    SHA-256: 305bf8c7a76ca05575d24c7c0fa3c8ce32844576d3cdaa976f680868b869fef6
  • font_03_sfnt_off0003528c.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3528C
    Size: 50400 bytes
    SHA-256: 3933f0a171d2e1d52238afd1697f635a25c78debe3762eae68e9de3aebda16b8