Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdc94aab043c24c0…

Verdict: MALICIOUS
File type: PDF
Size: 253.7 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: f7f5d9efad40954a23a2feb2d5382f96
SHA-1: ac540ff087e45ee5c19d282d36804f7e712354a8
SHA-256: bdc94aab043c24c05aa773e416fc32dc2270a64c7adf29f3ddeae0bff61a7e21
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample triggered two heuristics, a travel-support phone scam and a general callback lure, which together indicate a social-engineering attempt. The document body was heavily obfuscated and truncated, which prevented deeper analysis of its content and of any embedded scripts. No other IOCs were extracted.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam (severity: critical, rule: SE_TRAVEL_SUPPORT_PHONE_SCAM)
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
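The two heuristics above describe detection logic only in prose. The following is an added example, not the analysis platform's own code: a small scorer that implements both rules over already-extracted document text. The rule identifiers and severities are taken from the report; the keyword lists, the repetition threshold (3), the "call ... number" proximity window and the three sample texts are assumptions constructed for the example (the 555-01xx numbers are reserved fictional numbers).

```python
import re
from collections import Counter

# North-American style numbers with an optional +1 country code and the usual separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Keyword lists are assumptions for this example, not the vendor's rule content.
TRAVEL_WORDS = ("airline", "flight", "booking", "reservation", "ticket", "itinerary",
                "baggage", "cancellation", "refund")
SUPPORT_WORDS = ("support", "helpline", "help desk", "customer service", "customer care",
                 "toll-free", "toll free", "hotline", "dial")
CALLBACK_CONTEXT = ("billing", "refund", "subscription", "renewal", "fraud", "security",
                    "invoice", "charge", "dispute", "unauthorized")
URGENCY = ("immediately", "within 24 hours", "urgent", "will be charged", "has been charged",
           "suspended", "expires", "dispute")
LEGIT_ISSUER = ("internal revenue service", "irs.gov", ".gov", "official form",
                "microsoft software license terms", "microsoft corporation")


def count_terms(low, terms):
    """Substring counts over lower-cased text; crude, but that is what keyword stuffing trips."""
    return sum(low.count(t) for t in terms)


def score_phone_lures(text):
    """Return [(rule_id, severity), ...] for the two phone-lure rules described in the report."""
    hits = []
    low = text.lower()
    # Normalise to the national 10 digits so "1 (888) 555-0142" and "888.555.0142" count as one number.
    phones = Counter(re.sub(r"\D", "", m.group())[-10:] for m in PHONE_RE.finditer(text))
    if not phones:
        return hits
    # Rule 1: one number stuffed repeatedly into travel/refund/support phrasing.
    if (max(phones.values()) >= 3 and count_terms(low, TRAVEL_WORDS) >= 3
            and count_terms(low, SUPPORT_WORDS) >= 2):
        hits.append(("SE_TRAVEL_SUPPORT_PHONE_SCAM", "critical"))
    # Rule 2: a "call/dial/contact ... <number>" ask in a billing/refund/fraud/security context.
    asks_call = re.search(r"\b(?:call|dial|contact)\b[^.\n]{0,60}\d", low) is not None
    if asks_call and count_terms(low, CALLBACK_CONTEXT) >= 1:
        # Suppression: legitimate issuer or license boilerplate with no urgency/charge/dispute language.
        suppressed = count_terms(low, LEGIT_ISSUER) > 0 and count_terms(low, URGENCY) == 0
        if not suppressed:
            hits.append(("SE_CALLBACK_LURE", "medium"))
    return hits


# Constructed sample texts (not content from the analysed PDF).
SCAM_TEXT = (
    "Example Air Customer Service Number +1-888-555-0142\n"
    "Flight cancellation and refund helpline: 1 (888) 555-0142\n"
    "Need to change your booking? Call Example Air reservations at 888.555.0142 toll-free, 24/7.\n"
    "Baggage claim support: dial +1 888 555 0142 immediately to avoid losing your refund.\n"
)
LICENSE_TEXT = (
    "MICROSOFT SOFTWARE LICENSE TERMS\n"
    "If you have questions about your billing or subscription, contact Microsoft Corporation "
    "customer service at (800) 555-0199 or visit the support site.\n"
)
URGENT_TEXT = (
    "Microsoft Corporation: your subscription has been charged $399. "
    "Call (800) 555-0199 immediately to dispute the charge.\n"
)

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_TEXT), ("license", LICENSE_TEXT), ("urgent", URGENT_TEXT)):
        print(label, score_phone_lures(sample))
```

The license text carries the same billing/subscription context and a phone number but stays suppressed because it names a legitimate issuer and has no urgency wording; the urgent variant shows that "has been charged ... immediately ... dispute" lifts that suppression, which is the escalation the rule description calls out.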

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_009_off0001bbe9.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1BBE9   149796 bytes
  SHA-256: 71aabf16044f11fa268206d262a948f473737c1fdf4e1b45c6c740e9671502c8
stream_026_off0002d25d.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2D25D   18240 bytes
  SHA-256: ab5f571bf0cd18a495d3ad2095b48edc8a90a4ff34d2cb5d46c82eaa51a75def
stream_030_off0002f1d9.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2F1D9   18240 bytes
  SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off000171cd.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x171CD  36324 bytes
  SHA-256: aadb4f4d3a6b55b2ce26ca2337b74b799ca9f723c190f42d90aee5c1625762fe
font_02_sfnt_off00024784.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x24784  16652 bytes
  SHA-256: 8c3d9d3ea1ef5220ccc19b4bc8eb9d454d82651ca607fd1249168d5f6c2f9c3d
font_03_sfnt_off00032430.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x32430  217340 bytes
  SHA-256: 94e96ca5dcf0707727b48752fdd01a4cb343919f3b48cba95a6cbc0d6d0c748e
font_04_sfnt_off00038909.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x38909  50208 bytes
  SHA-256: 305bf8c7a76ca05575d24c7c0fa3c8ce32844576d3cdaa976f680868b869fef6
font_05_sfnt_off00039871.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x39871  50400 bytes
  SHA-256: 3933f0a171d2e1d52238afd1697f635a25c78debe3762eae68e9de3aebda16b8
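The artifact table lists FlateDecoded streams and sfnt fonts carved by offset. The following is an added example, not the analysis platform's carver: a minimal stream carver that reproduces that naming scheme (`stream_NNN_offXXXXXXXX.bin`, `font_NN_sfnt_offXXXXXXXX.bin`), inflates leniently so a truncated stream still yields partial plaintext, and pulls literal `(...) Tj` strings from a decoded content stream. The sample PDF is constructed inside the block (it is not the analysed file), the font is a stand-in blob with an sfnt magic, and delimiting streams by `endstream` instead of `/Length` is a triage shortcut, not a conformant parser.

```python
import hashlib
import re
import zlib

# One indirect object carrying a stream: "N G obj << ...dict... >> stream\n<raw>\nendstream".
# Raw bytes are delimited by "endstream" rather than /Length (which may be an indirect
# reference); fine for triage, not for a strict parser.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType/OpenType/collection
LITERAL_TJ_RE = re.compile(rb"\((.*?)\)\s*Tj")


def inflate_lenient(raw, chunk=256):
    """Inflate a FlateDecode stream, keeping partial plaintext from corrupt or truncated data.
    Returns (plaintext, complete); complete is False when the deflate stream never ended."""
    d = zlib.decompressobj()
    out = bytearray()
    try:
        for i in range(0, len(raw), chunk):
            out += d.decompress(raw[i:i + chunk])
        out += d.flush()
    except zlib.error:
        pass  # corrupt tail: whatever decoded before the error is still worth keeping
    return bytes(out), d.eof


def carve_streams(pdf):
    """Return one record per stream object, named like the report's artifact table."""
    artifacts = []
    for idx, m in enumerate(OBJ_RE.finditer(pdf)):
        dict_bytes, raw = m.group(3), m.group(4)
        offset = m.start(4)  # file offset of the raw stream bytes
        if b"/FlateDecode" in dict_bytes:
            data, complete = inflate_lenient(raw)
        else:
            data, complete = raw, True
        if data[:4] in SFNT_MAGICS:
            kind, name = "pdf-font-stream", f"font_{idx:02d}_sfnt_off{offset:08x}.bin"
        else:
            kind, name = "decompressed-pdf-stream", f"stream_{idx:03d}_off{offset:08x}.bin"
        artifacts.append({
            "filename": name, "kind": kind, "offset": offset, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "truncated": not complete, "data": data,
        })
    return artifacts


def extract_literal_strings(content):
    """Pull '(...) Tj' literal strings out of a decoded content stream."""
    return [s.decode("latin-1") for s in LITERAL_TJ_RE.findall(content)]


def stream_obj(num, data, flate=True):
    """Serialise one stream object for the constructed sample PDF below."""
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (num, len(data), filt)
            + data + b"\nendstream\nendobj\n")


# Constructed sample (not the analysed file): a Flate content stream, a Flate-wrapped
# sfnt-like blob standing in for a font, and a Flate stream cut off before its end.
CONTENT = b"BT /F1 12 Tf 72 700 Td (Call 888-555-0142 for refund support) Tj ET"
SAMPLE_PDF = (b"%PDF-1.4\n"
              + stream_obj(1, zlib.compress(CONTENT))
              + stream_obj(2, zlib.compress(b"\x00\x01\x00\x00" + b"\x00" * 60))
              + stream_obj(3, zlib.compress(b"A" * 100000)[:-8])
              + b"%%EOF\n")

if __name__ == "__main__":
    for a in carve_streams(SAMPLE_PDF):
        flag = " (truncated)" if a["truncated"] else ""
        print(f'{a["filename"]} {a["kind"]} offset 0x{a["offset"]:X} {a["size"]} bytes{flag}')
        print(f'  SHA-256: {a["sha256"]}')
```

The literal-string extractor is the weak link on a file like this one: Skia/PDF output (the authoring application reported above) typically writes text as hex glyph-ID strings under Identity-H encoding, so recovering the stuffed phone numbers requires decoding through each embedded font's ToUnicode CMap, which this carver does not attempt. That is one concrete reason a body can look "obfuscated" to naive text extraction while rendering normally.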