Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5ac234194f262e5…

Verdict: MALICIOUS

File type: PDF

Size: 242.6 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 4353cae45e0e27ef4248d953e44a53d8
SHA-1: d2856f3dbaec9f53e498fd9512d90dc8f17c75cc
SHA-256: d5ac234194f262e5ca0b0690a987d4ad15284b16c7fa77f51dbdce5fd282df0e
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document carrying a large number of phone-number mentions, repeated in airline/travel-support wording, consistent with a travel-support phone scam. The heuristic firings indicate that the repetition is the lure itself: the document is built to get the reader to call one of the listed numbers, which in this scam family route to attacker-controlled call centers, rather than to convey any genuine travel information. No scripts were extracted, and the document body could not be read during analysis, which limits further analysis of the specific lure. The phone numbers are therefore the most actionable indicator; decoding the carved content streams is the next step if they need to be recovered for blocking or reporting.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001 (the model assigns the file almost no likelihood of being benign)

Heuristics (2)

  • SE_TRAVEL_SUPPORT_PHONE_SCAM (critical): travel-support phone-number stuffing scam.
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • SE_CALLBACK_LURE (medium): callback phishing phone lure.
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
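As an added illustration of what the two social-engineering heuristics above look for, here is a small Python reimplementation of the idea. It is not the scanner's code: the keyword lists, thresholds and the three sample texts are constructed for this example. It normalizes every spelling of a phone number to its last ten digits so that regional variants of one number are counted as repeats, then applies a travel/support rule and a callback-lure rule with the legitimate-issuer suppression the descriptions mention.

```python
import re
from collections import Counter

# Constructed sample texts standing in for decoded PDF page text (not the real sample's content).
SCAM_TEXT = """Delta Airlines Customer Service Number +1-888-555-0142
Need a refund? Call +1 (888) 555-0142 for flight cancellation support.
United Airlines booking helpline 1-888-555-0142 (USA) | +1-888-555-0142 (Canada)
Call Now 888-555-0142 to change your ticket. 24/7 live support.
Reservations desk: +1-888-555-0142. Refund and cancellation: +1-888-555-0142."""

BENIGN_ITINERARY = """Your itinerary: Flight AB123 departing 10:05, arriving 12:40.
Booking reference XY7Q2P, seat 14C, baggage allowance 23 kg.
For assistance at the airport, visit the help desk in Terminal 2."""

LICENSE_BOILERPLATE = """MICROSOFT SOFTWARE LICENSE TERMS
If you have questions about your subscription or billing, call 1-800-555-0199.
Your use of the software is governed by these terms."""

# North-American style numbers with an optional +1/1 prefix and any of the usual separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Hypothetical vocabularies; a production rule set would be far larger and multilingual.
TRAVEL_RE = re.compile(r"\b(airlines?|flight|booking|reservations?|ticket|cancellation|helpline)\b", re.I)
SUPPORT_RE = re.compile(r"\b(customer service|support|refund|call now|call us)\b", re.I)
CALLBACK_CONTEXT_RE = re.compile(r"\b(billing|refund|subscription|fraud|security|charge|dispute)\b", re.I)
URGENCY_RE = re.compile(r"\b(call now|immediately|within 24 hours|suspended|unauthori[sz]ed|dispute|charged)\b", re.I)
LEGIT_ISSUER_RE = re.compile(r"\b(irs|internal revenue service|microsoft software license terms|official form)\b", re.I)


def normalize_phone(raw: str) -> str:
    """Collapse formatting so +1 (888) 555-0142 and 888-555-0142 count as the same number."""
    return re.sub(r"\D", "", raw)[-10:]


def assess(text: str) -> dict:
    """Apply both heuristics to one document's text and return the evidence with the verdicts."""
    phones = [normalize_phone(m.group(0)) for m in PHONE_RE.finditer(text)]
    counts = Counter(phones)
    max_repeat = max(counts.values(), default=0)
    travel_hits = len(TRAVEL_RE.findall(text))
    support_hits = len(SUPPORT_RE.findall(text))

    # Hypothetical thresholds chosen for this example: one number repeated three or more
    # times in text that also carries travel and support vocabulary.
    travel_scam = max_repeat >= 3 and travel_hits >= 2 and support_hits >= 1

    # Callback lure: a number appears in billing/refund/fraud/security context, unless the
    # document reads like a legitimate issuer's boilerplate with no urgency or dispute language.
    callback_context = bool(phones) and CALLBACK_CONTEXT_RE.search(text) is not None
    suppressed = LEGIT_ISSUER_RE.search(text) is not None and URGENCY_RE.search(text) is None

    return {
        "phone_mentions": len(phones),
        "distinct_numbers": len(counts),
        "max_repeat": max_repeat,
        "SE_TRAVEL_SUPPORT_PHONE_SCAM": travel_scam,
        "SE_CALLBACK_LURE": callback_context and not suppressed,
    }


if __name__ == "__main__":
    for name, sample in [("scam", SCAM_TEXT), ("itinerary", BENIGN_ITINERARY), ("license", LICENSE_BOILERPLATE)]:
        print(name, assess(sample))
```

The normalization step matters more than the keyword lists: stuffing PDFs deliberately vary the spelling of one number per region, and a detector that counts raw strings sees several low-frequency numbers instead of one heavily repeated one.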

Extracted artifacts (6)

Files carved from inside the sample during analysis: three FlateDecoded streams and three embedded fonts in the sfnt container format (TrueType/OpenType). Embedded fonts are the normal payload of a Google Docs export and are not suspicious by themselves; the decoded streams are where any text, links or actions in the document would be found.

stream_015_off0001cf5c.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1CF5C
  Size: 150760 bytes
  SHA-256: 43c4a0b3d3b6acceb9c9588694c845e46bb835a1126afe7afd27c996e19a5021

stream_029_off0002c9f6.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2C9F6
  Size: 18240 bytes
  SHA-256: ab5f571bf0cd18a495d3ad2095b48edc8a90a4ff34d2cb5d46c82eaa51a75def

stream_033_off0002e972.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x2E972
  Size: 18240 bytes
  SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95

font_01_sfnt_off00025ec1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x25EC1
  Size: 217436 bytes
  SHA-256: 8dba6827345e96d899a1179c03b165566b9518748dfab367bca3597efc4c7220

font_02_sfnt_off0003717f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3717F
  Size: 50208 bytes
  SHA-256: 305bf8c7a76ca05575d24c7c0fa3c8ce32844576d3cdaa976f680868b869fef6

font_03_sfnt_off000380e7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x380E7
  Size: 50400 bytes
  SHA-256: 3933f0a171d2e1d52238afd1697f635a25c78debe3762eae68e9de3aebda16b8
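The artifact list above is the output of a stream carver. The following Python is added here as an example and is not the analysis platform's own code: it builds a small constructed PDF with one FlateDecode stream and one raw stream, locates each stream dictionary, trusts a direct /Length only when an endstream keyword really follows it, inflates FlateDecode data, and records offset, decoded size and SHA-256 in the same shape as the table. The offset convention (first byte of stream data) and the filename pattern are assumptions; the report does not say which byte its offsets refer to.

```python
import hashlib
import re
import zlib

# Constructed content stream: 20 repeats of one line mimic phone-number stuffing (not the real sample).
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 700 Td (Call +1-888-555-0142 for refunds) Tj ET\n" * 20


def build_sample_pdf() -> bytes:
    """Build a minimal, constructed PDF with one FlateDecode stream and one raw stream."""
    deflated = zlib.compress(SAMPLE_CONTENT)
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    pdf += b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated)
    pdf += deflated + b"\nendstream\nendobj\n"
    pdf += b"5 0 obj\n<< /Length 11 >>\nstream\nhello world\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf


# A stream dictionary (one level of nesting allowed) immediately followed by the stream keyword.
STREAM_RE = re.compile(rb"(?P<dict><<[^<>]*(?:<<[^<>]*>>[^<>]*)*>>)\s*stream\r?\n")
# Direct /Length only; an indirect "/Length 5 0 R" is rejected by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_streams(pdf: bytes) -> list[dict]:
    """Locate every stream in the file and return one record per carved artifact."""
    artifacts = []
    pos = 0
    n = 0
    while (m := STREAM_RE.search(pdf, pos)) is not None:
        d = m.group("dict")
        start = m.end()  # assumed offset convention: first byte of stream data
        end = -1
        lm = LENGTH_RE.search(d)
        if lm is not None:
            end = start + int(lm.group(1))
            # Trust /Length only if 'endstream' really follows; malformed PDFs lie here.
            if not pdf[end:end + 16].lstrip(b"\r\n ").startswith(b"endstream"):
                end = -1
        if end < 0:
            end = pdf.find(b"endstream", start)
            if end < 0:
                break  # truncated stream; nothing more to carve
            # The EOL preceding 'endstream' is not part of the data.
            if pdf[end - 2:end] == b"\r\n":
                end -= 2
            elif pdf[end - 1:end] in (b"\n", b"\r"):
                end -= 1
        data = pdf[start:end]
        kind = "raw-pdf-stream"
        source = f"PDF raw stream at offset 0x{start:X}"
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
                kind = "decompressed-pdf-stream"
                source = f"PDF FlateDecoded stream at offset 0x{start:X}"
            except zlib.error:
                kind = "flate-decode-failed"  # keep the raw bytes for manual inspection
        artifacts.append({
            "filename": f"stream_{n:03d}_off{start:08x}.bin",
            "kind": kind,
            "source": source,
            "offset": start,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
        n += 1
        pos = end
    return artifacts


if __name__ == "__main__":
    for rec in carve_streams(build_sample_pdf()):
        print(rec["filename"], rec["kind"], rec["source"], rec["size"], "bytes")
        print("  SHA-256:", rec["sha256"])
```

Hashing the decoded bytes rather than the compressed ones is what makes the SHA-256 values in the table reusable: the same page content recompressed by a different zlib level or Flate implementation yields different raw bytes but the same decoded hash.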