MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample is a PDF document that contains a large number of phone numbers, consistent with a travel-support phone scam. The heuristic firings indicate a high repetition of phone numbers, suggesting a deliberate attempt to overwhelm or confuse the user into calling for assistance. No scripts were extracted, and the document body was unreadable, limiting further analysis of the specific lure.
Machine Learning
- Nyx PDF Classifier clean score 0.0001
Heuristics 2
- Travel-support phone-number stuffing scam (critical, SE_TRAVEL_SUPPORT_PHONE_SCAM): Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_015_off0001cf5c.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1CF5C | 150760 bytes | 43c4a0b3d3b6acceb9c9588694c845e46bb835a1126afe7afd27c996e19a5021 |
| stream_029_off0002c9f6.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2C9F6 | 18240 bytes | ab5f571bf0cd18a495d3ad2095b48edc8a90a4ff34d2cb5d46c82eaa51a75def |
| stream_033_off0002e972.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2E972 | 18240 bytes | 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95 |
| font_01_sfnt_off00025ec1.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x25EC1 | 217436 bytes | 8dba6827345e96d899a1179c03b165566b9518748dfab367bca3597efc4c7220 |
| font_02_sfnt_off0003717f.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3717F | 50208 bytes | 305bf8c7a76ca05575d24c7c0fa3c8ce32844576d3cdaa976f680868b869fef6 |
| font_03_sfnt_off000380e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x380E7 | 50400 bytes | 3933f0a171d2e1d52238afd1697f635a25c78debe3762eae68e9de3aebda16b8 |