MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample exhibits characteristics of a callback phishing or tech-support scam, indicated by the high count of phone numbers and the 'SE_TRAVEL_SUPPORT_PHONE_SCAM' heuristic firing. The document body is heavily obfuscated and repetitive, likely to mask the embedded phone numbers and evade detection. No scripts were extracted from this sample.
Machine Learning
- Nyx PDF Classifier clean score 0.0001
Heuristics 2
- Travel-support phone-number stuffing scam (critical, SE_TRAVEL_SUPPORT_PHONE_SCAM): Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
Extracted artifacts 7
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_017_off000350e1.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x350E1 | 152372 bytes | d318d2a115a834dda3dcb16f59a8bb9f5cd1fc20b9978d83ec403e4ac0d41269 |
| stream_057_off00053fde.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x53FDE | 18240 bytes | 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95 |
| font_01_sfnt_off0003fc43.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3FC43 | 46476 bytes | 963541a4bab1fa95767f4b1cc4d2e2cd7d20c05ddb313efaa0269ae1285d4a35 |
| font_02_sfnt_off0004417a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4417A | 220516 bytes | cec36028ae522e8d02b169466447f3a01927c5e317ddacb9ca9faeed4bc9bd1c |
| font_03_sfnt_off00055378.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55378 | 11904 bytes | 4728ae33b4501f858c8fd696f815180d77d260b89e3708fe66eb27a0220ad52d |
| font_04_sfnt_off00055c19.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x55C19 | 129692 bytes | f0c526424d74b23614c32984cadae458d7ed89f466a6abe79aca0f2ebc2cfb2e |
| font_05_sfnt_off00057749.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x57749 | 68100 bytes | 9b03ddf5b10dd7db4b8bc7c6fa30ffa1127828ed7b307f173085ae5142df297f |