Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7b8004bd26e2a9f…

MALICIOUS

PDF

Size: 263.5 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 534f04bfa34ffaa8aade10a101e3ac6b
SHA-1: 0dfe5ee1d06151f51be51873e93830ba5ab10fbc
SHA-256: d7b8004bd26e2a9ff19656e53e3ea4284aaa8c5ce5210a556e210ed186a9c56a
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document that contains a large number of repeated phone numbers, triggering heuristics for travel-support phone scams and callback phishing lures. The document body is heavily obfuscated and does not contain readable text, but the heuristic firings strongly indicate a social engineering attempt to trick the user into calling a fraudulent support line.

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Travel-support phone-number stuffing scam (critical, SE_TRAVEL_SUPPORT_PHONE_SCAM)
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename  Kind  Source  Size
stream_015_off0001ecee.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1ECEE 18240 bytes
SHA-256: 40e421321e795e26ef42df8f532d3ea5ea8f2c595c2f46e8bbf04c2cd9121b4a
stream_020_off00021274.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x21274 150432 bytes
SHA-256: d0e870b8977de6bd6268e7b900f8a405da97d2b71173ca3b00d908d52c5454e0
font_01_sfnt_off00035495.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x35495 13508 bytes
SHA-256: bd9e83287b0d68b69d51ade3b1a6d88c9d79616100fdc6bf8b94f35bdafefa18
font_02_sfnt_off000376fb.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x376FB 221672 bytes
SHA-256: a7cd16084d175f6b911e09f4aec11053f701f3a8bdf5414f2c39a9ceafde9675
font_03_sfnt_off00038bc3.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x38BC3 55948 bytes
SHA-256: 3c6051093235d69c49bba294c3800b69fb67854306ce9e7943d0d6d3649bd30d
font_04_sfnt_off0003cc7b.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x3CC7B 47820 bytes
SHA-256: c37ff9f7ac38071c5562ac4531b40d9dd44e418c77721c770c79c0dc31a9a670
font_05_sfnt_off000405e5.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x405E5 6096 bytes
SHA-256: 03c02e05377f87b7ffcfeecda6ee9d693b22f57d196f7e92f5eec09b0c4d8096