Malicious PDF — malware analysis report

Static analysis result for SHA-256 da7f24b9865aa98b…

MALICIOUS

PDF

Size: 232.9 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 1d172c203fbd6c2f84741599707a8f54
SHA-1: 397f82b99ae3866e3b44ff75da601dc4dd1baafc
SHA-256: da7f24b9865aa98b8c9186aeeb7db4b72a48b2971e648911541514612b9972ae
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document that contains a large number of phone numbers, consistent with a travel support or callback phishing scam. The heuristic firings indicate a phone number stuffing technique used to obscure the malicious intent. No scripts were extracted, and the document body was heavily obfuscated and truncated, preventing further analysis of the specific lure.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam (severity: critical, rule SE_TRAVEL_SUPPORT_PHONE_SCAM)
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure (severity: medium, rule SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
stream_010_off0001af2f.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1AF2F   150736 bytes
    SHA-256: 245997b869b3264d18260db6014589441b0baf7dc86853909f151a597308431d
stream_022_off0002873e.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2873E   18240 bytes
    SHA-256: ab5f571bf0cd18a495d3ad2095b48edc8a90a4ff34d2cb5d46c82eaa51a75def
stream_026_off0002a6ba.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2A6BA   18240 bytes
    SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off00019eea.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x19EEA  217712 bytes
    SHA-256: cf79bdaf9367f1a05485080bf2b8b5ed5d129a3b73f65d254f75a38ebf89722f
font_02_sfnt_off00032ec7.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x32EC7  50208 bytes
    SHA-256: 305bf8c7a76ca05575d24c7c0fa3c8ce32844576d3cdaa976f680868b869fef6
font_03_sfnt_off00033e2f.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x33E2F  50400 bytes
    SHA-256: 3933f0a171d2e1d52238afd1697f635a25c78debe3762eae68e9de3aebda16b8