Malicious PDF — malware analysis report

Static analysis result for SHA-256 db33212df3e20c15…

Verdict: MALICIOUS
File type: PDF
Size: 355.5 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 1fb780c5329c5ca9bc9304e46be53218
SHA-1: d2623a651b4188dd777d8090596d092fc1020204
SHA-256: db33212df3e20c15134f2fc784f66735a23b7cae3b1ecca89914f56b353ebd0d
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document that fires heuristics for a travel-support phone scam and, more generally, a callback lure. The document body contains a large amount of obfuscated text, but the heuristic matches strongly indicate a social-engineering attempt to get the reader to call an attacker-supplied phone number. No scripts were extracted, and the PDF structure itself shows no malicious intent beyond what the heuristics flag: the risk lies in the text the document displays, not in an embedded exploit.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam [critical] (SE_TRAVEL_SUPPORT_PHONE_SCAM)
    The document repeats phone numbers inside airline/travel/refund/support language, often across several regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route victims to attacker-controlled call centres; a genuine travel document does not stuff the same number this way.
  • Callback phishing phone lure [medium] (SE_CALLBACK_LURE)
    The document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing and tech-support scam patterns. The rule is suppressed for documents from a legitimate issuer (IRS/government/official forms) or for Microsoft licence boilerplate, provided they carry no urgency and no charge/dispute escalation.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                      Size
stream_011_off0001bb51.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1BB51   151304 bytes
  SHA-256: 4f40c7782d56c2cbdb4f9238e39586886fbc8bf1597eab26541901c85034e6b0
stream_047_off0003e7d5.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x3E7D5   18240 bytes
  SHA-256: 40e421321e795e26ef42df8f532d3ea5ea8f2c595c2f46e8bbf04c2cd9121b4a
stream_055_off00042db6.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x42DB6   18240 bytes
  SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off0001a714.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x1A714  221276 bytes
  SHA-256: 01a01b542b1e8ae81e180080da0c94ab10a5d3050fe6bed23c16a66f3204eb74
font_02_sfnt_off000283cd.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x283CD  10772 bytes
  SHA-256: a38386d235cb8fde479c073bbabeeb44e7f5c480001fd3def913e27b42b7ec0a
font_03_sfnt_off00029f88.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x29F88  68652 bytes
  SHA-256: 6cb708f066e196f7b47ad4b9554c6bd6bd031077b7faa40a779c0d5421d998db
font_04_sfnt_off0004a8d1.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x4A8D1  13508 bytes
  SHA-256: bd9e83287b0d68b69d51ade3b1a6d88c9d79616100fdc6bf8b94f35bdafefa18
font_05_sfnt_off00051603.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x51603  6408 bytes
  SHA-256: 1446f1bb56b1c5ce77dee95a9d422f007651ec1ec74ad85da5247f6589536d01
font_06_sfnt_off0005527d.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x5527D  13792 bytes
  SHA-256: a057924d03d1b49c03817e5d18c7eb6f786732407869540be0e8b5e2969a5307
font_07_sfnt_off00055994.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x55994  47796 bytes
  SHA-256: e63a51dfd52b6a8c3166c59ef4814eb245c5181b09637107ec97ab4eb48e1cf5
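The following is an added worked example, not code from the analysis platform that produced this report. It reproduces the two stages the report summarises: carving the FlateDecode streams (offset, inflated size, SHA-256, as in the artifact table above) and then running the two phone-lure heuristics from the Heuristics section over the recovered text. The sample PDF is constructed inline and is not the analysed file; the keyword lists, the repeat threshold, the legitimate-issuer suppression list and the US-style phone pattern are assumptions chosen to illustrate the rules, not the platform's actual tuning. Text recovery is deliberately minimal (literal strings shown with Tj only); real lures also use TJ arrays, hex strings and custom font encodings, which is one reason the report calls the visible text obfuscated.

```python
import hashlib
import re
import zlib
from collections import Counter

# --- 1. carving: find /FlateDecode streams, inflate them, hash the result -----
# A PDF dictionary immediately followed by the "stream" keyword (one nested << >> allowed).
STREAM_RE = re.compile(rb"(?P<dict><<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n")

def carve_flate_streams(pdf: bytes) -> list:
    """One record per FlateDecode stream: offset of the compressed data, inflated size, SHA-256."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        if b"/FlateDecode" not in m.group("dict"):
            continue
        start = m.end()                      # first byte of the compressed data
        end = pdf.find(b"endstream", start)
        if end < 0:
            continue                         # truncated object: nothing to carve
        try:
            # decompressobj tolerates the EOL before "endstream" and returns
            # whatever can be recovered from a truncated stream
            data = zlib.decompressobj().decompress(pdf[start:end])
        except zlib.error:
            continue                         # corrupt or non-zlib data: skip, do not crash
        if data:
            out.append({"offset": start, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(), "data": data})
    return out

# --- 2. text recovery from content streams (simplified: literal strings + Tj) --
TJ_RE = re.compile(rb"\((.*?)\)\s*Tj", re.DOTALL)

def content_text(stream: bytes) -> str:
    return "\n".join(s.decode("latin-1") for s in TJ_RE.findall(stream))

# --- 3. the report's two heuristics as a scoring function (thresholds assumed) --
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}")  # US-style only
TRAVEL_TERMS = {"airline", "flight", "booking", "reservation", "refund",
                "cancellation", "helpline", "support", "ticket"}
CALLBACK_TERMS = {"call", "dial", "billing", "refund", "subscription",
                  "charge", "fraud", "security", "dispute"}
LEGIT_ISSUER = {"irs", "gov", "treasury"}                   # assumed suppression list
ESCALATION = {"charge", "dispute", "immediately", "urgent", "suspended"}

def normalize_phone(raw: str) -> str:
    digits = re.sub(r"\D", "", raw)
    return digits[-10:]                      # drop a leading country code so variants collapse

def score_phone_lure(text: str) -> dict:
    words = set(re.findall(r"[a-z]+", text.lower()))
    counts = Counter(normalize_phone(p) for p in PHONE_RE.findall(text))
    top = counts.most_common(1)
    top_phone, repeats = top[0] if top else (None, 0)
    travel = sorted(words & TRAVEL_TERMS)
    callback = sorted(words & CALLBACK_TERMS)
    findings = []
    # SE_TRAVEL_SUPPORT_PHONE_SCAM: the same number stuffed repeatedly in travel/refund/support language
    if repeats >= 3 and len(travel) >= 2:
        findings.append(("SE_TRAVEL_SUPPORT_PHONE_SCAM", "critical"))
    # SE_CALLBACK_LURE: a number to call in a billing/refund/fraud context, unless the
    # document reads like an official-issuer form with no urgency or charge/dispute escalation
    official_quiet = bool(words & LEGIT_ISSUER) and not (words & ESCALATION)
    if repeats >= 1 and callback and not official_quiet:
        findings.append(("SE_CALLBACK_LURE", "medium"))
    return {"phone": top_phone, "repeats": repeats, "travel_terms": travel,
            "callback_terms": callback, "findings": findings}

def analyse_pdf(pdf: bytes) -> dict:
    streams = carve_flate_streams(pdf)
    text = "\n".join(content_text(s["data"]) for s in streams)
    return {"streams": streams, "text": text, "verdict": score_phone_lure(text)}

# --- constructed sample (not the analysed file): one page, one Flate content stream ----
def build_sample_pdf() -> bytes:
    lines = [
        "BT /F1 12 Tf 72 720 Td (Airline refund support: call +1 800 555 0199) Tj ET",
        "BT /F1 12 Tf 72 700 Td (Flight cancellation helpline 1-800-555-0199) Tj ET",
        "BT /F1 12 Tf 72 680 Td (Booking change desk 1 (800) 555-0199 toll free) Tj ET",
        "BT /F1 12 Tf 72 660 Td (Dispute a charge today: 1-800-555-0199) Tj ET",
    ]
    body = zlib.compress("\n".join(lines).encode("latin-1"))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    report = analyse_pdf(build_sample_pdf())
    for s in report["streams"]:
        print(f"stream at 0x{s['offset']:X}  {s['size']} bytes  sha256={s['sha256']}")
    print(report["verdict"])
```

Run it and the constructed page triggers both rules on the same normalised number (four repeats across three regional phrasings), while a quiet "call the IRS" form line with no escalation words triggers neither, which is the suppression the report describes. On a real sample, swap `build_sample_pdf()` for the file's bytes; the carve records can be compared directly against the artifact table above.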