Malicious PDF — malware analysis report

Static analysis result for SHA-256 db87cac602a02a8b…

MALICIOUS

PDF

Size: 232.5 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: d3858ad2433667adfafc68000237c91a
SHA-1: 1a99bb8e5f914069156aa0d6655d2ac04be18596
SHA-256: db87cac602a02a8b50928c31495828ff6cc16226102156355ebdbba5142af329
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The file is a PDF document that contains a large number of phone numbers, triggering heuristics for travel support and callback phishing scams. The document body is heavily obfuscated and does not provide clear textual content, but the heuristic firings strongly indicate a social engineering attempt to trick the user into making a phone call for fraudulent purposes.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam [critical] (SE_TRAVEL_SUPPORT_PHONE_SCAM)
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure [medium] (SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename                        Kind                     Source                                     Size
stream_010_off0001af63.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x1AF63  150220 bytes
    SHA-256: 8a6dd98c6dfbcf34d273e2c42e491956c6a4e09c36fa6d1d259e570bef50be12
stream_022_off0002857d.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2857D  18240 bytes
    SHA-256: ab5f571bf0cd18a495d3ad2095b48edc8a90a4ff34d2cb5d46c82eaa51a75def
stream_026_off0002a4f9.bin      decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2A4F9  18240 bytes
    SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off00019f55.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x19F55 217560 bytes
    SHA-256: fdaaf3f9e4e91176bf1763e3eef12f5c9f4effedff68909cccf47a813d76914a
font_02_sfnt_off00032d06.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x32D06 50208 bytes
    SHA-256: 305bf8c7a76ca05575d24c7c0fa3c8ce32844576d3cdaa976f680868b869fef6
font_03_sfnt_off00033c6e.bin    pdf-font-stream          PDF embedded font (sfnt) at offset 0x33C6E 50400 bytes
    SHA-256: 3933f0a171d2e1d52238afd1697f635a25c78debe3762eae68e9de3aebda16b8