Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbcb223bd28f5982…

MALICIOUS

PDF

Size: 260.6 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 4b68d500d603cee2592252f13b2b94a3
SHA-1: 910c92e52f4212d993e2524e4f4987e8ffb1ed4a
SHA-256: dbcb223bd28f5982cfb952ee182212da1afd0510430ead73f97a689bdc1aee0d
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document that contains a high number of phone numbers and exhibits characteristics of a callback phishing or tech-support scam. The heuristic firings indicate a deliberate attempt to stuff the document with phone numbers, consistent with a scam designed to trick users into calling for 'support'. No scripts were extracted, and the document body was heavily obfuscated and truncated, preventing further analysis of specific lures.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam [critical] SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_011_off00012007.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12007 | 147552 bytes
    SHA-256: b61a26e3ad74d510f9e9c7aede5d9bfd364b9679c6e69eabcd53570842be1742
stream_043_off00030264.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x30264 | 18240 bytes
    SHA-256: 40e421321e795e26ef42df8f532d3ea5ea8f2c595c2f46e8bbf04c2cd9121b4a
stream_051_off00034845.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34845 | 18240 bytes
    SHA-256: 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95
font_00_sfnt_off0000f3c9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3C9 | 193036 bytes
    SHA-256: b76b6ea57857f2cba84c2b66f3b3afc10e6472242b5fc33bfe84aef98eff106c
font_01_sfnt_off000103b3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103B3 | 16996 bytes
    SHA-256: 5045df6c32a4e6dd65c742d7ff863ed6b6230ec3bc334de5fa779a19e026748f
font_03_sfnt_off00027bc7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27BC7 | 59268 bytes
    SHA-256: 11696c172cbfe441016bb872104960a0cbda51bd4892b7cbcb97206570c3dd39
font_04_sfnt_off0003afea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AFEA | 217696 bytes
    SHA-256: 7fd842eb87626442aaf79c15364f655c07590f1e00b52f5d808257392658312f
font_05_sfnt_off0003c05e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3C05E | 13792 bytes
    SHA-256: a057924d03d1b49c03817e5d18c7eb6f786732407869540be0e8b5e2969a5307