MALICIOUS
Risk Score: 80
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The sample is a PDF document that contains a high number of phone numbers and exhibits characteristics of a callback phishing or tech-support scam. The heuristic firings indicate a deliberate attempt to stuff the document with phone numbers, consistent with a scam designed to trick users into calling for 'support'. No scripts were extracted, and the document body was heavily obfuscated and truncated, preventing further analysis of specific lures.
Machine Learning
- Nyx PDF Classifier clean score 0.0001
Heuristics 2
- Travel-support phone-number stuffing scam (critical, SE_TRAVEL_SUPPORT_PHONE_SCAM): Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
Extracted artifacts 8
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| stream_011_off00012007.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x12007 | 147552 bytes | b61a26e3ad74d510f9e9c7aede5d9bfd364b9679c6e69eabcd53570842be1742 |
| stream_043_off00030264.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x30264 | 18240 bytes | 40e421321e795e26ef42df8f532d3ea5ea8f2c595c2f46e8bbf04c2cd9121b4a |
| stream_051_off00034845.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x34845 | 18240 bytes | 33e060654ed1208fc726f2323a8a9e7d9de6f6c8c2aedd340c7ed605b422fc95 |
| font_00_sfnt_off0000f3c9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF3C9 | 193036 bytes | b76b6ea57857f2cba84c2b66f3b3afc10e6472242b5fc33bfe84aef98eff106c |
| font_01_sfnt_off000103b3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x103B3 | 16996 bytes | 5045df6c32a4e6dd65c742d7ff863ed6b6230ec3bc334de5fa779a19e026748f |
| font_03_sfnt_off00027bc7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x27BC7 | 59268 bytes | 11696c172cbfe441016bb872104960a0cbda51bd4892b7cbcb97206570c3dd39 |
| font_04_sfnt_off0003afea.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3AFEA | 217696 bytes | 7fd842eb87626442aaf79c15364f655c07590f1e00b52f5d808257392658312f |
| font_05_sfnt_off0003c05e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3C05E | 13792 bytes | a057924d03d1b49c03817e5d18c7eb6f786732407869540be0e8b5e2969a5307 |