Malicious PDF — malware analysis report

Static analysis result for SHA-256 def5b1035f0b7abc…

Verdict: MALICIOUS
File type: PDF
Size: 231.5 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 3908e0b3e8b93c52accb346405b767e0
SHA-1: a897a92929cba9c9e7b73e779815bd8ae08ebcf7
SHA-256: def5b1035f0b7abcc35dab06d5a65d755c588e82933535f9e2af97b32e4f034f
Risk score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document that contains an unusually high number of phone numbers wrapped in airline/travel, refund and support language, consistent with a travel-support phone scam. The document body is heavily obfuscated, but the heuristics that fired strongly indicate a callback-phishing or tech-support-scam pattern: the lure is the phone number, not an exploit, so sandbox detonation is unlikely to add anything beyond this static result. No scripts were extracted from this sample; the only carved artifacts are one content stream and four embedded fonts (see Extracted artifacts below). The producer string (Skia/PDF, Google Docs Renderer) indicates a document exported from Google Docs, so the file metadata carries no attribution value on its own.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • SE_TRAVEL_SUPPORT_PHONE_SCAM (critical): Travel-support phone-number stuffing scam
    The document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    The document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
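The two heuristic descriptions above are enough to reimplement a first-pass version of the detection. The block below is an added example written for this page; it is not the analysis platform's own heuristic engine, and the term lists, thresholds, function names (extract_phone_numbers, evaluate_phone_lure) and the three sample texts are all assumptions constructed for illustration. It normalises every phone-number mention to its digit string, counts repeats, checks for travel/refund and billing/security vocabulary, and applies the legitimate-issuer suppression that SE_CALLBACK_LURE describes.

```python
import re
from collections import Counter

# Constructed sample texts standing in for a PDF text-extractor's output. They are
# not text from the analysed sample and use only reserved 555 numbers.
SCAM_TEXT = """Airline Customer Support - Flight Change, Cancellation & Refund Helpline
Call +1-888-555-0134 for 24/7 booking support.
Need a refund? Dial +1 (888) 555-0134 to speak with an agent now.
Reservation cancelled or charged twice? Contact +1 888 555 0134 immediately.
Travel desk toll free: 1-888-555-0134 (USA), +44 20 5550 0134 (UK), +61 2 5550 0134 (AU).
"""
CALLBACK_TEXT = """Your antivirus subscription has been renewed for $399.99.
To dispute this charge and request a refund, call 1-805-555-0147 within 24 hours.
"""
LEGIT_TEXT = """Form 1040 - U.S. Individual Income Tax Return
For questions about a refund or payment, call 1-800-555-0199 or visit irs.gov.
"""

# Loose phone pattern: optional '+', a digit, 7+ digit/separator characters, a digit.
# The class deliberately has no newline so numbers never merge across lines.
PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")

# Illustrative vocabularies (assumption); the vendor's real term lists are not on the page.
TRAVEL_TERMS = ("airline", "flight", "booking", "reservation", "travel", "ticket", "refund", "cancel")
CALLBACK_TERMS = ("billing", "refund", "subscription", "fraud", "security", "charge", "invoice")
URGENCY_TERMS = ("immediately", "now", "urgent", "dispute", "suspend", "24/7")
LEGIT_ISSUER_MARKERS = ("internal revenue service", "irs.gov", "form 1040",
                        "microsoft software license terms")


def _term_re(terms):
    # \b + term + \w* so that "cancel" also hits "cancellation" and "cancelled"
    return re.compile(r"\b(?:" + "|".join(re.escape(t) for t in terms) + r")\w*", re.I)


TRAVEL_RE, CALLBACK_RE, URGENCY_RE = map(_term_re, (TRAVEL_TERMS, CALLBACK_TERMS, URGENCY_TERMS))


def extract_phone_numbers(text):
    """Return every phone-number mention, normalised to its digit string."""
    numbers = []
    for m in PHONE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 10 <= len(digits) <= 15:           # E.164 allows at most 15 digits
            numbers.append(digits)
    return numbers


def evaluate_phone_lure(text):
    """Apply both heuristics to extracted text; return counts, findings and a verdict."""
    numbers = extract_phone_numbers(text)
    counts = Counter(numbers)
    top_repeats = max(counts.values(), default=0)
    travel_hits = len(TRAVEL_RE.findall(text))
    callback_hits = len(CALLBACK_RE.findall(text))
    urgency_hits = len(URGENCY_RE.findall(text))
    legit_issuer = any(mark in text.lower() for mark in LEGIT_ISSUER_MARKERS)

    findings = []
    # Stuffing: several mentions, one number repeated, wrapped in travel/refund language.
    if len(numbers) >= 3 and top_repeats >= 3 and travel_hits >= 3:
        findings.append(("SE_TRAVEL_SUPPORT_PHONE_SCAM", "critical"))
    # Callback lure: a number in billing/refund/security context. Suppressed for
    # legitimate-issuer boilerplate that carries no urgency or charge/dispute escalation.
    if numbers and callback_hits and not (legit_issuer and urgency_hits == 0):
        findings.append(("SE_CALLBACK_LURE", "medium"))

    severities = {sev for _, sev in findings}
    verdict = "malicious" if "critical" in severities else ("suspicious" if findings else "no heuristic hit")
    return {"phone_mentions": len(numbers), "distinct_numbers": len(counts),
            "top_number_repeats": top_repeats, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("scam", SCAM_TEXT), ("callback", CALLBACK_TEXT), ("legit", LEGIT_TEXT)):
        print(name, evaluate_phone_lure(text))
```

Normalising to digits is what makes the repeat count meaningful: the same number written four ways (dashes, parentheses, spaces) collapses to one key, which is exactly the "multiple regional phrasings" pattern the critical heuristic describes. The IRS-style sample shows the suppression path: a phone number next to the word "refund" is not enough on its own when the document identifies a legitimate issuer and carries no urgency language.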

Extracted artifacts (5)

Files carved from inside the sample during analysis. Sizes are those of the decompressed payloads, not the on-disk streams: the four fonts alone add up to more than the 231.5 KB file size.

stream_009_off0001d0ea.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1D0EA
  Size: 151220 bytes
  SHA-256: 254fc6d9978b371a457f3202913e2e0fd79df9a658a1c7269bbf765c0363c3d4

font_01_sfnt_off00026088.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x26088
  Size: 33596 bytes
  SHA-256: d9bd5c00743e7fb6e93e7d7727313fef9e8480d7934ff76cde45bc76b308b1ff

font_02_sfnt_off00034567.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x34567
  Size: 15924 bytes
  SHA-256: 8afbc7bfc9c3251024b3edcb57d20cb94c8893107acd1802082debd81f7bf3e3

font_03_sfnt_off00036afe.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x36AFE
  Size: 217340 bytes
  SHA-256: 94e96ca5dcf0707727b48752fdd01a4cb343919f3b48cba95a6cbc0d6d0c748e

font_04_sfnt_off00037a20.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x37A20
  Size: 47796 bytes
  SHA-256: e63a51dfd52b6a8c3166c59ef4814eb245c5181b09637107ec97ab4eb48e1cf5
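The artifact list above is what a stream carver produces: for each FlateDecode stream, the file offset, the decompressed size, a SHA-256 of the payload, and a coarse kind (an sfnt font is recognised by its first four bytes). The block below is an added example of that carving step, written for this page; it is not the analysis platform's carver, and the function names (carve_streams, build_sample_pdf), the choice to report the offset of the stream data, and the tiny self-built PDF are all assumptions. It ignores /Length and the xref table on purpose, because malformed or malicious files routinely lie about both, and it also scans each decompressed payload for action keywords, which is how a "no scripts extracted" statement is backed up when objects are hidden inside compressed object streams.

```python
import hashlib
import re
import zlib

# Magic bytes at the start of an sfnt container (TrueType, OpenType/CFF, Mac 'true', TTC).
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
# Keywords whose presence inside a decompressed stream warrants a closer look.
SCRIPT_KEYWORDS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/EmbeddedFile")

# A stream dictionary (one level of nesting tolerated) immediately followed by the
# 'stream' keyword. Hex strings containing '<' or '>' inside the dictionary would
# defeat this pattern; a production carver needs a real PDF tokenizer.
STREAM_HEADER_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.S)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_streams(raw: bytes):
    """Linear scan for stream objects. Returns one record per stream with the
    decompressed payload's hash, size, completeness flag and a coarse kind."""
    records = []
    for m in STREAM_HEADER_RE.finditer(raw):
        dictionary, start = m.group(1), m.end()
        end = raw.find(b"endstream", start)
        if end < 0:
            continue                      # truncated stream: nothing reliable to carve
        data = raw[start:end]
        flate = b"/FlateDecode" in dictionary
        if flate:
            d = zlib.decompressobj()
            try:
                payload = d.decompress(data)   # the EOL before 'endstream' ends up in d.unused_data
            except zlib.error:
                continue                       # corrupt or non-zlib data; skip rather than guess
            complete = d.eof
        else:
            payload, complete = data.rstrip(b"\r\n"), True
        records.append({
            "offset": f"0x{start:X}",          # assumption: offset of the stream data, not the object
            "filter": "FlateDecode" if flate else "none",
            "compressed_size": len(data),
            "size": len(payload),
            "complete": complete,
            "sha256": sha256_hex(payload),
            "kind": "pdf-font-stream" if payload.startswith(SFNT_MAGICS) else "decompressed-pdf-stream",
            "script_keywords": [k.decode() for k in SCRIPT_KEYWORDS if k in payload],
        })
    return records


# Constructed inputs for the self-contained run below (not taken from the analysed sample).
SAMPLE_CONTENT = b"BT /F1 12 Tf 72 720 Td (Call 1-888-555-0134 for refund support) Tj ET"
SAMPLE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 60   # sfnt header bytes plus padding; not a usable font


def build_sample_pdf() -> bytes:
    """Constructed minimal PDF (no xref table) with two FlateDecode streams:
    a page content stream and an embedded font stream."""
    def stream_obj(num, body, extra=b""):
        comp = zlib.compress(body)
        return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode%s >>\nstream\n" % (num, len(comp), extra)
                + comp + b"\nendstream\nendobj\n")
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
            b"/Resources << /Font << /F1 6 0 R >> >> >>\nendobj\n"
            + stream_obj(4, SAMPLE_CONTENT)
            + stream_obj(5, SAMPLE_FONT, b" /Length1 %d" % len(SAMPLE_FONT))
            + b"6 0 obj\n<< /Type /Font /Subtype /TrueType /BaseFont /Example "
            b"/FontDescriptor << /Type /FontDescriptor /FontFile2 5 0 R >> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for rec in carve_streams(build_sample_pdf()):
        print(rec)
```

Two details matter when running this against a real sample. Decompressing with a decompressobj rather than zlib.decompress tolerates the end-of-line bytes that sit between the compressed data and the endstream keyword, and the eof flag tells you whether the stream was cut short, which is worth recording next to the hash. Scanning the decompressed payload for action keywords catches the case where a /JavaScript or /OpenAction dictionary lives inside a compressed object stream and is invisible to a plain grep of the file on disk.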