Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb48aef04cab18cc…

MALICIOUS

PDF

Size: 315.6 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-26
MD5: 775210a46123296946b5b6b4f34adf47
SHA-1: fdf0d7e6db4dd2d1d5a60c3ba9b6c08d84ba82ff
SHA-256: eb48aef04cab18cc965c125860c12ae14a5e3b5aaae1cce378e4ea2736796f75
Risk Score: 60

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Travel-support phone-number stuffing scam (severity: high, rule: SE_TRAVEL_SUPPORT_PHONE_SCAM)
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure (severity: medium, rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts 4

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size (bytes) | SHA-256 |
|---|---|---|---|---|
| stream_022_off0002bb6a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2BB6A | 150316 | 314164698dcd254ebf8895d14e70c9264367cbc1417bdbd6e0eec8045a3395ae |
| font_01_sfnt_off000348a6.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x348A6 | 220780 | f91b363df35c89abd10f1b74970f2be596ef427093c0804e3a9d6a9cb3588a76 |
| font_02_sfnt_off00044c8a.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x44C8A | 51768 | 169623166259fdc4c284d3df4c9ef6143881b4dadb49556b9ccaf45963468a61 |
| font_03_sfnt_off0004b270.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4B270 | 6096 | 03c02e05377f87b7ffcfeecda6ee9d693b22f57d196f7e92f5eec09b0c4d8096 |