Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec90b55424b175f1…

MALICIOUS

PDF

164.0 KB Authoring application: Skia/PDF m150 Google Docs Renderer First seen: 2026-05-19
MD5: 0ab68d5fb474e555b5c2467d3f834f77 SHA-1: 4f0d9a9df945999825be39aab3c5e5c3737abb10 SHA-256: ec90b55424b175f1a18cb4f6db657250ace2f5eaeefee92003fb7d0ae735680c
80 Risk Score

Machine Learning

  • Nyx PDF Classifier clean score 0.0001

Heuristics 2

  • Travel-support phone-number stuffing scam critical SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.
🗂 Part of campaign: shared payload fa790acd85 90 samples

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_011_off0001dda8.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1DDA8 148584 bytes
SHA-256: f2ddb819543c77cef8a4b36f4f3fcbdf58541cf9562e8d18c0eb1cc7d07c5bf2
font_01_sfnt_off000264a2.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x264A2 217020 bytes
SHA-256: fa790acd85c5f2dd82c32029e23bb53427a55a09ac3bd416e6d869759fa35834