Malicious PDF — malware analysis report

Static analysis result for SHA-256 f637496a4624847e…

MALICIOUS

PDF

Size: 269.3 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: c633e69ec1b4181d3b1e01014eecb4c8
SHA-1: 3065795c6c48fa55617faf0a939abc7f02b7dc78
SHA-256: f637496a4624847e2ca7c36de499de39e630765b78b1a0e16616ca511790b4cf
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document that contains a high number of phone numbers, consistent with a travel support or callback phishing scam. The heuristics indicate a deliberate attempt to stuff the document with phone numbers to deceive the user into contacting a fraudulent support line. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam [critical] SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure [medium] SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
stream_015_off0001eb8a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x1EB8A | 18240 bytes
SHA-256: 40e421321e795e26ef42df8f532d3ea5ea8f2c595c2f46e8bbf04c2cd9121b4a
stream_024_off0002291a.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x2291A | 150432 bytes
SHA-256: d0e870b8977de6bd6268e7b900f8a405da97d2b71173ca3b00d908d52c5454e0
font_01_sfnt_off0002b794.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2B794 | 13508 bytes
SHA-256: bd9e83287b0d68b69d51ade3b1a6d88c9d79616100fdc6bf8b94f35bdafefa18
font_02_sfnt_off0002d9fa.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x2D9FA | 221672 bytes
SHA-256: a7cd16084d175f6b911e09f4aec11053f701f3a8bdf5414f2c39a9ceafde9675
font_03_sfnt_off0003a269.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3A269 | 55948 bytes
SHA-256: 3c6051093235d69c49bba294c3800b69fb67854306ce9e7943d0d6d3649bd30d
font_04_sfnt_off0003e321.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3E321 | 47820 bytes
SHA-256: c37ff9f7ac38071c5562ac4531b40d9dd44e418c77721c770c79c0dc31a9a670
font_05_sfnt_off00041c8b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x41C8B | 6096 bytes
SHA-256: 03c02e05377f87b7ffcfeecda6ee9d693b22f57d196f7e92f5eec09b0c4d8096