Malicious PDF — malware analysis report

Static analysis result for SHA-256 f736a8458ad486fc…

MALICIOUS

PDF

Size: 158.8 KB
Authoring application: Skia/PDF m150 Google Docs Renderer
First seen: 2026-05-25
MD5: 68c0fbb451e478253966aec9ebe80050
SHA-1: be5c10b463f592e3954b45017c1b19afca8b9398
SHA-256: f736a8458ad486fc30013a5de1d44394570e6f1bdc21e0863f845dfcec6fa704
Risk Score: 80

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file is a PDF document that contains a large number of phone numbers, consistent with a travel support scam. The heuristic firings indicate a high count of phone numbers and a callback lure pattern. The document body is heavily obfuscated and does not provide clear textual content, but the heuristics strongly suggest a scamming attempt.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (2)

  • Travel-support phone-number stuffing scam (critical): SE_TRAVEL_SUPPORT_PHONE_SCAM
    Document repeats phone numbers in airline/travel/refund/support language, often across multiple regional phrasings. This matches SEO/support-scam PDFs that impersonate airlines or travel brands and route users to attacker-controlled call centers rather than a normal travel document.
  • Callback phishing phone lure (medium): SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) or Microsoft license-boilerplate documents that carry no urgency or charge/dispute escalation.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_014_off000191d1.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x191D1
    Size: 150316 bytes
    SHA-256: 314164698dcd254ebf8895d14e70c9264367cbc1417bdbd6e0eec8045a3395ae
  • font_01_sfnt_off00021f05.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21F05
    Size: 221836 bytes
    SHA-256: 0c33774a837ac817da5f1ccc527795d8b017b67a20d8b35cd2c3d6555f92af06
  • font_02_sfnt_off0002343b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2343B
    Size: 47796 bytes
    SHA-256: e63a51dfd52b6a8c3166c59ef4814eb245c5181b09637107ec97ab4eb48e1cf5
  • font_03_sfnt_off00026d4b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26D4B
    Size: 6096 bytes
    SHA-256: 03c02e05377f87b7ffcfeecda6ee9d693b22f57d196f7e92f5eec09b0c4d8096