File verdict·Decided by the MT AI Engine

Our call

Suspicious

Item: saraba@pdsbnet.ca_Provincial and demonstration schools branch.pdf
Rating: 2.5
Author: MalwareTips File Scanner

Single tier-1 phishing label on a brand-new unsigned PDF with no sandbox or multi-engine confirmation.

Trust score45Caution

MT AI confidence · 65%

saraba@pdsbnet.ca_Provincial and demonstration schools branch.pdf

85.0 KB

7b7606a6b4d8d5183f…d9d603707b

Antivirus engines

1 of 75 flagged

Code signing

Unsigned

Age

First seen 9 days ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

65%Confidence

High

Reasoning

The payload shows a lone tier-1 malicious result against a backdrop of broad clean reporting and completely benign sandbox telemetry. Filename and threat label hint at phishing intent, yet the absence of corroborating signals from other engines, external intel, or runtime artifacts prevents a malicious verdict. Similar-hash RAG provides no additional context. This mixed evidence profile matches the borderline-mixed-signals pattern.

Key signals · 4

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

engines.topDetections[0]: Fortinet tier1 result=PDF/Phishing.QRC!tr
file.popularThreatLabel=phishing. and filenameAnalysis evidence of email lure pattern
prevalence.classification=rare_new with firstSubmissionDate 0 days old
behaviour.hasMaliciousSandboxVerdict=false and droppedChildren.hasMaliciousChild=false

Points in its favour

16 tier-1 engines reported clean
No malicious sandbox verdict
No contacted malicious hosts or dropped malicious children

Points against

Single tier-1 phishing detection
Email-style filename suggesting targeted lure
Zero-day submission with rare prevalence

What to do

Quarantine the file and do not open it; request an alternative delivery method from the apparent sender.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

Spawned processes

$(unnamed)

c:\program files (x86)\adobe\acrobat reader dc\reader\acrocef_1\RdrCEF.exe --backgroundcolor=16514043

Filesystem & mutexes

Files written9

C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json
C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\TESTING
Local\07F84778
Local\07C14DF8
Local\07F85AE0

+4 more

Files deleted2

C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\DC_READER_LAUNCH_CARD
C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\ACROBAT_READER_MASTER_SURFACEID

Dropped payload

Files this sample writes at runtime

This file drops 6 children at runtime. None are currently flagged malicious in our cache.

6 unseen

ad27039abac3252c3b39…37ede5Never scanned
never seen before
61ba57adc66672639bfb…0b68dcNever scanned
never seen before
81ff65efc4487853bdb4…7c8e06Never scanned
never seen before
278165575687daf6392e…e90a09Never scanned
never seen before
bdee182473d254ab5424…9a28d3Never scanned
never seen before
e3b0c44298fc1c149afb…52b855Never scanned
never seen before

No researcher-database hits

External threat-intel sources were not collected for this scan.

Antivirus engine breakdown

1 detection across 75 engines

1 malicious0 suspicious74 clean

Tier-117 engines

1flag

Top commercial AVs (low FP rate)

Tier-238 engines

0flag

Mainstream engines with mixed FP rates

Low-trust20 engines

0flag

Heuristic / generic-AI engines (high FP rate)

Fortinet

malicious

PDF/Phishing.QRC!tr

Hash 7b7606a6b4d8… cross-referenced against 75 AV engines via our AV network.

Prevalence

How often this file shows up in the wild

Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.

Rare & new

Unique uploaders

Very few people have ever uploaded this — rare.

Total submissions

Includes repeat uploads by the same source.

First seen by VT

9d ago

May 25, 2026

Prevalence quadrant

here

Rare · New

Targeted malware lives here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

5/25/2026, 8:31:45 AM

First seen (MalwareBazaar)

—

Last analysis (VT)

5/25/2026, 8:31:45 AM

Scanned here

5/25/2026, 8:38:26 AM

File name: saraba@pdsbnet.ca_Provincial and demonstration schools branch.pdf
Size: 85.0 KB
MIME type: (unknown)
Detected type: PDF
SHA-256: 7b7606a6b4d8d5183f08778241b133a038cdaa6fe8b8a4d1e18faed9d603707b
MD5: d4b14b73f16764f88648813261b4a61e
SHA-1: 376158e679ff8974671b26646a5bace9890e977f
First seen (VT): 5/25/2026, 8:31:45 AM
Last analysis (VT): 5/25/2026, 8:31:45 AM
First scan (MalwareTips): 5/25/2026, 8:38:26 AM
Last scan (MalwareTips): 5/25/2026, 8:38:26 AM

Behavior tags

pdf

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.