Verdict: MALICIOUS
Risk Score: 84

Malware Insights

MITRE ATT&CK:
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF file contains multiple heuristics indicating malicious activity, including the use of JPXDecode related to CVE-2018-4990 and a high stream count suggesting obfuscation or heap spraying. The presence of embedded JBIG2 streams further supports the exploitation of PDF vulnerabilities. While no specific URLs or scripts were directly indicative of malicious intent, the file structure and heuristic firings strongly suggest it is designed to exploit a client-side vulnerability for code execution, likely as a spearphishing attachment.
Machine Learning
- Nyx PDF Classifier clean score 0.0565
Heuristics (5)
- JPXDecode + active content, JPEG2000 CVE-family indicator (severity: high, rule: PDF_JPX_CVE_2018_4990_RELATED): PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
- JBIG2Decode filter (severity: medium, rule: PDF_JBIG2): JBIG2 image decoder present; historically used in zero-click exploits.
- Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS): PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation.
- Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, rule: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts 32
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size | ClamAV | Obfuscation or payload | Entropy |
|---|---|---|---|---|---|---|---|
| stream_017_off00040ac4.bin | 5311f6c23313d00c3b20e47015976d89d6d6f32d3f70aac33563cfe4fea15375 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x40AC4 | 53300 bytes | | | |
| stream_020_off0004d0c4.bin | 72f1bc6cfaff1332c3fadf4733bc44863c4fddd24ecfdc9247807f0ff287eff5 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4D0C4 | 23439 bytes | | | |
| stream_024_off000699c2.bin | a0fcd5c2f57e8c6c2d7a22353de2b1d80a346be1db8df9ea27bbb57f23b3bb1b | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x699C2 | 118918 bytes | | | |
| jbig2_00_off001e9d30.bin | 831455fd43058516cffee68b468710b685d6831fd00f0ffd5526652046a4fc0e | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1E9D30 | 6144 bytes | No threats found | likely | 7.96 |
| jbig2_01_off001efee8.bin | 1ad7070d4b7df0fbd3218d39ddb9f1a56fc077fbf6dc88daeb7514e08a386407 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1EFEE8 | 7223 bytes | No threats found | likely | 7.97 |
| jbig2_02_off001f1bcf.bin | 8f2da93f039c053a0749a7dc5b8af92c1d5d13d9175160e4d926acca75b7bd82 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1F1BCF | 8118 bytes | No threats found | likely | 7.97 |
| jbig2_03_off001f5b25.bin | bc6717921b88a65c22b7f5c48e588170d0f10333dc9d4c406c6f1c75499d77b3 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1F5B25 | 11259 bytes | No threats found | likely | 7.98 |
| jbig2_04_off001ffc51.bin | da197b7907aa512b24df092d576f661e5c5d3b588be426652fd2a5cb17f8708a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1FFC51 | 7088 bytes | No threats found | likely | 7.97 |
| jbig2_05_off00203f5e.bin | 42d1df67c946b434d183cdd4983b1590168645fd377545b818c6aabadfbba3bb | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x203F5E | 5537 bytes | No threats found | likely | 7.96 |
| jbig2_06_off0020871d.bin | 773ac194cdb6c99a255f7b69ef33c16b2299a6e1df8f8ab38165961047bc8bbf | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x20871D | 4760 bytes | No threats found | likely | 7.95 |
| jbig2_07_off0023e42a.bin | 950fcbcc83d464c618571199f1a3f7394d43ef98fea66e308f17eba33eaa98a9 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x23E42A | 3321 bytes | | | |
| jbig2_08_off0024131c.bin | bb39abd18189172d9d55a87a044476c540b6bb7d2b1916dd3a68f8fca41c4f31 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x24131C | 3591 bytes | | | |
| jbig2_09_off002421cd.bin | 87ed4b8a8496bf4de4a08219b8bed16a0f4b6163e35d99e5512cdb6cc045b1de | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2421CD | 3335 bytes | | | |
| jbig2_10_off00244430.bin | b1347109080ab948738a20ada8903bba4e06bab72707630664a19df63fe0d8b0 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x244430 | 3888 bytes | | | |
| jbig2_11_off002505bc.bin | fd22669c6f8f87025352efb915e5682607590a870af6b50a5ef95cebb10b6618 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2505BC | 5747 bytes | No threats found | likely | 7.96 |
| jbig2_12_off00257ba1.bin | 8840eacc3361500b13d7fc592e590ae08931b70a9e0d1b62e6ddbc78429875c5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x257BA1 | 5766 bytes | No threats found | likely | 7.96 |
| jbig2_13_off002592d2.bin | 0195f5949d78c14bed18e131123d606a2453839040f1122ecaabced06761eea7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2592D2 | 7447 bytes | No threats found | likely | 7.97 |
| jbig2_14_off0025b092.bin | 755ae2f349294cd87eb519836861d7926ee937c7821f7a6dc1422e4c019192a6 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x25B092 | 3963 bytes | | | |
| jbig2_15_off0025c0b7.bin | 88d5542ea85c3b1958d6f0e2f841d17b6cade09cc095dcc9a389151ca790a824 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x25C0B7 | 6420 bytes | No threats found | likely | 7.97 |
| jbig2_16_off00278c2c.bin | 468022672dced1f2a37db3b005b03022fa1e6db5ef00bfaa546fd3be627c3aff | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x278C2C | 4416 bytes | No threats found | likely | 7.95 |
| jbig2_17_off0027c79e.bin | 7703ef66d10e23063f79381573fabb6d4afdec5fdb9278e1be08074bd603c25c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x27C79E | 6068 bytes | No threats found | likely | 7.97 |
| jbig2_18_off0027dffd.bin | 4a3638446754abba62355135af7f4b6585ba6c878918b3b30e2a144f85911f91 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x27DFFD | 4810 bytes | No threats found | likely | 7.96 |
| jbig2_19_off00287fc3.bin | 8ebe071fb42c98e09b6da2a9700c118cb91c5025b4174b3f42fcb29506f31092 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x287FC3 | 6967 bytes | No threats found | likely | 7.97 |
| jbig2_20_off00289ba5.bin | 340e0255b8efce7e4e1019813b07d4c1fa2c3d110d5b2d67899d1710013b0ec4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x289BA5 | 5802 bytes | No threats found | likely | 7.96 |
| jbig2_21_off0028b2fa.bin | 6c240e3428a183977aa6761f53c2db739c0e16ccbcff4cda9efe47aa4bfd86f5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x28B2FA | 6412 bytes | No threats found | likely | 7.96 |
| jbig2_22_off0028ccaf.bin | f6fe7ee976300fe2ef1a988516cd3ae8dd18d6db8a653ecc09551d25356445c5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x28CCAF | 2343 bytes | | | |
| jbig2_23_off00291df6.bin | 410c84dd58710c659918c14c33326981e36ba4c536e38cc551e72e23ebfa175e | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x291DF6 | 5413 bytes | No threats found | likely | 7.96 |
| jbig2_24_off0029e666.bin | c574bedb356af11cca0fe23dc12def7133ac16defbab28ed8acdc54590cb5427 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x29E666 | 3643 bytes | | | |
| jbig2_25_off0029f54b.bin | bf627c8e923a83752db0446d446b35cf44cdc4f3dc9268ec323c2ca1349e2bec | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x29F54B | 4852 bytes | No threats found | likely | 7.95 |
| jbig2_26_off00308039.bin | c2bb6dd76db2e90a66a6dd46af59ab12f8906a10bb564ad444d415fd7be33d83 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x308039 | 10926 bytes | No threats found | likely | 7.96 |
| jbig2_27_off0034e305.bin | 059f56da250a74e82a933633bac6f51184e72868fc0e72a7139bc8a0dc1f2703 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x34E305 | 4894 bytes | No threats found | likely | 7.95 |
| jbig2_28_off0038cf21.bin | d62567ea7fc418f1235845dd72bc97f80e1f9baa478793d914197e4bf040089c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x38CF21 | 5334 bytes | No threats found | likely | 7.95 |

The reported carved-artifact entropy values (7.95 to 7.98) are flagged as consistent with packed or encrypted content.