Verdict: MALICIOUS
Risk Score: 84
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The PDF contains numerous embedded JBIG2 streams and a PDF launch action, which are commonly used to deliver exploits or secondary payloads. The ML classifier also flagged this PDF as malicious with a high score. While the document body is truncated and unreadable, the presence of these elements strongly suggests an attempt to execute malicious code upon opening or interaction.
Machine Learning
- Nyx PDF Classifier malicious score 0.8647
Heuristics: 6
- JBIG2Decode filter (medium, PDF_JBIG2): JBIG2 image decoder present — historically used in zero-click exploits
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
- Launch action (low, PDF_LAUNCH): PDF contains a /Launch action; all filespec targets are document files (cross-PDF navigation pattern, common in multi-part document bundles)
- Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts: 32
Files carved from inside the sample during analysis. ClamAV reported no threats for any carved file; every artifact was flagged "Obfuscation or payload: likely" because its entropy is consistent with packed or encrypted content.
| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Entropy |
|---|---|---|---|---|---|---|---|
| jbig2_00_off00000b6b.bin | 213242e3203242aecabbebb2ae7ac68f3ae683f6ae801a0f0908c89999bb4699 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB6B | 38564 bytes | No threats found | likely | 7.99 |
| jbig2_01_off0000a41c.bin | 0bfbf0286cac496e5ede029f3eec22c93c3302478c59c6dc7dab1893a7844592 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA41C | 36323 bytes | No threats found | likely | 7.99 |
| jbig2_02_off0001340c.bin | b546319b37e6b49651d474bfbe643c0d06a8cd0fa53ca13995aff641bff5d276 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1340C | 38676 bytes | No threats found | likely | 7.99 |
| jbig2_03_off0001cd2d.bin | fdcf85ecdb84b5f5e26b2e74dbd029e2651ef14584015f71f376ab5473ad8e25 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1CD2D | 37084 bytes | No threats found | likely | 8.00 |
| jbig2_04_off0002601b.bin | 18fd5fbdf4fdba8b20e1a6cfd8fe93ecff43e4b4a4a447d131cf490d6b91a455 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2601B | 38716 bytes | No threats found | likely | 7.99 |
| jbig2_05_off0002f969.bin | a486e87912924dd75748856f7781f3b1740a16a64211b51601bba1797368828c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2F969 | 39869 bytes | No threats found | likely | 7.99 |
| jbig2_06_off00039738.bin | 7f38560197ad69196b9350312c423c76110f449759f4257a0c09f7fb7b3540a5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x39738 | 38659 bytes | No threats found | likely | 7.99 |
| jbig2_07_off0004304d.bin | be8bd6ffee7b77dd380f53648caa85ad77c75c02e5e30f46fc077db07e1e8a23 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4304D | 34921 bytes | No threats found | likely | 7.99 |
| jbig2_08_off0004bac8.bin | 77f0611392b0954329ce1afa289e1cae06264593da1cbcf856ee43f4c1f436ea | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4BAC8 | 38056 bytes | No threats found | likely | 7.99 |
| jbig2_09_off00055182.bin | e4261e4e681c8c3b8a446f5bc589b98164fbd9581a538c44d2805deebb506299 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x55182 | 34547 bytes | No threats found | likely | 7.99 |
| jbig2_10_off0005da88.bin | 4fc9af34bbf4b7919c1bb4d7855df0193262a37d4b7ad2a22cfc57fcad08e59b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5DA88 | 35615 bytes | No threats found | likely | 7.99 |
| jbig2_11_off000667ba.bin | ce5baf779755894e40023c54ba80c87eca88c9d20a2127e831c4ff20d8f74a28 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x667BA | 37219 bytes | No threats found | likely | 7.99 |
| jbig2_12_off0006fb30.bin | 6acb0186175ff2f4bfdb97214ab414eea85adf4125febe0db218c9af96f39b6f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6FB30 | 30502 bytes | No threats found | likely | 7.99 |
| jbig2_13_off00077469.bin | ea66fed1376e75f42ffba710a30be66ba1a9356d7bed25baef72405f4cc045e7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x77469 | 35647 bytes | No threats found | likely | 7.99 |
| jbig2_14_off000801bb.bin | 8ab9953779ee723b92c77e6181a3eb7c504c28c412617f1600c32287e9507129 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x801BB | 37230 bytes | No threats found | likely | 7.99 |
| jbig2_15_off0008953c.bin | ed2e1a8ce3f4a5fdb871bf60b85de6f625cfa8d285ac5abf55f0f37a8548af6f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x8953C | 38375 bytes | No threats found | likely | 7.99 |
| jbig2_16_off00092d36.bin | 1ce9d399c7e6d03870e0cac0e44b14b3c80aade534792b81e2e8e3cd970f57d2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x92D36 | 37813 bytes | No threats found | likely | 7.99 |
| jbig2_17_off0009c2fe.bin | 252af74d647978ccc877da75f8020ffa46e36251183170062235833d6abd0a9d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x9C2FE | 40210 bytes | No threats found | likely | 7.99 |
| jbig2_18_off000a6223.bin | ec7b58ead373eaaa81e37685fb31ce80543dd25e5d74ef5bd54da6f40d4aca5c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA6223 | 36995 bytes | No threats found | likely | 7.99 |
| jbig2_19_off000af4b9.bin | 7e47e24aeeb340c54e2b75d9c350f5a6860cc70e18d996b17aaf78f82fd77314 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xAF4B9 | 34549 bytes | No threats found | likely | 7.99 |
| jbig2_20_off000b7dc1.bin | e4b63317793e21e343801c81912a34d3d4bfa06be6d69c49fb824d9259ae9abf | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB7DC1 | 27916 bytes | No threats found | likely | 7.99 |
| jbig2_21_off000bece0.bin | 2c3ef8cc4b5e46364560893ae80a39e054ed042d68bc89702a78a9d01e8fe935 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xBECE0 | 29657 bytes | No threats found | likely | 7.99 |
| jbig2_22_off000c62cc.bin | 172d2ce121bc5621ab976c2d6425d0c1c90461ff72c8a31cad7ce6f727677df0 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC62CC | 27725 bytes | No threats found | likely | 7.99 |
| jbig2_23_off000cd12c.bin | 5f80a7a4be2e5958a4f0d8c3d877d4b6adcc94001f6cf17c9b8cd53fb79ab448 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xCD12C | 31189 bytes | No threats found | likely | 7.99 |
| jbig2_24_off000d4d14.bin | c3860640ff6de2cf289358857d2acedc7620386431708fd8f8973e5ce4af21a2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xD4D14 | 26848 bytes | No threats found | likely | 7.99 |
| jbig2_25_off000db807.bin | 9ea0987fca44750deffe54b47c2fa22016b65e0a6e0005cc0e018f02a5a982f7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xDB807 | 31649 bytes | No threats found | likely | 7.99 |
| jbig2_26_off000e35bb.bin | d0a5d92f80deaa18e2cec6770ffeae8380eea3d8e8c2ab16ac575c205fccc1b8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE35BB | 40422 bytes | No threats found | likely | 7.99 |
| jbig2_27_off000ed5b4.bin | bcdc1366685e65774a4a48122560313a96796325d041909995654249fe08bb6f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xED5B4 | 38866 bytes | No threats found | likely | 7.99 |
| jbig2_28_off000f6f99.bin | a95cfb43e9a0c3387d10c02bc10411a5f33513d8433beadf1897e14d1d42b119 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF6F99 | 35878 bytes | No threats found | likely | 7.99 |
| jbig2_29_off000ffdd2.bin | 60e8586593df52cf613e2e0d24bad34d9a9149f4e5985858e51d0fc963b58525 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xFFDD2 | 37044 bytes | No threats found | likely | 7.99 |
| jbig2_30_off00109099.bin | 858eed9114d4877f3f0e6a416352b373d1ae757c2bd62154d0c1ae0046326412 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x109099 | 35126 bytes | No threats found | likely | 7.99 |
| jbig2_31_off00111be2.bin | 32a1ed8127491a7101181a8a6c5722198a02292077a4cbbd33121cc5453bd10d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x111BE2 | 33111 bytes | No threats found | likely | 7.99 |