Verdict: MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
- T1204.002 Malicious File
The PDF file exhibits multiple high-severity indicators, including embedded JavaScript and encryption, which are used to conceal malicious content. ClamAV detection as 'Pdf.Dropper.Agent-7596497-0' strongly suggests its role as a dropper. The presence of numerous streams and JBIG2 decoding further points to obfuscation techniques commonly employed by malware. No document body text was extracted, but the combination of heuristics and the ClamAV signature indicates a malicious dropper.
Machine Learning
- Nyx PDF Classifier: clean score 0.1657
Heuristics (7)
- ClamAV: Pdf.Dropper.Agent-7596497-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Dropper.Agent-7596497-0
- Encrypted PDF carries /jS, payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/jS). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JBIG2Decode filter (medium, PDF_JBIG2): JBIG2 image decoder present, historically used in zero-click exploits
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF paints image(s) but contains no text operators (info, PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams; this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | ClamAV | Obfuscation or payload | Carved artifact entropy |
|---|---|---|---|---|---|---|
| jbig2_00_off000343e7.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x343E7 | 6736 bytes | No threats found | likely | 7.98 |
| jbig2_01_off00035ef6.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x35EF6 | 12128 bytes | No threats found | likely | 7.98 |
| jbig2_02_off00038f15.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x38F15 | 7040 bytes | No threats found | likely | 7.97 |
| jbig2_03_off0003ab54.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3AB54 | 12016 bytes | No threats found | likely | 7.98 |
| jbig2_04_off0003db06.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3DB06 | 12864 bytes | No threats found | likely | 7.99 |
| jbig2_05_off00040e07.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x40E07 | 2768 bytes | | | |
| jbig2_06_off00041997.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x41997 | 7904 bytes | No threats found | likely | 7.97 |
| jbig2_07_off00043936.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x43936 | 112 bytes | | | |
| jbig2_08_off00043a66.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x43A66 | 17760 bytes | No threats found | likely | 7.99 |
| jbig2_09_off00048089.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x48089 | 14112 bytes | No threats found | likely | 7.99 |
| jbig2_10_off0004b86c.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4B86C | 23904 bytes | No threats found | likely | 7.99 |
| jbig2_11_off0005168f.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5168F | 38416 bytes | No threats found | likely | 7.99 |
| jbig2_12_off0005ad62.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5AD62 | 40896 bytes | No threats found | likely | 8.00 |
| jbig2_13_off00064de5.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x64DE5 | 40704 bytes | No threats found | likely | 8.00 |
| jbig2_14_off0006eda8.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6EDA8 | 36096 bytes | No threats found | likely | 8.00 |
| jbig2_15_off00077b6b.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x77B6B | 40816 bytes | No threats found | likely | 8.00 |
| jbig2_16_off00081b9e.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x81B9E | 40704 bytes | No threats found | likely | 8.00 |
| jbig2_17_off0008bb61.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x8BB61 | 38528 bytes | No threats found | likely | 8.00 |
| jbig2_18_off000952a4.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x952A4 | 40608 bytes | No threats found | likely | 8.00 |
| jbig2_19_off0009f207.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x9F207 | 36592 bytes | No threats found | likely | 7.99 |
| jbig2_20_off000a81ba.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA81BA | 37968 bytes | No threats found | likely | 8.00 |
| jbig2_21_off000b16cd.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB16CD | 37424 bytes | No threats found | likely | 7.99 |
| jbig2_22_off000ba9c0.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xBA9C0 | 37696 bytes | No threats found | likely | 7.99 |
| jbig2_23_off000c3dc3.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC3DC3 | 36464 bytes | No threats found | likely | 8.00 |
| jbig2_24_off000cccf6.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xCCCF6 | 40640 bytes | No threats found | likely | 8.00 |
| jbig2_25_off000d6c79.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xD6C79 | 40528 bytes | No threats found | likely | 8.00 |
| jbig2_26_off000e0b8c.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE0B8C | 39520 bytes | No threats found | likely | 8.00 |
| jbig2_27_off000ea6af.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xEA6AF | 38848 bytes | No threats found | likely | 8.00 |
| jbig2_28_off000f3f32.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF3F32 | 35792 bytes | No threats found | likely | 7.99 |
| jbig2_29_off000fcbc5.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xFCBC5 | 39296 bytes | No threats found | likely | 8.00 |
| jbig2_30_off00106608.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x106608 | 40224 bytes | No threats found | likely | 8.00 |
| jbig2_31_off001103eb.bin | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1103EB | 42000 bytes | No threats found | likely | 8.00 |

Carved artifact entropy of 7.97 to 8.00 is consistent with packed or encrypted content.