Verdict: MALICIOUS
Risk Score: 90

MITRE ATT&CK
- T1059.001 PowerShell
- T1204.002 Malicious File

Malware Insights
The PDF file contains embedded JavaScript and a launch action, indicating an attempt to execute code. The high stream count and JBIG2 decoding filter suggest obfuscation techniques are being used to hide malicious content. The embedded JavaScript is likely responsible for downloading and executing a secondary payload, though the exact nature of the payload cannot be determined from the available evidence. The benign URLs present do not detract from the malicious indicators.
Heuristics (6)

- Launch action (high, PDF_LAUNCH): PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous.
- JBIG2Decode filter (medium, PDF_JBIG2): JBIG2 image decoder present — historically used in zero-click exploits.
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URLs extracted:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts (32)

Files carved from inside the sample during analysis. Entropy is the carved artifact's byte entropy (out of 8.00); values of 7.99 to 8.00 are consistent with packed or encrypted content.

| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Entropy |
|---|---|---|---|---|---|---|---|
| jbig2_00_off00000ba3.bin | 1b9026de0594670f0f1e622e14610c2a0d44107bd1e1166a07927476c4166fa2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xBA3 | 28321 bytes | No threats found | likely | 7.99 |
| jbig2_01_off00007c51.bin | 169ca1319e6b62e8787cc5925bb65cbc89f23aea1352d50ac87e2e8977505310 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x7C51 | 29215 bytes | No threats found | likely | 7.99 |
| jbig2_02_off0000f07d.bin | 19ae69c179f4dc6cfffd0a5a5ffc7e594821c63dfaf1f67858ba1ea57effc21d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF07D | 30595 bytes | No threats found | likely | 7.99 |
| jbig2_03_off00016a0d.bin | 186bcec04d3578fbc73353b82306de1f9d1e2f83685ecf5bfd07b6387fb8f2b5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x16A0D | 26841 bytes | No threats found | likely | 7.99 |
| jbig2_04_off0001d4f8.bin | 9a32f6cb131682f485653972e7eea8cb61eba71f11026f64b20b7debba198ba4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1D4F8 | 24900 bytes | No threats found | likely | 7.99 |
| jbig2_05_off0002384e.bin | dc4686fffb3dab99ee3aa0399e14865ab0ab6b880efb8d005839288dab4125e9 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2384E | 23620 bytes | No threats found | likely | 7.99 |
| jbig2_06_off000296a4.bin | 11330482b90ff1eb813f4c6ff801a932c8548d8ba3c5ea173174e12fe4a543fb | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x296A4 | 34891 bytes | No threats found | likely | 7.99 |
| jbig2_07_off00032101.bin | 2808c330a33ebe4441dd0c109869fc47bdd376af238a676edbf7ca82a2df9195 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x32101 | 25189 bytes | No threats found | likely | 7.99 |
| jbig2_08_off00038578.bin | b6b1c49330d008f60fe0e6d0e62a6192a2a61ff5a617034277b613a73dd8458f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x38578 | 29599 bytes | No threats found | likely | 7.99 |
| jbig2_09_off0003fb29.bin | 609d67105709d3508411fabe13cbfdc036fbb4a0cef817b54bfdb1e777383419 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3FB29 | 37130 bytes | No threats found | likely | 7.99 |
| jbig2_10_off00048e46.bin | 973302dc48ef5a4dd8f86f47173cf355b5c490ffa06d450ba061cb57fe305741 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x48E46 | 39042 bytes | No threats found | likely | 7.99 |
| jbig2_11_off000528db.bin | acb8572e372ee5c41c0e0063fb3eb0c920a4bc0e070d3f94a257ec128e407d49 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x528DB | 27063 bytes | No threats found | likely | 7.99 |
| jbig2_12_off000594a5.bin | 3459774a3cd8c8b0ca53433fdafd8d92bcfa08947482d358ee5d2c4fec68c894 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x594A5 | 27254 bytes | No threats found | likely | 7.99 |
| jbig2_13_off0006012e.bin | 64bdc7eafbbb3011e35acc9e31b58aa03e59e931212479339fcf5b84302410a6 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6012E | 29558 bytes | No threats found | likely | 7.99 |
| jbig2_14_off000676b7.bin | 37777c89f7e680bddd23a2c1b39102596c4c50c5a33c1ef1601832e5a97639d7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x676B7 | 32836 bytes | No threats found | likely | 7.99 |
| jbig2_15_off0006f90e.bin | 8dbc61accbdffc0ae284b1d3eb78f694cae74c8d1817f55766b98813c11a14c4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6F90E | 24525 bytes | No threats found | likely | 7.99 |
| jbig2_16_off00075aee.bin | b35e1fe5c9d0817a80e7200d88ac5a6d3b255222e8d393a1cec0bbe241b7fe9d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x75AEE | 27218 bytes | No threats found | likely | 7.99 |
| jbig2_17_off0007c753.bin | cceeb4bcef1dc60a16869fcb1f222b17e27cc2df17cba57a49f08a6fb2c72658 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x7C753 | 37240 bytes | No threats found | likely | 7.99 |
| jbig2_18_off00085ade.bin | 2cd460d4dd18fa81059264ff19cfb4578490a81ed0184e141df0b13e4baf9c13 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x85ADE | 31023 bytes | No threats found | likely | 7.99 |
| jbig2_19_off0008d620.bin | 71d4247740abf5116aa6075511468a8cc35564614470eafdc748ac57a91ad029 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x8D620 | 31569 bytes | No threats found | likely | 7.99 |
| jbig2_20_off00095384.bin | 4726716a4fcb1432ceb44e6d70b1ca332c01cf6f660eacb2d765bbaec2ae8764 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x95384 | 32009 bytes | No threats found | likely | 7.99 |
| jbig2_21_off0009d2a0.bin | ad8ad27ac35e3248290b400a4a30084aeb977b36992d813621f2b6dd89113f3d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x9D2A0 | 31191 bytes | No threats found | likely | 7.99 |
| jbig2_22_off000a4e8a.bin | 4eebb5e31e0df13f2829d4187672c8655168fff2902dd75d5316d6017324d07e | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA4E8A | 33024 bytes | No threats found | likely | 7.99 |
| jbig2_23_off000ad19d.bin | cdc7698acb84e94a0ca64d9a602484b355c5eb203350c766cff66f2bdda32fb6 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xAD19D | 27318 bytes | No threats found | likely | 7.99 |
| jbig2_24_off000b3e66.bin | c83a1117478fa98b3f5c6233e39e1d4bc0270eca754a52a4f3cb7cfe21170009 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB3E66 | 31104 bytes | No threats found | likely | 7.99 |
| jbig2_25_off000bb9f9.bin | 3d2b1c8ec9f66c15d48a98cbd330b769dae9fd4490842881c224a76af131974f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xBB9F9 | 32534 bytes | No threats found | likely | 7.99 |
| jbig2_26_off000c3b22.bin | 1110fe0cd0f131da345d3fa38f5b002c60728a9815facc8511c87e68e67bba42 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC3B22 | 33900 bytes | No threats found | likely | 7.99 |
| jbig2_27_off000cc1a1.bin | 542fc0eb04882a07e7c8ef2e575098eec83ef48705147eda79b9fc030eeb907b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xCC1A1 | 35849 bytes | No threats found | likely | 7.99 |
| jbig2_28_off000d4fbd.bin | 9e86ae610a62ca90c3e77d0d2f588f17ab8ca3ef745bf8baac01e4b4186b8ff8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xD4FBD | 36883 bytes | No threats found | likely | 8.00 |
| jbig2_29_off000de1e3.bin | 8c320a220208f1c0b2316ccfa3bdaa6ff5c32839e1c2f538e62021e0933b292f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xDE1E3 | 39868 bytes | No threats found | likely | 7.99 |
| jbig2_30_off000e7fb2.bin | 60b4f363d9a898e008e44248a985f44a7d643aea990aa503c23ed0a3ee2430a4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE7FB2 | 37028 bytes | No threats found | likely | 7.99 |
| jbig2_31_off000f1269.bin | 44cd54fe19ee81cde2b005593b2417052cdfb0b3e92b93878dbb1391a6201b48 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF1269 | 31154 bytes | No threats found | likely | 7.99 |