Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c9c152ab1380132…

Verdict: MALICIOUS
File type: PDF
Size: 3.60 MB
Created: (unreadable metadata string)
Authoring application: (unreadable metadata string)
MD5: 1f7866ea902ba3492870d0eb5f3fb879
SHA-1: 0acc7cdf2e92117875770778ab87403a912e71f7
SHA-256: 1c9c152ab13801328f78978eb97f69d9eed12a6a436cf023578c62c978a1616e
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF is encrypted and contains embedded JavaScript, a common technique to obscure malicious payloads from static analysis. The presence of multiple JBIG2 streams suggests an attempt to pack or obfuscate content. The heuristic 'PDF_ENCRYPTED_WITH_JS' strongly indicates that JavaScript is used to decrypt and deliver the actual malicious content, likely an exploit or downloader. No document body text was available for analysis, so the rationale is based on the PDF structure and heuristics.

Heuristics (5)

  • Encrypted PDF carries /js — payload hidden from static analysis (severity: high; rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/js). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JBIG2Decode filter (severity: medium; rule: PDF_JBIG2)
    JBIG2 image decoder present — historically used in zero-click exploits.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info; rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection
jbig2_00_off0000a0c7.bin
23439f0fffb513bc0f23448ebec1dd0994b6f00771d4e2648616fdfbeaa9a573
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xA0C7 | Size: 46545 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_01_off0001613e.bin
6018e2bf8b4dceb637daf8098172accd75100a95b96ad5cac362f1378c64cf3d
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x1613E | Size: 42560 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_02_off0002109a.bin
3842eca129be645d93514cd4a985be02a62f2a8bf249c096cdd8b13b389a0ec2
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x2109A | Size: 35328 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_03_off0002a4b0.bin
81cfd50f742c7f8e61d270e299d1174423a295102485e9e2fa480d130cba78dc
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x2A4B0 | Size: 33285 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_04_off00033273.bin
825f56b6653808e5b85e8cd8bbe2dc0e50eeaa7f55f56df54315388c506937a7
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x33273 | Size: 49921 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_05_off00051baa.bin
e8d743d01976632f3e1e72ab3837ae46eacbea79578ec713bbafdfb0a1c6e104
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x51BAA | Size: 14732 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_06_off0006c82d.bin
36c419b5410d3fec409f566acdc3bd301ea9302799a34c90887f0e9cfd51d3ee
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x6C82D | Size: 26269 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_07_off00074157.bin
99023937e39f7f6c7251ba2c02211f568a61fe16ac2f745bb1541a1f722e678c
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x74157 | Size: 31198 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_08_off0007bc9a.bin
e6f6e64b62e60781a9cc218673b97a5eefc270d5f442ed2b036a42063143fc22
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x7BC9A | Size: 38848 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_09_off00085d80.bin
9015fbfb1efd8de3756f53be609157fcbc3b0d0241a8f5cab743c00053090243
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x85D80 | Size: 21581 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_10_off0008c3ea.bin
dfad9d08326de2f6556987cf460172303c3cd4f37dc4642c12187cc62a6e72d2
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x8C3EA | Size: 19741 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_11_off0009126c.bin
c6194ae52b10adf9847048797a1da864588f7bb6e05370f7224efc78cc521f0e
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x9126C | Size: 13038 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_12_off00094611.bin
e0211dfa6eb94389df1b20d3cae9ec375a8b2f99a579a170b5f63b81100c196b
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x94611 | Size: 22113 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_13_off00099d29.bin
aae72c4bfb6757fe9912ece52c02d5bf78bae7377b906c3524cf46b9379a25eb
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x99D29 | Size: 17215 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_14_off0009ea6b.bin
c7b61990f840631653dc8ba1a782e7129ccbbcd02182fa262a284780b96f852b
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x9EA6B | Size: 46020 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_15_off000aa86e.bin
4d60ca76e45d72bbe158f88dcac6c3abefa46ef0b970a7367b1aba16e3119e00
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xAA86E | Size: 30241 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_16_off000ccc00.bin
282cbbe29c2f7c8f01ee68f73f19d6d36d2eebb54df15eb2b7887626418b7ee1
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xCCC00 | Size: 14887 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_17_off000e42c4.bin
309309159290a2d47bda7cc9793446b028cc6bbc4aff8fb3ba6848770765de78
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xE42C4 | Size: 11894 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_18_off000e7994.bin
44bdcd227e82040cb81cc0941e02d59bde92c56428a1f08eea0fac5916d32e3e
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xE7994 | Size: 24245 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_19_off000ee806.bin
5145440a14a9ccd7be8bb81befb1702c479935cddaf14de9fc460eca14edcc8c
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xEE806 | Size: 13233 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_20_off000f1d1c.bin
7ba4e4a53ba51830f37e79bc1139509150cb910959bb4d6a9fc94ed7ae31aee1
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xF1D1C | Size: 40747 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_21_off000fc5cb.bin
ef05ae20578025f78cd9dcfdfb54469f7f6370c363be94d07daee807626abb73
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xFC5CB | Size: 29674 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_22_off00104301.bin
e123384bbe781d1e9f804574f761fbfc2311082ab95b799f4f79b92c4a3d34e6
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x104301 | Size: 23690 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_23_off0010a98f.bin
143dfb9f958e49a14019cb3b876ebb1f8ebe0adc94e66d2ecd8afc2c1bc3a7b4
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x10A98F | Size: 27857 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_24_off001123a0.bin
44502b78aeba2906fcc17ae7e346af4f885001715a3ca9da10ce04ab4949207b
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x1123A0 | Size: 13811 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_25_off00115af8.bin
6ea781766a8ed1118a83be36f4edcd151eb4cb2cec54917a2e3a52d01d71110a
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x115AF8 | Size: 19461 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_26_off0011b1db.bin
38e507b1535cd5da7b8689500dea31486d520f1aa26a356097702907b8cf1cf6
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x11B1DB | Size: 37930 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_27_off0012c13c.bin
59dcee45142e34cc676ed7586ec28e064d2871340cf0bc3039fbba1f84e37a39
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x12C13C | Size: 41143 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 8.00, consistent with packed or encrypted content.
jbig2_28_off00157fb0.bin
34b70136da7a4d72e28dcdde18d89bcea046eedb1984b0d6ee72a5a6770eabf0
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x157FB0 | Size: 20290 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_29_off0015d057.bin
c76284e893eea04e6c74f53ecc19bb4d8f4e2675da33774464a9fa1c286c179d
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x15D057 | Size: 19122 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_30_off00161bc0.bin
2c5106aa1967a4b7094ada0ce1e81fd517a9f6c8e245d3881fc54c2df78c82d2
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x161BC0 | Size: 22778 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_31_off00167571.bin
25cd19ced23fb076692cbdf9b46807002b2241bc5a8f2571afde113744daa280
Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x167571 | Size: 26052 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.