Malicious PDF — malware analysis report

Static analysis result for SHA-256 2469e9867c9af95c…

MALICIOUS

PDF

Size: 20.2 KB
Authoring application: Aspose Ltd. (via Aspose.PDF for .NET 19.8)
First seen: 2021-02-18
MD5: a274bbc75b6639bbb436c7a38b2cba2c
SHA-1: d9f84c30dcaaf987fbb7ea0af3cae8e88f26ce4a
SHA-256: 2469e9867c9af95c004c6b08a257f72bafd5195e18c4643e874a2bc4b021b402
Risk Score: 160

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (8)

  • Malformed JPEG2000/JP2 box structure [high; CVE related] PDF_JP2_BOX_ANOMALY
    PDF embeds JPEG2000/JP2 data with malformed box sizes. This is a parser-exploit indicator for JPX/JPEG2000 CVE families, not a unique CVE fingerprint.
  • JPXDecode + active content — JPEG2000 CVE-family indicator [info; CVE related] PDF_JPX_CVE_2018_4990_RELATED
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • ClamAV: Win.Exploit.CVE_2018_4990-6599478-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Exploit.CVE_2018_4990-6599478-0
  • JavaScript action [low; 1 related finding] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_cff_off000040bd.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x40BD
    Size: 1578 bytes
    SHA-256: 3ad89875e6fb7800b92b2a7d51b20b4698616ec3f17bd584488b4745cd64e011