Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ab5b7afae71827a…

Verdict: MALICIOUS
File type: PDF
Size: 703.4 KB
Authoring application: unreadable binary string (string objects in this document are encrypted; see PDF_ENCRYPTED below)
MD5: 20adb7b350baafcf18efad1c4bed8bc9
SHA-1: 2ded798ba234625de226caecfc4427fc86293ad5
SHA-256: 2ab5b7afae71827a1b8bec3f7cfac4816728095c43aa9671a6d4eca93f84b657
Risk score: 66

Malware Insights

MITRE ATT&CK: T1566.003 Spearphishing Attachment; T1204.002 Malicious Link

The PDF was identified as a high-severity advance-fee scam lure, indicating a fraudulent scheme involving a prize or parcel delivery. The document is encrypted and contains only images, a common tactic to obscure malicious content and bypass basic text analysis. Multiple JBIG2 streams were extracted, which can sometimes be used to embed malicious content or obfuscate the document's true nature.

Heuristics (5)

  • Advance-fee lottery/parcel scam lure [severity: high] SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • JBIG2Decode filter [severity: medium] PDF_JBIG2
    JBIG2 image decoder present; historically used in zero-click exploits.
  • Encrypted PDF (string and stream contents are opaque to static scan) [severity: info] PDF_ENCRYPTED
    PDF declares /Encrypt: string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • PDF paints image(s) but contains no text operators [severity: info] PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact [severity: info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (21)

Files carved from inside the sample during analysis.

All 21 artifacts are of kind pdf-jbig2-stream, each carved from a PDF JBIG2 stream at the offset listed below. Detection result for every artifact: ClamAV: No threats found; Obfuscation or payload: likely (carved artifact entropy, shown in the last column, is consistent with packed or encrypted content).

Filename                  SHA-256                                                           Offset   Size (bytes)  Entropy
------------------------  ----------------------------------------------------------------  -------  ------------  -------
jbig2_00_off00000d6d.bin  d5ea636cf68471df80e1834d115247c71ecd0df72258ae884467b50f900dae40  0xD6D    8265          7.97
jbig2_01_off00004535.bin  752ac0c601f4dbe5aa5b92a1541a5ad7409b62b2335b6156c25993a90eaf36a2  0x4535   26880         7.99
jbig2_02_off0000b88c.bin  f8c8d1282c7f440da5666788486a0223582f026b4f6e54ed4338a43bb00533d2  0xB88C   15199         7.99
jbig2_03_off00010ada.bin  f20e5d3878da7b9ce12fb1c1adff8fa149dd1acd846ed752d1ea0fed0fecdbd9  0x10ADA  27059         7.99
jbig2_04_off000187ef.bin  9d30e7ad24e6c8c4f85ddf1287359aeb20a680fcc27e88a9a2f0bfc6c8c89550  0x187EF  28139         7.99
jbig2_05_off00020e8e.bin  24fc6b223b2eddbaf8ea00cba140d08a50ffc8d857f201f0b75df4eeb85940b7  0x20E8E  35661         7.99
jbig2_06_off0002b2d5.bin  123936d76423aa8cb788a2a83c487b580f3a17dd01d046ac641e812574bc0fd8  0x2B2D5  39351         8.00
jbig2_07_off00036192.bin  35f466d39285f250985d45bf69be747897db6fc52f4ebdc703ebaae926bda2bd  0x36192  29629         7.99
jbig2_08_off0003ef38.bin  00f646d180ee97a28239beb361ad51c38e5f127df1d846d787a9245a027df95c  0x3EF38  39719         8.00
jbig2_09_off00049fd5.bin  c7e7369cc8b6eef525876de9ab337e31fa8c41d7e80762f900088916175385e6  0x49FD5  32086         7.99
jbig2_10_off0005323b.bin  33ff0dfdb72f46fdd61fd53b9834c5114a57e37dfa4cde2cc480ddedee25f09b  0x5323B  26509         7.99
jbig2_11_off0005af09.bin  65b7e97b8bf6dfe1a0e4a5920b5717b658a55a4790e7812b38718517b5176484  0x5AF09  27964         7.99
jbig2_12_off000633a0.bin  78f8125980d3ba963419be9b51aa87ef3ebbefff097c1a1fd4bfafc3a1f3a9ad  0x633A0  36606         8.00
jbig2_13_off0006da1c.bin  ba27fd745cfd8200a0da5ee564d7c07ee739c0cc5868591d393377a809603e46  0x6DA1C  30936         7.99
jbig2_14_off00076c25.bin  5df67038bbd631223ba94b6acd694e12cd9b917b1ce3ecbffdbc5e2914e47233  0x76C25  42922         8.00
jbig2_15_off000824fe.bin  668df65253d72f35d22c146d50de5b1e9c928aea3e37ffc2583780a34f076953  0x824FE  28603         7.99
jbig2_16_off00089f54.bin  22179745ef2f54104071b12b891e2590ac8262feababf6aca212d1b13705f94b  0x89F54  18681         7.99
jbig2_17_off0008f6a1.bin  caa0a28b84d54d19e46c621c04ade098057533b875999c984abf2d8d82402e13  0x8F6A1  25557         7.99
jbig2_18_off000967dc.bin  4a09a35964e5227b079100dac9aef6379c5a64baf20119818c607b690b76ef97  0x967DC  26954         7.99
jbig2_19_off0009dbc2.bin  6dcf3c7e5b3f93ed783661b39050bd7a3d4d22968c8ad3db628215df8a9feb80  0x9DBC2  19372         7.99
jbig2_20_off000a2ce5.bin  1e09fd3c5af7ccbe7fe4abcaa8980ff72fa12275affef8c9d8ef41601cfaecae  0xA2CE5  8305          7.98