Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cf28c008f63e82d…

MALICIOUS

PDF

Size: 7.21 MB
Created: 2007-02-25 12:35:50 +03:00
Authoring application: Adobe Acrobat 7.0 (via Adobe Acrobat 7.0 Image Conversion Plug-in)
MD5: e220efe11915c32d3c0a5bb65d16e223
SHA-1: 8c5b66e6eabd04b94a5e5ade06a8d3a34b88bac4
SHA-256: 4cf28c008f63e82d6313196836993a6db2ed70f24526d71931eaf13ad484b2d6
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF file exhibits characteristics of a malicious document, including a high stream count and the use of JBIG2 encoding for embedded images, which can be used for obfuscation. The ML classifier also flagged this PDF as malicious. While no specific malicious URLs or scripts were directly extracted, the PDF structure and heuristics suggest it's designed to deliver a payload, likely through the embedded images or a launch action. The benign URLs present are standard PDF metadata namespaces.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7541

Heuristics (6)

  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • Launch action low PDF_LAUNCH
    PDF contains a /Launch action; all filespec targets are document files (cross-PDF navigation pattern, common in multi-part document bundles)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Each entry lists: Filename | SHA-256 | Kind | Source | Size | Detection
jbig2_00_off00000ae4.bin
2cae6da612fab0a66abe6c27fb25b6fbcba22093fc663b706d2cc53a3610e45e
pdf-jbig2-stream PDF JBIG2 stream at offset 0xAE4 16320 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_01_off00004ff2.bin
1502da472ea9ef1ef1fc905d3eef8fa0c1942c74bd15acd4db76291cec7d63af
pdf-jbig2-stream PDF JBIG2 stream at offset 0x4FF2 16879 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_02_off00009403.bin
a29ed76ce6185d0f51eae4f3a4dee841dae9115589a06034a2f36f931a552240
pdf-jbig2-stream PDF JBIG2 stream at offset 0x9403 15173 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_03_off0000d16b.bin
cfa87fae4c9c3f09c824b12803d42244703d7d0ad390ba54e1e49f8471aa7d7b
pdf-jbig2-stream PDF JBIG2 stream at offset 0xD16B 12556 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_04_off0001049e.bin
093bedd6db68e22719b9202684c7f25545e089bfa268f15851ea20cafbff9cc1
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1049E 16771 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_05_off00014846.bin
16e5747cb5ab1f45897161a5f12a9e6254d5a45997cf80938a4837749efcea95
pdf-jbig2-stream PDF JBIG2 stream at offset 0x14846 14464 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_06_off000182ee.bin
16b9442dcf461511ba08e87cfdd8202c967dd0bc9081c4a64bcf89910d4378bc
pdf-jbig2-stream PDF JBIG2 stream at offset 0x182EE 15317 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_07_off0001c0e9.bin
b20093f1f4caa110732d6cf32ccdcb3546ae8f5ae255c8c7ec20686f64d20bd0
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1C0E9 15265 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_08_off0001feb0.bin
4a83d8b5b27a4c9233bfb742b7fc48834c8792581b136b7bf1f1086811ebe829
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1FEB0 16950 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_09_off0002430f.bin
ac7afb6a66871664c63f12bb994bd2813b8df4c88c1a5d13fd9816bf35f8122b
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2430F 12599 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_10_off00027670.bin
45e30a7f876b6d8098f6af84090c2f0653897820521ebbdad22153b26b91c327
pdf-jbig2-stream PDF JBIG2 stream at offset 0x27670 17990 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_11_off0002bedd.bin
d0a9c124ccad8b8a500a4ed99230db0c07e669ce089b50568a9fd98050b54926
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2BEDD 13564 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_12_off0002f602.bin
392d5d3504eefb3d9ac544bccf5fe3a1a1a67f6b819f85c7289eb4af2645ddca
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2F602 14991 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_13_off000332ba.bin
2a215e2f784f6e0ebcb87838c626119281132d386d4c20d4b40716b6081a134c
pdf-jbig2-stream PDF JBIG2 stream at offset 0x332BA 13862 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_14_off00036b09.bin
ada5857c20e0f20c1b688f7de563aa2a3cc44f1eb8d68977e3b43885e38c4a8f
pdf-jbig2-stream PDF JBIG2 stream at offset 0x36B09 18024 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_15_off0003b39a.bin
c235f3c3c12ee1258c93dff42b7ad4843754235c6abf5044535da6be5752f41e
pdf-jbig2-stream PDF JBIG2 stream at offset 0x3B39A 16264 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_16_off0003f547.bin
321bcf2b687bd9bb15e9f0d4b2d15311dd0a0c2bde48a7e42a623b93266c4157
pdf-jbig2-stream PDF JBIG2 stream at offset 0x3F547 17020 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_17_off000439eb.bin
27b5447c6f51916b36154e892627679b6f6aacba812b3aea8f1ab96b46e8fd00
pdf-jbig2-stream PDF JBIG2 stream at offset 0x439EB 17850 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_18_off000481cb.bin
bc94ad2295757acf63b3eb2fac74c05d5a75c991d4645c3b014182e7b7679129
pdf-jbig2-stream PDF JBIG2 stream at offset 0x481CB 14883 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_19_off0004be14.bin
1834595f8e0678366aade79d36309421d6f67d988864dab18e6293d0d1d72cdf
pdf-jbig2-stream PDF JBIG2 stream at offset 0x4BE14 17521 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_20_off000504ae.bin
741e8d0c3336632a739aeded4f07cd0772df915900f026aab9153b5080c0e534
pdf-jbig2-stream PDF JBIG2 stream at offset 0x504AE 17478 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_21_off00054b1e.bin
39905a96576cc9d9e0052a8fa3a8a6794e9fbaae360cd1558942f159b60cec7d
pdf-jbig2-stream PDF JBIG2 stream at offset 0x54B1E 19088 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_22_off000597d5.bin
a5f42a5a2c2d5b24982bce5a480d6ab04189f2cdf4da55aa1459b1d97284d6e8
pdf-jbig2-stream PDF JBIG2 stream at offset 0x597D5 17347 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_23_off0005ddbe.bin
889c3d2d0d71536b1a1590aa9ff44f704afc6594f0efd3d4804ae91d8aef526e
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5DDBE 18538 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_24_off0006284e.bin
408cfadce44c3073b1423c5bc23e6040a63121686bc48a2d5ad9b152ae069f4c
pdf-jbig2-stream PDF JBIG2 stream at offset 0x6284E 20671 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_25_off00067b37.bin
ee209784e77e7a0a08d23f73aefb93826931fc5677dbb23537c89cd409959d5b
pdf-jbig2-stream PDF JBIG2 stream at offset 0x67B37 17840 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_26_off0006c311.bin
8944f385b94ff38bce19d0bd30559b34a4a8a704c0026527ce352c07b7324ae9
pdf-jbig2-stream PDF JBIG2 stream at offset 0x6C311 15815 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_27_off00070301.bin
aba473e72f3a66514ca5d28ce0604954e8a8218e49afa5ac3adfe8a0499be678
pdf-jbig2-stream PDF JBIG2 stream at offset 0x70301 13862 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_28_off00073b48.bin
0293a12de2ad66946d0c04bcc0a3280efbe39d2d82f696f11b1ae2b5358ee4dc
pdf-jbig2-stream PDF JBIG2 stream at offset 0x73B48 12907 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_29_off00076fd4.bin
277bb9379b798f463fa2ad95edebecaf6cc4b88464fd5e2f0b69909018a547a8
pdf-jbig2-stream PDF JBIG2 stream at offset 0x76FD4 13770 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_30_off0007a7c8.bin
4f7509ef60b29f5ac853e0dcba7622abe54a86cf41529e8526032ea1eec2ba9f
pdf-jbig2-stream PDF JBIG2 stream at offset 0x7A7C8 15294 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_31_off0007e5b0.bin
12342eace62a51edb55be9173a3e72550bdc343b8ec51614b574165adcca042d
pdf-jbig2-stream PDF JBIG2 stream at offset 0x7E5B0 17822 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.