MALICIOUS
Risk Score: 82
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File: User Execution
T1566.002 Phishing: Spearphishing Attachment
The PDF file exhibits characteristics indicative of exploitation, specifically the presence of JPXDecode filter and a high stream count, which are associated with CVE-2018-4990. The embedded JBIG2 streams are also flagged as suspicious. While no scripts were extracted, the combination of these PDF-specific heuristics strongly suggests an exploit attempt to download and execute a secondary payload.
Machine Learning
- Nyx PDF Classifier clean score 0.2027
Heuristics 4
- JPXDecode + active content — JPEG2000 CVE-family indicator | high | PDF_JPX_CVE_2018_4990_RELATED
  PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
- JBIG2Decode filter | medium | PDF_JBIG2
  JBIG2 image decoder present — historically used in zero-click exploits
- Unusually high stream count | medium | PDF_MANY_STREAMS
  PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
- Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 32
Files carved from inside the sample during analysis.