Verdict: MALICIOUS
Risk Score: 92
Malware Insights
MITRE ATT&CK
T1566.003 Phishing: Spearphishing Attachment
T1204.002 Malicious File: Malicious PDF
The file is a PDF document identified as malicious. The presence of a JBIG2Decode filter, combined with an indirect object that is defined twice with different bodies, suggests an attempt to exploit PDF parsing vulnerabilities. No specific exploit code or payload delivery mechanism was directly extracted, but the combination of heuristics points towards a malicious PDF designed to exploit a viewer vulnerability. The file hash is provided as the primary IOC.
Machine Learning
- Nyx PDF Classifier: clean score 0.0005
Heuristics (2)
- JBIG2Decode filter (severity: medium, PDF_JBIG2): JBIG2 image decoder present — historically used in zero-click exploits.
- Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Extracted artifacts (3)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| jbig2_00_off0000dd33.bin | c790e8e2bb83e76dfe0c398fd0ba4d235926337a76982aad0c7a31a72f51cd25 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xDD33 | 402 bytes |
| font_00_cff_off00006626.bin | 22ae70d0281ea773514fa0d6535678c16c49d8ca191aa9607f4639c40b808da4 | pdf-font-stream | PDF embedded font (cff) at offset 0x6626 | 39460 bytes |
| font_01_sfnt_off0000e627.bin | 222dee56e2b6e0e2c382e8d0c623fe433f89c69fb5aad0ebc8cb41ae900cede3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE627 | 15452 bytes |