Malicious PDF — malware analysis report

Static analysis result for SHA-256 56ae773b36b51fec…

Verdict: MALICIOUS
File type: PDF
Size: 944.7 KB
Created: (metadata string not decodable; raw bytes are non-printable)
Authoring application: (metadata string not decodable; raw bytes are non-printable)
MD5: 05e373e4e00d52c742c116d363d7517e
SHA-1: d5b47b429a012dc277f3ce9ee47f6b9004698275
SHA-256: 56ae773b36b51fece813a21add7329d65491159fbb6efeb6a2e9b7db6b0e5b3d
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

This PDF file is flagged as malicious due to the presence of embedded JavaScript and encryption, which are used to conceal its true payload. The PDF also contains images but no readable text, suggesting a lure to trick the user into interacting with the document. The embedded JavaScript and encrypted content indicate an attempt to obfuscate malicious activity, likely for initial access or to download a second-stage payload.

Heuristics (6)

  • [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /OpenAction — payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • [medium] PDF_JBIG2: JBIG2Decode filter
    JBIG2 image decoder present — historically used in zero-click exploits.
  • [medium] PDF_IMAGE_ONLY_LURE: PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_OPTIONAL_CONTENT: Optional Content Group with action trigger
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (30)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size, Detection, Obfuscation or payload

jbig2_00_off000022c9.bin
  SHA-256: 949eeb86270faae01a7d4b661de569e8d4dc84096777d0d8f2810819aa3bb9bd
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x22C9 | Size: 16789 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_01_off000340b0.bin
  SHA-256: 0695bc4476e738d19588a67fce50d70ddaade788c133c6a8afdcb416d6a67e1c
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x340B0 | Size: 19980 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_02_off0003a039.bin
  SHA-256: c1dc8c71de4fc1a23799f617a2111b92708b4abd9e0d25a44c054721e6e45c9f
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x3A039 | Size: 19782 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_03_off0004016d.bin
  SHA-256: 106e1f29219d9b5c4dc36c0a614e891f7b2a11007eb08b633f8df217894724cd
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x4016D | Size: 20174 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_04_off00046252.bin
  SHA-256: aebbfaea2b74aeadcb9740f3396f0c34341feeb3a88f4354e6f5447b38abbc3e
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x46252 | Size: 19383 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_05_off0004c30b.bin
  SHA-256: 46161f676d1c9ff2017fc4bb628058d1c1f42d7175b7a54036abf06d4a06c4aa
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x4C30B | Size: 21651 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_06_off0005324b.bin
  SHA-256: c0edb31cd191acaf6fc29820ee613c782538277df633986056c41a720867d09d
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x5324B | Size: 21915 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_07_off00059bdb.bin
  SHA-256: 46a4d031797c40ad5ab14b5667854cd33a94a39963eec9261c547c07cd98c2ca
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x59BDB | Size: 19662 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_08_off0006004d.bin
  SHA-256: 57b4f13d7d75e224440804f5b5be2b4b3786663e9f23e2f31765e95f2091d5a1
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x6004D | Size: 21946 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_09_off00066a77.bin
  SHA-256: ffbc89f0969918b637a0a0ba33b6871a2d7832b6759ddc4370b374875a4966e3
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x66A77 | Size: 20881 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_10_off0006cc88.bin
  SHA-256: 802f0ea302a00eba27ed0a4b0bd675cbc0e93221b769284f492f62488416f55d
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x6CC88 | Size: 18554 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_11_off000726b7.bin
  SHA-256: edc11ca3f18939c3b519207ee32eacba1b0133771b6d03785d62b864acd47af4
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x726B7 | Size: 20476 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_12_off00079417.bin
  SHA-256: eeb1c34725cd81fcdc8a32d644a69520c5ddd1349b4280796925cf95b4ea1246
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x79417 | Size: 24638 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_13_off000807a5.bin
  SHA-256: 23aed8883cda10e806ca7e9e90de69d9b544080d42c0bb6418bca33e10ccf857
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x807A5 | Size: 19950 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_14_off00086ca3.bin
  SHA-256: fd754ff298c130cecc3e21bf5169c90a7f2977680cd6a083c260adda168c97cb
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x86CA3 | Size: 21371 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_15_off0008d084.bin
  SHA-256: 31c7a40f0dffb38ce0718f3760164521c3004939c024876b03f41a4b8e0b5c0a
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x8D084 | Size: 18382 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_16_off00092b29.bin
  SHA-256: 11dcb2378fe26bd0a0d26ea7d57523ed8ab8faa65cc932e8672311edb0677d7b
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x92B29 | Size: 21107 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_17_off000999be.bin
  SHA-256: 9fc0853d51f219a23a61909a043ed7d00965ad142fd9995669975f02cc7c7e66
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0x999BE | Size: 21538 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_18_off000a027c.bin
  SHA-256: c2d7d3a40c368919d9826ea66949ebd37b6ea339a04d3e63a4fc5b981c369504
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xA027C | Size: 20291 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_19_off000a6657.bin
  SHA-256: 1c493a34a7106aa2eb9a0c609534b07f0f5996359416baf32326a54961e0ae8f
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xA6657 | Size: 20127 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_20_off000ac394.bin
  SHA-256: 60135ed4bda928aa8895607cfcb66f0a6a80d551da775fdf0b768c6bc525de77
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xAC394 | Size: 18518 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_21_off000b206d.bin
  SHA-256: c16bbeedd46b270bf8f53f67cc98a3d68ccb602a789ae05cc1081e97d294a450
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xB206D | Size: 21398 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_22_off000b8bf2.bin
  SHA-256: bcf3094577fa1be6ad13e4ad34e482f37148c2658748adf2db6299ed5c481566
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xB8BF2 | Size: 21543 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_23_off000bf0eb.bin
  SHA-256: 62917983e410c5622fe54256220dd2d91ee59257e701d1b6930c8e7056c641f8
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xBF0EB | Size: 18759 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_24_off000c4db5.bin
  SHA-256: 0ffb3131585030fdd9066a1b50dd5b029151d23bd7b77ca7d08e7803f2cf1dda
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xC4DB5 | Size: 19878 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_25_off000cb078.bin
  SHA-256: 93f644efc91974104e733e9c2ecb624f0ac2c8d2fbec5b79b94e921dac82aec5
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xCB078 | Size: 20085 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_26_off000d1244.bin
  SHA-256: ca12a150ef4615c0f449ae4624dc991bf6e94816d0ff11d87e766378b52e7bc8
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xD1244 | Size: 20275 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_27_off000d72f6.bin
  SHA-256: f1aaab0059ac3bb889599fcd3848575e9ec58a90344c309650782641463da75f
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xD72F6 | Size: 20766 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_28_off000dd721.bin
  SHA-256: 000b4df0451a1b6487a4d0719d19af28d4058762976719de3b74e200db03e80d
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xDD721 | Size: 21068 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)

jbig2_29_off000e33f2.bin
  SHA-256: c7d774577f64193d6ea5f2cb71c70f3d306581738add472af870c7fe1378df5b
  Kind: pdf-jbig2-stream | Source: PDF JBIG2 stream at offset 0xE33F2 | Size: 10778 bytes
  Detection: ClamAV: No threats found | Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content)