MALICIOUS
Risk Score: 64
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
T1059.003 Windows Command Shell
The PDF file is encrypted and contains JavaScript, which is a common technique to obfuscate malicious content and bypass static analysis. The presence of JBIG2 encoded streams and the 'PDF_ENCRYPTED_WITH_JS' heuristic strongly suggest that the PDF is designed to deliver a secondary payload. The document body is unreadable, but the heuristics indicate a lure document, likely intended to trick the user into executing embedded malicious code.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3546
Heuristics 4
- Encrypted PDF carries /OpenAction — payload hidden from static analysis (severity: high, ID: PDF_ENCRYPTED_WITH_JS)
  PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JBIG2Decode filter (severity: medium, ID: PDF_JBIG2)
  JBIG2 image decoder present — historically used in zero-click exploits
- PDF paints image(s) but contains no text operators (severity: info, ID: PDF_IMAGE_ONLY_LURE)
  PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Suspicious extracted artifact (severity: info, ID: EXTRACTED_FILE_STATIC_TRIAGE)
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 32
Files carved from inside the sample during analysis.