Verdict: MALICIOUS
Risk Score: 86

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment
The primary heuristic indicates this PDF is designed as an advance-fee scam, employing common lures such as lotteries, prizes, and parcel delivery requirements. The high stream count and embedded JBIG2 streams suggest obfuscation techniques were used to hide the malicious content. No scripts were extracted, and all URLs were confirmed benign, limiting further analysis of execution vectors.
Machine Learning
- Nyx PDF Classifier clean score 0.0021
Heuristics (6)
- Advance-fee lottery/parcel scam lure (severity: high, SE_ADVANCE_FEE_SCAM_LURE): Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- JBIG2Decode filter (severity: medium, PDF_JBIG2): JBIG2 image decoder present — historically used in zero-click exploits.
- Unusually high stream count (severity: medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL): The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
- Suspicious extracted artifact (severity: info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (severity: info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/pdf/1.3/
  - http://ns.adobe.com/xap/1.0/mm/
Extracted artifacts (32)
Files carved from inside the sample during analysis. For every artifact with a detection block, ClamAV reported "No threats found" and the obfuscation-or-payload check reported "likely"; the report notes that carved artifact entropy of 7.99 to 8.00 is consistent with packed or encrypted content. No detection block is listed for jbig2_00.

| Filename | SHA-256 | Kind | Source | Size | ClamAV | Obfuscation or payload | Entropy |
|---|---|---|---|---|---|---|---|
| jbig2_00_off0001fdb3.bin | 3a30287acffad170e100848cb4712f705abfe473a7f2cdd71416bc9082174167 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1FDB3 | 3904 bytes | | | |
| jbig2_01_off0003736a.bin | d29bf5d3e626f0753e6b37c689d1cafebba0ce1460949b6719e5c69fc3cc7926 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3736A | 22452 bytes | No threats found | likely | 7.99 |
| jbig2_02_off000407e8.bin | fed0d1c442ca9ad1453d5281829c72622dc7a8da8394bbed0bfbd34966526ab8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x407E8 | 38738 bytes | No threats found | likely | 7.99 |
| jbig2_03_off00049fe2.bin | dc0a23b80ce36f9aa093331a843a8963b262d0193d7a7913687d98f2e1d9b4d6 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x49FE2 | 31107 bytes | No threats found | likely | 7.99 |
| jbig2_04_off0005366c.bin | bc543aad60d3ebfc66f845b203bcfc6594835e22d1cd65fd49ea888740496729 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5366C | 30850 bytes | No threats found | likely | 7.99 |
| jbig2_05_off0005af96.bin | 1fdebdf24c48169462d1043739ed4063738e438c7bfd569902df6ba3944a0d16 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5AF96 | 35212 bytes | No threats found | likely | 7.99 |
| jbig2_06_off00066cbe.bin | 8e90a3d1b1034487abf6188b49408bae1a7cea4f0fb28a7058d413a919f7fe9a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x66CBE | 35191 bytes | No threats found | likely | 7.99 |
| jbig2_07_off000732bd.bin | 5928769fa7ef5c64ad44ec33b902335e7ebd79c43643967b235119966cf36ec3 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x732BD | 24915 bytes | No threats found | likely | 7.99 |
| jbig2_08_off0007a364.bin | 2b3bc5187cbb4ad026628ab662cba24ccc5d27b6cdb665da1989e600321aabba | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x7A364 | 30137 bytes | No threats found | likely | 7.99 |
| jbig2_09_off00087368.bin | 3296118064f369fb28bcddd7b6eb8eae5492568b5275f89cc06aa8b6af3079f5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x87368 | 41914 bytes | No threats found | likely | 8.00 |
| jbig2_10_off000989f1.bin | 533eeea7fa7859526039f8f6869d3a6a9d4dad30109e8021cc8de6d7f6c850e6 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x989F1 | 34369 bytes | No threats found | likely | 7.99 |
| jbig2_11_off000a2f58.bin | ce4c77e31baf7b23723c8dbc0579c7e9838d084dcca06f71e5a421c9c699adbe | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA2F58 | 35854 bytes | No threats found | likely | 7.99 |
| jbig2_12_off000ac9c3.bin | cbd878112c39eb1d786d7b1d4a83caccdcc73122cc3d32715cc7dfbad6a8786e | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xAC9C3 | 30902 bytes | No threats found | likely | 7.99 |
| jbig2_13_off000b4fe7.bin | e0703499ac1558c4b5f5cc58041eca2d654805de58b8caa594432c5a11bef0a9 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB4FE7 | 31504 bytes | No threats found | likely | 7.99 |
| jbig2_14_off000bf6dc.bin | c34bab3b6c468402295a05b6b51ea26ce8b7e36c5eb515dc8e87f442621e618a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xBF6DC | 34949 bytes | No threats found | likely | 8.00 |
| jbig2_15_off000d36c9.bin | 70d007d9fc0b664a14da5005e23f17ae74e271a5c3777eb191443767d2298ce0 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xD36C9 | 29854 bytes | No threats found | likely | 7.99 |
| jbig2_16_off000db8b8.bin | e63204e13ae68cfeb44b71ff2c433fbdddfb888524dea7be36003962186f0c0b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xDB8B8 | 28816 bytes | No threats found | likely | 7.99 |
| jbig2_17_off000e5441.bin | e2c591a8f40848712444a5a4272f3127f9954f0ecefc52aedf05320d73db187b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE5441 | 13666 bytes | No threats found | likely | 7.99 |
| jbig2_18_off000e990d.bin | 9e7ebd598c75d139d1b599eaef021564eb9898ee629fac7dc5c48cb5b955fbc3 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE990D | 27767 bytes | No threats found | likely | 7.99 |
| jbig2_19_off000f2b52.bin | 3c77fa2e6c3a4e7ba56ff81c106f9551bb98ed00dc32683d783d712b8e6e576d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF2B52 | 18395 bytes | No threats found | likely | 7.99 |
| jbig2_20_off000f7fe7.bin | 3da3ff71a63513f62ea984d30b7812cc961ddb7f80c227fc9d85bee313b4772b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF7FE7 | 22849 bytes | No threats found | likely | 7.99 |
| jbig2_21_off000ff350.bin | 528f619e61535268f162a39ca21bc2033a4816331c0f90127841d545a7a08f09 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xFF350 | 30095 bytes | No threats found | likely | 7.99 |
| jbig2_22_off00109315.bin | a1934f28964dab7a111d978cd5c3e388c7721b1d46889d3c3bcc43ddeefa9a61 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x109315 | 20810 bytes | No threats found | likely | 7.99 |
| jbig2_23_off0010f2d1.bin | 26e7f8249f4498560da09dd395ec305dc8b3bb74fc58e86791576226c4a18c37 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x10F2D1 | 35362 bytes | No threats found | likely | 8.00 |
| jbig2_24_off00119466.bin | ee2e955b8dad58178e6a4208edff235b9f1140a9ffbdc5493382c6b3d03a9c13 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x119466 | 35731 bytes | No threats found | likely | 7.99 |
| jbig2_25_off001220a2.bin | 2129c577356bf4602b9b93b6166bb8fe6e1f399ab573d0de242bfeaab0bac706 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1220A2 | 22062 bytes | No threats found | likely | 7.99 |
| jbig2_26_off00127e55.bin | be288d787564daac3000e57ddccea56dd155927bd2aa32c63690c18513d3e30a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x127E55 | 20155 bytes | No threats found | likely | 7.99 |
| jbig2_27_off0012d441.bin | de256425d392e3a7d828ccc8d5cf6805976fc437f4d470b771d838cc00cce58c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x12D441 | 20835 bytes | No threats found | likely | 7.99 |
| jbig2_28_off00132e49.bin | adbc1bb5ef2afbabc142493ed21927b7dd5473d1e7463110bde83be8d30fe3c4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x132E49 | 22847 bytes | No threats found | likely | 7.99 |
| jbig2_29_off0013b6d0.bin | 2ca662ce631a8d05b7a971e5074ed1c11fed60ff489a622008f071b16c1351db | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x13B6D0 | 43642 bytes | No threats found | likely | 8.00 |
| jbig2_30_off0014bda2.bin | 69b062bdcd3160ca5869d2a1819583c1de845b0f598739b9967a4e7e0ed86455 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x14BDA2 | 42684 bytes | No threats found | likely | 7.99 |
| jbig2_31_off00156507.bin | 9309c26fbc871b0791a34bf70421649c301a11b75571147dfcf7a42e785b0c5d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x156507 | 30055 bytes | No threats found | likely | 7.99 |