PDF malware analysis — malicious · 6271260b37910c23

MALICIOUS

PDF

6.32 MB Created: òo=²W®¢ö@s5ëûÕ^ Authoring application: ÷1`KËÃQÝþó±Xu( (via ÷1`KËÃQÝþó±Xu(û×Nµ©3¸EyÐ#Lo+¦)

MD5: 0a2ee80e202372d5b77321c933186d2e SHA-1: 6c7ba1bb605616d0e44bbb06a37381f22ded1907 SHA-256: 6271260b37910c2323b53d2057da27d4b9a2cc394ed53b449d2cfcc1126a40ff

132 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1055.001 Process Injection T1140 Deobfuscate/Decode Files or Information

This PDF sample is heavily obfuscated and encrypted, with its malicious payload hidden via an /OpenAction. The presence of numerous streams and JBIG2 encoded images suggests an attempt to conceal malicious content. The ML classifier also flagged this as malicious. The exact nature of the payload is obscured, but the techniques used indicate a downloader or exploit delivery mechanism.

Machine Learning

Nyx PDF Classifier malicious score 0.6695

Heuristics 5

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JBIG2Decode filter medium PDF_JBIG2

JBIG2 image decoder present — historically used in zero-click exploits
Unusually high stream count medium PDF_MANY_STREAMS

PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 32

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`jbig2_00_off0000f333.bin` `a040a2c5b7a73252faedd51284b447a0f1c08d5e4ee0eccbc83909f5974fb61e`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xF333	12398 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_01_off00014838.bin` `b11431c2f34b837fdd5df036bf742d3b145d25a5014094361104a0280221df4f`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x14838	4134 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.95, consistent with packed or encrypted content.
`jbig2_02_off00018173.bin` `0a67e25e810a335232e4bed7b764c43d56728854c25b883587b93088c65f3c0d`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x18173	5117 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.96, consistent with packed or encrypted content.
`jbig2_03_off0001bd1a.bin` `f930cb3611227afbba91e74e5de7717d2de96e398f89d6e221ddf1f7e62c95d6`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x1BD1A	6889 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.97, consistent with packed or encrypted content.
`jbig2_04_off0002040a.bin` `44c9b90dc25129b0cb3bd84987a95c2212a2774fbb6ebf90f29551f50cd21815`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x2040A	6782 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.97, consistent with packed or encrypted content.
`jbig2_05_off00024900.bin` `db410d661b89075e8e934a826ee0fc24ee273144e8a4cecd02e1aeda37c10517`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x24900	5482 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.97, consistent with packed or encrypted content.
`jbig2_06_off00028786.bin` `6e5999272d37fe2342affa02906e07800493372390473673309e1c4e7a06ec3d`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x28786	7542 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.97, consistent with packed or encrypted content.
`jbig2_07_off0002ca2b.bin` `820987559d180e664c8593bb5a9046d156d55b14fe035b9d19bce91c5fdc6a06`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x2CA2B	3670 bytes
`jbig2_08_off0002f9d6.bin` `2c530dbc5c502c5e476a6ccd6ee06f55f3808287a545817e953997d30e8b28e9`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x2F9D6	2552 bytes
`jbig2_09_off000330fd.bin` `463e5e86600139b325c7ca296580df6f0bd8cc3ec26ece60b62303d2a352d0e3`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x330FD	8143 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_10_off00038404.bin` `fe3255f28afbcdf7b1d984967fb73b5ac654b4b91830f4bd7b79c17cec38b1f2`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x38404	9577 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_11_off0003daac.bin` `757da34308392f02211baa76da34f25523999b200f75bc33e37aea46285c4fcd`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x3DAAC	8913 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_12_off00043215.bin` `89910f2b927c67ff2db7c9bdc3b36b0557d6a0be014b7d07d9032d589f796686`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x43215	11051 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_13_off00049002.bin` `38ba21777f91978762832e448b94dd8e5477adfe131aede6c05475ca85c23946`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x49002	9903 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_14_off0004ed38.bin` `d109bbab924eb03a4457e5f665a1fba2b5209f50d955ec2bd36f47b108176711`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x4ED38	10770 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_15_off00054afc.bin` `b21ed670339ed264aeb7adc2b2e0c9881951bf856e601943bac3e0539c493572`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x54AFC	10466 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_16_off000596f7.bin` `2424993195486815615cc2e72e98b86cd810457279c99a25bad6987ce708c6a0`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x596F7	3441 bytes
`jbig2_17_off0005d164.bin` `d712d4e8c19815818ee043aedfbccc040ff55b00ae89ae7b42e16df2c200c3b7`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x5D164	8124 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_18_off00065c69.bin` `502f6c05a9d0e1df8fc9638f78772f91e813adfe479a38ef21dac125761e45d7`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x65C69	22360 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_19_off0007201b.bin` `04707a58ec227ef1e1ded247fa7e5f9d9958772daa497e041be260db25c79caa`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x7201B	22754 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_20_off0007ac8a.bin` `385db43ff5ff330b2b9326b5b3905b18477ad53378f3d6cee978d30a9be648bc`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x7AC8A	9149 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_21_off0007fb18.bin` `3ce66797938cdf9cd8d8f69d6089c18940c83d1e735bb043fbf43169b515bac4`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x7FB18	8159 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_22_off00084a6b.bin` `8ec3dd744e358d3467e5f8bf5e4a068425684cd43dc61e7ef6c4df62bf7595d0`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x84A6B	7896 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_23_off0008c482.bin` `69f19595d6e02a8e59c03f178c4b9b7d9c688857a870cd07c82e3aa2e8171422`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x8C482	14517 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_24_off00095b90.bin` `dbb4a0121f9115bf53fe57ddbbf81c02a83d119ba88ad5c909ee839d37c41af2`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x95B90	24123 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_25_off000a0348.bin` `8a5fab682839145cbfb4765d4fe4542dd21e7fc3a2fb0fbc1b2e3bb0b226f6dc`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xA0348	23140 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_26_off000ac48b.bin` `3ba1f633f03562b652a6572bec658db36c5091f96ca97ee457f188629e3e6b40`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xAC48B	34003 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_27_off000bd069.bin` `b825dcf422c9fb92553e9b52c5abf1ac9c53f1ad47055da382fe68a219eb86d0`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xBD069	20602 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_28_off000c5cce.bin` `bee3dec4f9aacf5fc7b29979af7e021ef9e7d18749eb309845c5371e9a7173d8`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xC5CCE	14426 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`jbig2_29_off000cc186.bin` `b090217e66eb8729de5fcd8d5a96bfbb96f29c3ecbb886b374c8650e1aa5d27c`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xCC186	12414 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_30_off000d22cc.bin` `a3c9064372e80af18b093583b8fa5dee5cb89b5f07aec8e32d5be1ba8fdf4937`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xD22CC	9026 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`jbig2_31_off000da1c5.bin` `260c031d81e59af481e1e2fd95557deca0752bea3245f5826f531ba8a1122fbe`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0xDA1C5	23232 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.