Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e7d514c9893935c…

MALICIOUS

PDF

22.73 MB
MD5: 7cd3ce6527969cf028d84564b6047215 SHA-1: 98a085868e53f49fd3d19ce99ad0bf08e344ce3e SHA-256: 6e7d514c9893935c2db89eb893de3303e971b7461a2ca635025a9d1b9fb75e2d
138 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF is heavily obfuscated and encrypted, with heuristics indicating the presence of JavaScript and an /OpenAction trigger designed to hide the payload from static analysis. The ML classifier also flagged it as malicious. The combination of encryption, JavaScript, and obfuscation techniques suggests a deliberate attempt to conceal a malicious payload, likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6128

Heuristics 5

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • Unusually high stream count medium PDF_MANY_STREAMS
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 32

Files carved from inside the sample during analysis.

FilenameKindSourceSize
jbig2_00_off000193f8.bin
200028450b32c9a14ddd663693887922fb0ea841ef2e30412942034693943cd1		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x193F8 440 bytes
jbig2_01_off0001b3a7.bin
8d91234e6556843f86c3e08433b31e5badfc9e52f57a149363bf7c0510c3f839		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x1B3A7 373 bytes
jbig2_02_off0001e872.bin
b2fbb48ddb845708724c955c4ba558c0e0f1c12f24b0a84a5a20769dad84c491		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x1E872 2472 bytes
jbig2_03_off0001f2b7.bin
82a5e8ff3b7d8a3ea8fe4b18fa2be7358795e2e5d4f151fe9e49bbef8ea8053b		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x1F2B7 117 bytes
jbig2_04_off0001f3ca.bin
d5c59a2ef84c1c3522e644597d76a9a4c40675f1a7a3f54a1ee501a253637d44		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x1F3CA 687 bytes
jbig2_05_off0001f716.bin
9d86bfd0d4f18d9a329c8c2df50cc0deb2fbdec4a9ed9f7cf69a12207b474dc9		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x1F716 105 bytes
jbig2_06_off00023de1.bin
64d7127880454afe69f691837991e879672ac9b278604ea0b8f710b718ac9023		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x23DE1 448 bytes
jbig2_07_off0002bd6e.bin
007dd153866e0a09c01c0be618765fa1ed7927f8e1e0a2b215034e60354fd4c1		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x2BD6E 402 bytes
jbig2_08_off00031c41.bin
5985519c4b5c0b32e195b85a0685238b2adc963c598fdf4eb91d168e44f8937a		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x31C41 391 bytes
jbig2_09_off00031e65.bin
a6eefeab66e56b7265ad66007a3cc636eec8678bac81260ce0636cefa13a3814		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x31E65 178 bytes
jbig2_10_off00031fb6.bin
c44238a78f3191c1d81d67c232ef89940542cdd444a7e64deb023de5819ce055		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x31FB6 802 bytes
jbig2_11_off00032376.bin
b05c14f8437f2cbde41656cd078ca07bad79dc210159d535827ad0a1d36ccb40		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x32376 441 bytes
jbig2_12_off000325cd.bin
2a8a6dad720e88ecb115969b52d6a414c852f9fa421713ffe0d21eeace80a666		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x325CD 312 bytes
jbig2_13_off000327a4.bin
55776605c515501a3e093db714cab05c6da0afe531fc8767367e78cb40e54d9b		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x327A4 479 bytes
jbig2_14_off00032a20.bin
ea62badf0e9983e4fe19aa31039f31d5add8e2cb159f72c627ae4fdab5303424		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x32A20 158 bytes
jbig2_15_off000384a3.bin
b425ef29506eb49f0cf671c25acfad71fed4a37d9e2c644f9c7eb49d5c23e316		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x384A3 1054 bytes
jbig2_16_off0003895e.bin
3fb875b174ca8bc25f495ad496940e2093db15969805c544e8eae2ec220ad038		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x3895E 143 bytes
jbig2_17_off00038a8a.bin
f13b7df3c6d07d06363c25db30b94198d7ab9a5d492e0d6dbc86606d515dfd7e		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x38A8A 109 bytes
jbig2_18_off00038b94.bin
7ff713416d85f316cfe5ceec1895aad5539d7def21d4ab4b288ce770a74e439d		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x38B94 194 bytes
jbig2_19_off00038cf4.bin
2a795e13a810dba728cab2a85ffc92ffeb499eb373942880e5c4fbae513d1bbc		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x38CF4 371 bytes
jbig2_20_off00038f05.bin
8c01c1237f8655e5caa84d111c77314ebbcc0c4306d9f94204badf70b364d725		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x38F05 165 bytes
jbig2_21_off00039049.bin
7031538065c45a5e8b63b42aa230b149a8e4981fd4eb53ab74f660aebaaa641c		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x39049 795 bytes
jbig2_22_off00039402.bin
380e370399f5e588a345c88a83fe5fdf95e1d3d447c839ca2113a1dab0bcf021		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x39402 402 bytes
jbig2_23_off00039632.bin
c4e9fcdf3cc176034e3933a7c177be623101a3bd8512259882cc856192e32701		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x39632 279 bytes
jbig2_24_off000397e7.bin
7d2a5fc39a0c61c2f1af46e3ade769d706b00cd6714f7c3552958c8f02908437		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x397E7 385 bytes
jbig2_25_off00039a08.bin
9432898caff2bb8b481fcc322ebbd8f22d1b0b54fc12bd904e87233b393a1bf4		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x39A08 1619 bytes
jbig2_26_off0003a0fa.bin
358acdcc92f4ddc9f423732231e9ac5f076aed989c6e2590dba2405a181a795f		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x3A0FA 749 bytes
jbig2_27_off0003a487.bin
8f648d3a1a65b48ced3d27de4d43fbea92b1d64e4de91efcb6839a8409a7d923		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x3A487 1615 bytes
jbig2_28_off0003ab74.bin
fb381be50409b4f44b2eb44cf99688b10989c3fe2b2da05f515318cf7a51610b		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x3AB74 438 bytes
jbig2_29_off0003adc9.bin
5d3d98be4195187120e7fc2042c76e52f21b20e93367b1ea911e7dc0751ead27		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x3ADC9 551 bytes
jbig2_30_off0003b08d.bin
06f88f4ae9d7a88b771311ea925025898a4eb816cca8fec5550469f623c8c1cc		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x3B08D 198 bytes
jbig2_31_off000433f3.bin
136357776a64a2cf1f275127ef52fe9911e9b6145fd50b1e4cf7fd3dc73d008a		 pdf-jbig2-stream PDF JBIG2 stream at offset 0x433F3 492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.