Malicious PDF — malware analysis report

Static analysis result for SHA-256 973acfbd7a8702fa…

MALICIOUS

PDF

5.08 MB. Created: [unreadable: the Info dictionary strings are encrypted, consistent with the /Encrypt finding below] Authoring application: [unreadable, encrypted string] (via [unreadable, encrypted string])
MD5: d3490888fdf48a6278f150a5b1b1861c SHA-1: c4a0bffd21d6967d62baa97baf474a18e2db2ddc SHA-256: 973acfbd7a8702fa9294dc4bb3b7635091dfaf287c373ed88516ebee317913e1
Risk score: 132

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF declares /Encrypt and also carries an /OpenAction trigger together with embedded JavaScript (/JS), so the script that runs on open is hidden from static inspection. The /JPXDecode filter appearing alongside active content matches the delivery pattern of the Adobe Reader JPEG2000 parser exploit family (CVE-2018-4990), and the /JBIG2Decode streams together with an unusually high stream count (501+) are consistent with heap spraying or obfuscation; none of these indicators proves a specific exploit primitive. Because the body is unreadable without decryption, the verdict rests on these structural heuristics rather than on an analysed payload. Two caveats: the T1059.001 (PowerShell) ATT&CK mapping above is not backed by any artifact in this report, since no PowerShell content was recovered; and weaponised encrypted PDFs almost always use an empty user password (otherwise the victim's reader could not open them unprompted), so running `qpdf --decrypt sample.pdf decrypted.pdf` is the obvious next step before concluding the JavaScript cannot be inspected.

Heuristics 7

  • JPXDecode + active content: JPEG2000 CVE-family indicator (severity: high; rule: PDF_JPX_CVE_2018_4990_RELATED)
    PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
  • Encrypted PDF carries /OpenAction: payload hidden from static analysis (severity: high; rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides string and stream contents, including the JavaScript body, from static scanners, while dictionary names such as /OpenAction and /JS remain in cleartext and are what these rules match. Combined with auto-execution indicators this is a known evasion pattern for delivering weaponised JavaScript that cannot be inspected without the decryption key. In practice the user password is usually empty, so decryption with an empty password should be attempted before treating the payload as unrecoverable.
  • JBIG2Decode filter (severity: medium; rule: PDF_JBIG2)
    JBIG2 image decoder present; JBIG2 parsers have historically been the target of zero-click exploits.
  • Unusually high stream count (severity: medium; rule: PDF_MANY_STREAMS)
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info; rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. In this report the only per-artifact findings listed are entropy measurements on the carved JBIG2 streams.
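As an added example (this is not the report tool's own code), the following standard-library Python script re-implements the rule logic the heuristics above describe and runs it over a PDF constructed inline: cleartext name scanning (which still works on an /Encrypt-protected file because only strings and stream bodies are encrypted), stream enumeration using the report's carve-name convention, the combination rules, the image-only-lure check on decoded content streams, and per-stream Shannon entropy. The rule tags are taken from the report; the regexes, function names and the sample PDF are assumptions made here. The sample's /Encrypt entry is a bare name (nothing is actually encrypted) and its "JBIG2" stream is SHA-256 filler bytes, not an image and not an exploit.

```python
# Static PDF triage reproducing the report's heuristics. Added example, not the
# analysis tool's code; rule tags from the report, everything else assumed here.
import hashlib
import math
import re
import zlib
from collections import Counter

# PDF names stay in cleartext in an encrypted document; /Encrypt only protects
# strings and stream bodies. That is why name scans still fire on encrypted PDFs.
NAME_RULES = [
    (rb"/Encrypt\b", "PDF_ENCRYPTED"),
    (rb"/OpenAction\b", "PDF_OPENACTION"),
    (rb"/JS\b", "PDF_JS"),
    (rb"/JavaScript\b", "PDF_JS"),
    (rb"/JBIG2Decode\b", "PDF_JBIG2"),
    (rb"/JPXDecode\b", "PDF_JPX"),
    (rb"/XFA\b", "PDF_XFA"),
    (rb"/RichMedia\b", "PDF_RICHMEDIA"),
]
# "N G obj << ... >> stream ... endstream"; no xref walk, so objects packed in /ObjStm are missed
OBJ_STREAM = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_OPS = re.compile(rb"\bBT\b|\bET\b|\bTj\b|\bTJ\b")  # text-emitting operators


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0. Ciphertext, packed data and arithmetic-coded images
    (JBIG2, JPEG2000) all sit near 8, so 7.99 on its own is not evidence of a payload."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def triage(pdf: bytes) -> dict:
    hits = {tag for pat, tag in NAME_RULES if re.search(pat, pdf)}
    streams = []
    for m in OBJ_STREAM.finditer(pdf):
        num, _gen, dictionary, body = m.groups()
        try:
            decoded = zlib.decompress(body)  # FlateDecode; any other filter is kept raw
        except zlib.error:
            decoded = body
        rec = {
            "obj": int(num), "offset": m.start(4), "size": len(body), "decoded": decoded,
            "image": re.search(rb"/Subtype\s*/Image\b", dictionary) is not None,
            "jbig2": b"/JBIG2Decode" in dictionary, "jpx": b"/JPXDecode" in dictionary,
            "entropy": round(shannon_entropy(body), 2),
        }
        if rec["jbig2"]:  # same naming scheme as the report's carved artifacts
            rec["carve_name"] = "jbig2_%02d_off%08x.bin" % (sum(s["jbig2"] for s in streams), rec["offset"])
        streams.append(rec)
    # Combination rules as described in the heuristics section
    if len(streams) > 500:
        hits.add("PDF_MANY_STREAMS")
    if {"PDF_ENCRYPTED", "PDF_OPENACTION"} <= hits:
        hits.add("PDF_ENCRYPTED_WITH_JS")
    if "PDF_JPX" in hits and hits & {"PDF_JS", "PDF_XFA", "PDF_RICHMEDIA"}:
        hits.add("PDF_JPX_CVE_2018_4990_RELATED")
    images = sum(s["image"] for s in streams)
    # Image-only lure: images painted but no text operator in any decoded content stream
    if images and not any(TEXT_OPS.search(s["decoded"]) for s in streams if not s["image"]):
        hits.add("PDF_IMAGE_ONLY_LURE")
    return {"hits": sorted(hits), "stream_count": len(streams), "images": images, "streams": streams}


def build_sample_pdf() -> bytes:
    """Constructed sample: /OpenAction -> JavaScript, /Encrypt in the trailer, a Flate
    content stream that only paints an image, and a 'JBIG2' image made of filler bytes."""
    filler, seed = b"", b"jbig2-filler"
    while len(filler) < 4096:
        seed = hashlib.sha256(seed).digest()
        filler += seed
    content = zlib.compress(b"q 200 0 0 200 0 0 cm /Im0 Do Q")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R "
        b"/Resources << /XObject << /Im0 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 64 /Height 64 /ColorSpace /DeviceGray "
        b"/BitsPerComponent 1 /Filter /JBIG2Decode /Length %d >>\nstream\n" % len(filler)
        + filler + b"\nendstream",
    ]
    out, offsets = b"%PDF-1.7\n", []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    # /Encrypt 6 0 R is deliberately dangling: only the name matters for this demo
    out += b"trailer\n<< /Size %d /Root 1 0 R /Encrypt 6 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out
```

Calling `triage(build_sample_pdf())` returns the hits PDF_ENCRYPTED, PDF_ENCRYPTED_WITH_JS, PDF_IMAGE_ONLY_LURE, PDF_JBIG2, PDF_JS and PDF_OPENACTION, two streams, one image XObject, and a carve name of the form jbig2_00_off... for the JBIG2 stream, whose filler body scores above 7.8 bits per byte despite containing no payload at all, which is exactly why the entropy finding needs the decryption step before it means anything. Against a real sample, read the file with `open(path, "rb").read()` and inspect `result["streams"]`; note that the regex approach skips objects inside compressed object streams and does not decrypt anything.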

Extracted artifacts 32

Files carved from inside the sample during analysis. Each record gives the carved filename, its SHA-256, the artifact kind, the source (the stream's byte offset inside the PDF) and its size, followed by the detection result where the static checks fired. All 32 artifacts are /JBIG2Decode stream bodies carved from an /Encrypt-protected document, so their near-maximal entropy (7.97 to 7.99 bits per byte) is expected on two counts: the bodies are normally still ciphertext until the file is decrypted, and JBIG2 regions are typically arithmetic-coded, which yields near-8 entropy even in cleartext. The "Obfuscation or payload: likely" lines are therefore not independent evidence of a payload, and a ClamAV miss on encrypted data says nothing either way. Decrypting the file (the user password is typically empty) and re-carving is what makes these streams meaningful to analyse.

Filename / SHA-256 / Kind / Source / Size
jbig2_00_off0004eb07.bin
78450f52c5ddfc328479c3dc740ccfbd088635bfd82c35d860b9d60f33d0e562
pdf-jbig2-stream PDF JBIG2 stream at offset 0x4EB07 3648 bytes
jbig2_01_off0004fb6d.bin
63d283740094fa49b9f33cbcd0c231b6b0a5db8c2c955370b357c972cb2ebf53
pdf-jbig2-stream PDF JBIG2 stream at offset 0x4FB6D 20848 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_02_off00054f03.bin
42f4317a8edb16099e83742d6a79669aec69aa1623b5fea6fa9cf00860046972
pdf-jbig2-stream PDF JBIG2 stream at offset 0x54F03 15056 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_03_off00058bfb.bin
d3d2b5056742476b186bdc5490135a26e529e0cab16b6c3f9c5cbb00366bc824
pdf-jbig2-stream PDF JBIG2 stream at offset 0x58BFB 48 bytes
jbig2_04_off00058e55.bin
761de03a5ea049aa42616f37bceff3534774b8aa0d00ee52f2a205c1a952cd02
pdf-jbig2-stream PDF JBIG2 stream at offset 0x58E55 6624 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_05_off0005aa60.bin
f1b2739cd33e1be31845de8a3000d4c7d8439828b0a2b60de84fd768a8f07ce8
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5AA60 12096 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_06_off0005dbcb.bin
6823613dcaca761b5cc69e5b3c2845ae47a8736f7c9cbd01de21b8210f6d02e3
pdf-jbig2-stream PDF JBIG2 stream at offset 0x5DBCB 16544 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_07_off00061e96.bin
143587ac6d0625f15da391f225656685407b71787239bb079609c850b5a83782
pdf-jbig2-stream PDF JBIG2 stream at offset 0x61E96 30768 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_08_off000698f1.bin
b6099d470f31e5bbacd34153596eb3ea07ccbc6a993851ea5d2c697a4f76df4b
pdf-jbig2-stream PDF JBIG2 stream at offset 0x698F1 29056 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_09_off00070c9b.bin
d811826ae164f66970b0449fb69868cf142a4496dbafb092e1ed6e68b20f21dc
pdf-jbig2-stream PDF JBIG2 stream at offset 0x70C9B 8144 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_10_off00072e97.bin
367ca52b27ba91064db1d4e4ab01a64f11af69dc7dd9a0bca857b427e9905b31
pdf-jbig2-stream PDF JBIG2 stream at offset 0x72E97 25680 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_11_off00079513.bin
bde867faf7a5a90f57c266244640798d0783f1e796e59127d26b82d1e2191e6b
pdf-jbig2-stream PDF JBIG2 stream at offset 0x79513 28528 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_12_off000806af.bin
5e145fc9188d9baac8c36a553ae0bcec1ce7f5f23f131253a6582b1bedad4a4e
pdf-jbig2-stream PDF JBIG2 stream at offset 0x806AF 24688 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_13_off0008694b.bin
180f58ccf20b2c6e8ca71313c77d2420225f86bdff6d88a75bd735a04a91e222
pdf-jbig2-stream PDF JBIG2 stream at offset 0x8694B 26320 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_14_off0008d247.bin
4e1bc8d95144521940b30dad4e985226f4d7c227c6e0e9a0ded6bd08cebb20a1
pdf-jbig2-stream PDF JBIG2 stream at offset 0x8D247 24464 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_15_off000933bf.bin
beecbd17e0d5b97591a18bfd40f0219b3091f39a499b9e6b6459b3c32961a3c9
pdf-jbig2-stream PDF JBIG2 stream at offset 0x933BF 28784 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_16_off0009a65b.bin
b7b024e3fbc628bf65f7b2af96f305c95159da58f5b2dcc57d0245690f8d671a
pdf-jbig2-stream PDF JBIG2 stream at offset 0x9A65B 25984 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_17_off000a0e07.bin
6200c65553eb887c7b8ebec47f48cad7b0b10f61f9a5ff0b8ad477e7da6e05ea
pdf-jbig2-stream PDF JBIG2 stream at offset 0xA0E07 25776 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_18_off000a74e3.bin
99f3f42d40587afb84af05d729de39d1a2dd38ac459488fd453c33612dc677ce
pdf-jbig2-stream PDF JBIG2 stream at offset 0xA74E3 27504 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_19_off000ae27f.bin
a38346f3c8b5d6dc3a29062aefb46762db9608f9a53404c96e33ca4e884db09e
pdf-jbig2-stream PDF JBIG2 stream at offset 0xAE27F 23952 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_20_off000b423b.bin
513bcb7074d8e2c1944c7e29cc24f915ca819dc71203f609c329147ba1356047
pdf-jbig2-stream PDF JBIG2 stream at offset 0xB423B 28272 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_21_off000bb2d7.bin
9e55ab2f378d7b19320bb0be913808597f1f8d831130c53ad861d1824e79926a
pdf-jbig2-stream PDF JBIG2 stream at offset 0xBB2D7 27984 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_22_off000c2253.bin
bb5a23507074b5ac99a55190cbad2f4067ff378ba8d7922e8a6e93741e973f46
pdf-jbig2-stream PDF JBIG2 stream at offset 0xC2253 24144 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_23_off000c82cf.bin
54c9c6999ae3dd8d2ea5f98f8aa0a2ce0c536c89331e93da011ea49024de0bc6
pdf-jbig2-stream PDF JBIG2 stream at offset 0xC82CF 27232 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_24_off000cef5b.bin
618bcf05f638ed6ea5439a2228f6fecf75d2b490bc2b434028f6fc044486e109
pdf-jbig2-stream PDF JBIG2 stream at offset 0xCEF5B 24944 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_25_off000d52f7.bin
662895f793df7c21b82c4eeb6bd9d0ac08a0b0290c9f79830659a243d5ba3840
pdf-jbig2-stream PDF JBIG2 stream at offset 0xD52F7 24944 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_26_off000db692.bin
6108189b6543720a6f97d33d59ef438d4194770c18b33a2b48e12c87c06b3dcd
pdf-jbig2-stream PDF JBIG2 stream at offset 0xDB692 7920 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_27_off000dd7ae.bin
b15a719de9ce8eafb8af3d57294512c6aed781bb4dc11d1c636a79afff8b1233
pdf-jbig2-stream PDF JBIG2 stream at offset 0xDD7AE 27008 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_28_off000e435a.bin
7e122585b77cb4039a34deb1bc90cb20807f8df78b5096cf2a06807ec240f0f4
pdf-jbig2-stream PDF JBIG2 stream at offset 0xE435A 24160 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_29_off000ea3e6.bin
eb1a11c06a79e60e4ff49a03308326ac3aff68ec09aeb8080fc2adc3cd74506e
pdf-jbig2-stream PDF JBIG2 stream at offset 0xEA3E6 24064 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_30_off000f0412.bin
aa3aa319c0f7216cb78707b7c304bb077932d93c28e06e97dca449edfb85fc6c
pdf-jbig2-stream PDF JBIG2 stream at offset 0xF0412 26848 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_31_off000f6f1e.bin
831e48152ae2b85a9fb12c8b67963d009e340a01447474c50284fa2170c7c609
pdf-jbig2-stream PDF JBIG2 stream at offset 0xF6F1E 26016 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.