Verdict: MALICIOUS
Risk Score: 114

Malware Insights

MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1027 Obfuscated Files or Information
- T1059.001 PowerShell
The PDF was flagged as malicious by an ML classifier and exhibits characteristics of obfuscation, including the use of JBIG2 encoding and an encrypted structure with embedded JavaScript. The high stream count and the presence of multiple JBIG2 streams suggest an attempt to hide or complicate the analysis of the malicious content. The ML classifier's high score further supports the malicious nature of the file.
Machine Learning
- Nyx PDF Classifier malicious score 0.9495
Heuristics (4)
- Encrypted PDF carries /JS, payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS). PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JBIG2Decode filter (severity: medium, rule: PDF_JBIG2). JBIG2 image decoder present; historically used in zero-click exploits.
- Unusually high stream count (severity: medium, rule: PDF_MANY_STREAMS). PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
- Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size | ClamAV | Obfuscation or payload | Entropy |
|---|---|---|---|---|---|---|---|
| jbig2_00_off000005bd.bin | 3b40783fd496d139a1fd55a1752c24932b589353b73cd45aca857b6df3e4ab71 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5BD | 346 bytes | | | |
| jbig2_01_off00000801.bin | 529629b8d06f173eb0d1c402194a047023f4eee7d95281604d64509b3f6035a1 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x801 | 4445 bytes | No threats found | likely | 7.96 |
| jbig2_02_off00001a4a.bin | 8cd8fcbd50d57facaef6022213ddb11b44d86d488ac2d70d91198f8e037e8e28 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1A4A | 14503 bytes | No threats found | likely | 7.99 |
| jbig2_03_off0000799a.bin | 0c37e2e4aeb069c95a810421f8c518ad2547bd8304c836996b8c9dd0ccf94715 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x799A | 3486 bytes | | | |
| jbig2_04_off0001b9f2.bin | 0efbfb4cf01bf6eab84b3251f4062769814ab8cc89ce7f92f7cef018875802db | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1B9F2 | 7491 bytes | No threats found | likely | 7.98 |
| jbig2_05_off0001d822.bin | f70ae28cf0875b9a40612933410d1430bfcdfc9be5a9738fc14b0f127743bd54 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1D822 | 32675 bytes | No threats found | likely | 7.99 |
| jbig2_06_off000258b0.bin | ef507d01c4b4a6ee1c54c29e8fe3454d76bff71bb5cc43fca91f147ec98b2fe7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x258B0 | 9462 bytes | No threats found | likely | 7.98 |
| jbig2_07_off00049eaf.bin | 9464a31a04a3e3a7e513a86764b1993abf0c7e57cc94d2fbc6b14996bad96204 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x49EAF | 34670 bytes | No threats found | likely | 7.99 |
| jbig2_08_off00052709.bin | 60859ead646779443acb9379ce5ce8243882423a9b00f091eb98765b112fb537 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x52709 | 19944 bytes | No threats found | likely | 7.99 |
| jbig2_09_off000575dc.bin | 7584d9e2ba4de6b051a6c083ad50a1a1f697c2acc759635ce0b63f8965c3a04b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x575DC | 4964 bytes | No threats found | likely | 7.96 |
| jbig2_10_off0006c6f6.bin | b90681f1fe315185cf6ecbe82df755499f43b1e91845a77eeb3633c832c5f493 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6C6F6 | 82226 bytes | No threats found | likely | 8.00 |
| jbig2_11_off00080914.bin | 5dfd8b41ee6685c9c9d8a4c5a9f4e3b6ee0fac40392fda92675c58080ec93e49 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x80914 | 10102 bytes | No threats found | likely | 7.98 |
| jbig2_12_off00083175.bin | 554c6f79db15ffe0a7d3b668ee6e8594884dab835f847be5def64fab51ee087c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x83175 | 9099 bytes | No threats found | likely | 7.98 |
| jbig2_13_off000a6b08.bin | fb8ef7ba8db8d23908112f6c842ce6038fb15147f13644ea1213c3244c869eba | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA6B08 | 29587 bytes | No threats found | likely | 7.99 |
| jbig2_14_off000b08f6.bin | f40507912d1378cc446bbee4771d20a2c01656e2eebc6d5313f265221333b375 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB08F6 | 99227 bytes | No threats found | likely | 8.00 |
| jbig2_15_off000c8d7c.bin | 2e12bd971fcd202b3c7ec85b9978fc8761d248707a60b6b62598efe9d12f32f1 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC8D7C | 4749 bytes | No threats found | likely | 7.96 |
| jbig2_16_off000e3c01.bin | 7e1dc91b52cb25c8735cdbd5c5b64b4f068ab9e1cfcf017e29da956d216ffb88 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE3C01 | 6793 bytes | No threats found | likely | 7.97 |
| jbig2_17_off000e5777.bin | daee83ed3f8ce0b0a66c443527d6167ea4ee06fef777fdc9dfe0241eea764a41 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xE5777 | 60977 bytes | No threats found | likely | 8.00 |
| jbig2_18_off0011059d.bin | 3fc4048cb993971d08a57094c86e141c7b14d718fd390d33fe9436ef9f551f4a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x11059D | 33887 bytes | No threats found | likely | 7.99 |
| jbig2_19_off00118ae9.bin | 33f52de050709df2f24451ad626f815131e03cd61add833c69472887b7abe90b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x118AE9 | 14600 bytes | No threats found | likely | 7.99 |
| jbig2_20_off00133e76.bin | 65ee7c4960db6983f8d19636b2c84eed76820374f3c84488ac0a1964b80797e9 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x133E76 | 21410 bytes | No threats found | likely | 7.99 |
| jbig2_21_off0014b1de.bin | 3d65760ff8ab506311cf5f904acc2300f8a24ac58bc6fe916036c445df53f5bc | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x14B1DE | 45606 bytes | No threats found | likely | 8.00 |
| jbig2_22_off00162212.bin | 3d26304cd0c1fa38723f1ef452866094d2f154fa131dfbfcae4c26e07cdc60ee | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x162212 | 4070 bytes | | | |
| jbig2_23_off001632e6.bin | 1ba8db5fcbbd657caf9051da3d49a465d19f127c9f35d91d576612870c9f6f4c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1632E6 | 23085 bytes | No threats found | likely | 7.99 |
| jbig2_24_off00168dff.bin | 052b48cfa839f41dc3c8f09317e245d0ea2fcf8bbb29272bb3b66e3b11711f61 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x168DFF | 9152 bytes | No threats found | likely | 7.98 |
| jbig2_25_off0016bb4a.bin | f302c50bf6a173442f52867df51e4fe79c3f4cb4b80fb0fe417da7538655db4c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x16BB4A | 22802 bytes | No threats found | likely | 7.99 |
| jbig2_26_off0018c7d8.bin | 9607de6862a2f00af11b51262de97fdf3197742a58fd98648c8e82d25219890a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x18C7D8 | 37109 bytes | No threats found | likely | 7.99 |
| jbig2_27_off001aacd0.bin | 6adf3711c867f91d5679ddf39efd0eaa26df87a66eac67eb5e93b387e83eafa8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1AACD0 | 2443 bytes | | | |
| jbig2_28_off001ab749.bin | 201038ca1776a96f7f8bb9ad21020a3b799e956e600358e35587b8e1a016f4f0 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1AB749 | 23875 bytes | No threats found | likely | 7.99 |
| jbig2_29_off001b157a.bin | 3fc43c306eb2b5a4287ac10e8eae1d6d21c533380f7a308ee8a03a67cabb1b74 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1B157A | 35340 bytes | No threats found | likely | 7.99 |
| jbig2_30_off001dc663.bin | 12923ddec31a39b829ee1329619a04a386303a04b78d836df01db66c1582b02f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1DC663 | 25888 bytes | No threats found | likely | 7.99 |
| jbig2_31_off001f5bb2.bin | 6a2faa2453c0af2e597dc74e691b494e1499688384c9d37cc36bbc13c238228c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1F5BB2 | 2331 bytes | | | |

Entropy is the analyzer's per-artifact measurement on a 0 to 8 scale; for every artifact with a detection block (entropy 7.96 to 8.00) the report states that the carved artifact entropy is consistent with packed or encrypted content. Artifacts with empty detection columns had no detection block in the report.