Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad539d6770e69cc5…

Verdict: MALICIOUS
File type: PDF

Size: 292.0 KB
Created: [unreadable, garbled in report]
Authoring application: [unreadable, garbled in report]
MD5: 717e1b8c3aeb6de6ff03af4146a57248
SHA-1: d4bb1604982592e5c56ea3dbe1cc07ad5144e38b
SHA-256: ad539d6770e69cc575dbf7434863c126213bb1d695c2ce390c16d88fda315fbf
Risk Score: 82

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF is encrypted and contains an /OpenAction, indicating that malicious content is hidden from static analysis and likely executed upon opening. The 'PDF_IMAGE_LURE' heuristic confirms it's an image-only document designed to trick users into clicking, and the presence of JBIG2 streams suggests complex image encoding often used to obscure malicious payloads. The document body is heavily obfuscated, preventing a more detailed analysis of its specific intent.

Heuristics (4)

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis [severity: high] PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JBIG2Decode filter [severity: medium] PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits.
  • Image-only document with action trigger (screenshot lure) [severity: medium] PDF_IMAGE_LURE
    PDF has 2 image(s) and 0 text block(s), carries a click-outward action, and is only 291 KB — the typical shape of a phishing lure in which a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • Suspicious extracted artifact [severity: info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
jbig2_00_off00011f53.bin
3128e13ac379a351b56ea0c8aad6223a093e81e5328361e53ebd3f9dbfe44fce
pdf-jbig2-stream PDF JBIG2 stream at offset 0x11F53 16389 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_01_off0001609a.bin
3bdbe18fc2916a07fd141a5fb1cc3d2fbaf4726b33389caad1037d938a3b7074
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1609A 13829 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_02_off000197e1.bin
e9e1dc3588f024cf602d293d030a13f358058d53bc8b267a6cfd2d32d009c241
pdf-jbig2-stream PDF JBIG2 stream at offset 0x197E1 13700 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_03_off0001cea9.bin
6d8021413c50a90b8482d99a20eeb5474d1d5d67f6bd9cf8068cbc5180f937ec
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1CEA9 12889 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_04_off00020246.bin
d427be4ec904d786a3c584a261bc3918b4265c25ae39c20e4eb1d7f7b9220ebe
pdf-jbig2-stream PDF JBIG2 stream at offset 0x20246 20252 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_05_off000252a6.bin
041292f9fe27654d4edf058e4ff77288cc7a8f7e67cf0f0d1fc644c104edb19f
pdf-jbig2-stream PDF JBIG2 stream at offset 0x252A6 22326 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_06_off0002ab20.bin
7a52674de08c493251e35dcca253bfa593ded7d32e6ab7a53f864877d9cc156a
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2AB20 30708 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_07_off00032458.bin
6c1a55e9c2ed5e24e7ef60c6c1963f55b8c9b9c70eab75be293c8cc40680ee1c
pdf-jbig2-stream PDF JBIG2 stream at offset 0x32458 14724 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_08_off00035f20.bin
da43e6b998e70b7d66ab7b2dda43e09ac0ee66655f1b94f53da2ae9d58a77990
pdf-jbig2-stream PDF JBIG2 stream at offset 0x35F20 15519 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_09_off00039cfa.bin
be396aa4a9caab4ba94339ae88f60ce4a01cb4c900acb820ef7dda877c76d370
pdf-jbig2-stream PDF JBIG2 stream at offset 0x39CFA 17469 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_10_off0003e273.bin
15e7293f23906b025746a7b79a12667170ad0698b8d83fb1977820f2294dccca
pdf-jbig2-stream PDF JBIG2 stream at offset 0x3E273 20671 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_11_off0004346e.bin
6080642325cddb158fdec0756e0b534877f71957faeeda9b5388c250bf3b6fa3
pdf-jbig2-stream PDF JBIG2 stream at offset 0x4346E 17511 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.