Malicious PDF — malware analysis report

Heuristics 8

• Adobe Reader JBIG2Decode WScript dropper exploit critical CVE likely CVE_2009_0658
  PDF combines JBIG2Decode image streams with OpenAction JavaScript that reconstructs a Windows Script Host dropper stage. This matches the in-the-wild Adobe Reader/Acrobat JBIG2 image-stream exploit cluster associated with CVE-2009-0658.
• JBIG2 + active content high CVE related PDF_JBIG2_ACTIVE_CONTENT
  JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
• eval() call high PDF_EVAL
  eval() found — commonly used for obfuscated exploit execution
• JBIG2Decode filter medium PDF_JBIG2
  JBIG2 image decoder present — historically used in zero-click exploits
• Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
  One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
• JavaScript action low PDF_JAVASCRIPT
  PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• Embedded JS stream low PDF_JS
  PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
• PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
  PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Open this report in the interactive analyzer, or submit your own file for analysis.