Risk Score: 220 (MALICIOUS)

Malware Insights

MITRE ATT&CK:
- T1059.003 Windows Command Shell
- T1566.001 Spearphishing Attachment
- T1059.001 PowerShell
This PDF is heavily obfuscated, as indicated by the high stream count and the use of JBIG2 encoding, which hides its content from text-based inspection. The ML classifier strongly suggests maliciousness. The heuristics point to a lure document, specifically an advance-fee scam built around a parcel delivery, combined with a technique that instructs the user to paste clipboard content into a shell for command execution. No scripts were extracted, but the PDF structure and heuristics indicate it is designed to trick the user into performing an action that could lead to further compromise.
Machine Learning:
- Nyx PDF Classifier: malicious score 0.9364

Heuristics (8):
- Encrypted PDF carries /jS — payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/jS). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- Clipboard command execution lure (high, SE_CLIPBOARD_COMMAND_LURE): Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
- Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE): Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- JBIG2Decode filter (medium, PDF_JBIG2): JBIG2 image decoder present — historically used in zero-click exploits.
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
- PDF paints image(s) but contains no text operators (medium, PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- Fake invoice / payment lure (low, SE_INVOICE_LURE): Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts (32)

Files carved from inside the sample during analysis. Where the Detection column is empty, the report recorded no detection result for that artifact.

| Filename | Hash | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| jbig2_00_off00000c61.bin | e69d246f2df5ab1c99d6f19a59f253b2ab99283fbb26c5c612d701f291c05eec | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC61 | 18684 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_01_off00005647.bin | 69aa1499ac7a6ee461da74dc9c5d6515da530b22a87e372271c8981c9d7bd847 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5647 | 5758 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content). |
| jbig2_02_off00006daf.bin | f19f2eac22c8f8094bc8e2489bd9fd0e317908268c075e89bc7b789c044060d1 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x6DAF | 6534 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content). |
| jbig2_03_off00009183.bin | a3c7d578567da92fbe73c2063681d3cd4f6dca3dee0212bf43d01bd966776e88 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x9183 | 8264 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content). |
| jbig2_04_off00020174.bin | 1033da6dc267ebb17ab8cd8a3f15db7365f60bcd45c0a5012b2fc244ee836c7c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x20174 | 13136 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_05_off00026a59.bin | 9f2f32fab9b4bc688bb62f700dc848aae7393f4d327623398e95ae93539f0747 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x26A59 | 11349 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content). |
| jbig2_06_off00035b8c.bin | 19fe1c297aaefafcbd81cb310e316d612ccd78b11b78e9483839b29584049b7f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x35B8C | 235 bytes | |
| jbig2_07_off00035d62.bin | 40317b36c1877d75bb211fa69693a1ae3da3a0cb3b0f8afe4206f543427b88c7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x35D62 | 2655 bytes | |
| jbig2_08_off0003a51f.bin | 00a7979c024e9be6836c51b38a778b9ac4492d38f0829219709ed3c5a5a9e86b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3A51F | 1928 bytes | |
| jbig2_09_off0003b6f6.bin | 7302f09a60fbcb01dc0f419b89633fd51953b138592b75be710b55b5e80518ae | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3B6F6 | 2870 bytes | |
| jbig2_10_off0003ca30.bin | 7eb8babe0a089de33a14263ddd37556c8fee7d1567f09d41ac50df24232240dd | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3CA30 | 2230 bytes | |
| jbig2_11_off0003dac0.bin | 25747cd64d2ff18628e84ad33697117bbd4054e22f16dbb8a91247cf18f41289 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x3DAC0 | 3177 bytes | |
| jbig2_12_off0004790b.bin | 052786b001a7ad9d4271617c210fcf3f4155d8aa7aefa5156d1e959b66b362e3 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4790B | 15412 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_13_off00058303.bin | 0a0e3d5e058a2ffd338f0d017885110afe66d5304a8e6fe38b906234eab1c181 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x58303 | 21435 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_14_off0005d7a9.bin | 8eaa17cb61aa677dd8d2aa88178d8dc3a552159f0941f0063d6989c8b15120e3 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5D7A9 | 2705 bytes | |
| jbig2_15_off0005e326.bin | 4105190aaaa545847dd91262e21149b708a7bb2254a224491662c9a69e5def81 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x5E326 | 10213 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content). |
| jbig2_16_off000770a3.bin | 1c4c30c589c254eef76739e63ea991db641f37041b0b6064c9a4f045e45fce0e | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x770A3 | 13514 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_17_off00087f25.bin | 8bcd479b97358a0a44265027d79dfe258f28c34e15bc34bb101458ffb9a779c2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x87F25 | 3093 bytes | |
| jbig2_18_off00088c26.bin | 40aad667711b7a8bc34b1fdc3161faec850c74c14e5e143095a92982097469e5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x88C26 | 5904 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content). |
| jbig2_19_off0008b964.bin | b1d55cce214f6226daae12bee0e6c540b71a99351c44a6d0ce975f270d911d6a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x8B964 | 5083 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.97, consistent with packed or encrypted content). |
| jbig2_20_off0008d9ff.bin | 86e818f66b72c1ead1792877327285fa613a847061ea812d45ce91a70a03d7df | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x8D9FF | 12499 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content). |
| jbig2_21_off00092478.bin | 0f25594a5374fd47e287bc7dbdec3b6cb32cc5d8bb12cdfa98f74e3b4ac11b2c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x92478 | 2943 bytes | |
| jbig2_22_off000a4e9f.bin | 86a50bbec638cba7838dda778e5afe39ac47a156e0b41ba96a0c4adca6e0f171 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xA4E9F | 20275 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_23_off000ac25e.bin | 176b1e998eef3ed1f59220aa0ea2a3de1e37a38ed9db098c0a21919d45d1540a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xAC25E | 967 bytes | |
| jbig2_24_off000ac710.bin | 9d3aacbd229dda9a03aab43a013076554e39355b89959e6469772962ffb3cb2d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xAC710 | 980 bytes | |
| jbig2_25_off000b2c82.bin | 548c2a529b5552920030f18ba2e8de08a5c3d6631544008c1df70b95dfc13ae2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB2C82 | 3087 bytes | |
| jbig2_26_off000b451b.bin | c39a32cd66c9a39d6ed8827f41d78c6355e244ab92bb32e72340da2baa079aa4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB451B | 3943 bytes | |
| jbig2_27_off000b64ec.bin | 7d85858c6973a38746e3501ff18cf046a8e91a2d9f9da691327eb16cc63a5e8c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB64EC | 2132 bytes | |
| jbig2_28_off000b7acd.bin | ce732e5a233bf46a4c5bb145b158f7031f75d4c6ec567260ca69f9f23da36615 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xB7ACD | 1461 bytes | |
| jbig2_29_off000c13e0.bin | 5c0112457533d0fcd82278566b2899b97846fcd71ad2e200551bec6dabd2a2fa | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC13E0 | 10419 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.98, consistent with packed or encrypted content). |
| jbig2_30_off000ca33f.bin | 03f55af21898c0d9b11534521c18bdcb06356cba1268d1a007119a893b5f85c8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xCA33F | 14666 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |
| jbig2_31_off000d1677.bin | 4f2b8a60df4e35582eb7144a0fe203e4aa4b834cdf6bce2372eed6bf5924d16f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xD1677 | 14532 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.99, consistent with packed or encrypted content). |