Verdict: MALICIOUS (Risk Score 72)

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
- T1027 Obfuscated Files or Information
The PDF is encrypted and contains embedded JavaScript, a combination used to keep a malicious payload out of reach of static analysis. Together with the JBIG2 streams, the PDF_ENCRYPTED_WITH_JS heuristic strongly suggests an attempt to hide an exploit or downloader inside the encrypted objects. The PDF_IMAGE_ONLY_LURE heuristic indicates the document is visually deceptive: it presents only rendered images, with no text, to draw the user into interacting with the malicious content. None of the carved streams could be scanned in the clear, so the verdict rests on these structural indicators rather than on an identified payload.
Heuristics (5)

- high, PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /JS (payload hidden from static analysis). The PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect until the file is decrypted. Check before escalating: a lure that opens without a password prompt uses an empty user password, so the standard security handler can be stripped with `qpdf --decrypt sample.pdf decrypted.pdf` (or any library that implements the standard handler) and the /JS body recovered; only a non-empty user password actually withholds the key.
- medium, PDF_JBIG2: JBIG2Decode filter. A JBIG2 image decoder is reachable from this document; such decoders have historically been used in zero-click exploits (the 2021 FORCEDENTRY iMessage chain, CVE-2021-30860, abused a JBIG2 decoder). The filter is also common in scanned documents, so the stream bodies need to be decrypted and decoded before this counts as exploit evidence.
- low, PDF_JS: Embedded JS stream. The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- info, PDF_IMAGE_ONLY_LURE: PDF paints image(s) but contains no text operators. The PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
- info, EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact. One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms. Here the match is the high entropy of the carved JBIG2 streams, which is expected for any compressed image stream and, in an encrypted document, for ciphertext; it is not independent evidence of a payload.
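The checks above, and the carved-stream entropy measurement used in the artifact table, can be reproduced with standard-library Python. The following is an added example written for this page, not the analyzer's own code: it builds a constructed one-page PDF (not the analysed sample) that declares /Encrypt, an /OpenAction carrying /JS, a JBIG2Decode image XObject and a Flate content stream with no text operators, then runs the four PDF_* heuristics and the entropy check over it. The regex-based object walk, the rule names reused from this report and the sample's object layout are assumptions for illustration; a real triage parser resolves the xref table and /Length values instead of pattern-matching on `obj`/`endobj`.

```python
"""Static PDF triage reproducing this report's heuristics (added example)."""
import math
import re
import zlib
from collections import Counter
from typing import Dict, List, Optional, Tuple

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
# Text-emitting content operators: BT, ET, Tj, TJ, ' and ". They must stand alone
# (start-of-line, whitespace, ']' or ')' before; whitespace or end-of-line after).
TEXT_OPS_RE = re.compile(rb"(?:^|[\s\]\)])(?:BT|ET|Tj|TJ|'|\")(?=\s|$)", re.M)


def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n" % num + body + b"\nendobj\n"


def _stream(dict_entries: bytes, data: bytes) -> bytes:
    return b"<< " + dict_entries + b" /Length %d >>\nstream\n" % len(data) + data + b"\nendstream"


def build_sample_pdf(content: bytes = b"q 200 0 0 100 50 600 cm /Im0 Do Q",
                     encrypted: bool = True) -> bytes:
    """Constructed sample, NOT the analysed file: one page painting /Im0 (a JBIG2Decode
    image XObject), an OpenAction /JS and optionally an /Encrypt entry in the trailer.
    Bodies are not really encrypted; a genuinely encrypted file yields undecodable,
    near-8-bit-entropy stream bytes instead."""
    jbig2_body = bytes(range(256)) * 4  # opaque stand-in for a JBIG2 segment stream
    trailer = b"<< /Root 1 0 R" + (b" /Encrypt 7 0 R" if encrypted else b"") + b" >>"
    return b"".join([
        b"%PDF-1.7\n",
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 6 0 R >> >>"),
        _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
                b"/Resources << /XObject << /Im0 5 0 R >> >> >>"),
        _obj(4, _stream(b"/Filter /FlateDecode", zlib.compress(content))),
        _obj(5, _stream(b"/Type /XObject /Subtype /Image /Width 200 /Height 100 "
                        b"/Filter /JBIG2Decode", jbig2_body)),
        _obj(6, _stream(b"", b"")),  # the /JS body: empty, standing in for ciphertext
        b"trailer\n" + trailer + b"\n%%EOF\n",
    ])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0); 7.9+ is typical of compressed, packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_pdf(pdf: bytes) -> Dict[str, object]:
    """Run the report's heuristics over raw PDF bytes; return findings and fired rule IDs."""
    streams: List[Tuple[int, bytes, bytes, Optional[bytes]]] = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if not s:
            continue
        dict_bytes, raw = body[:s.start()], s.group(1)
        decoded = None
        if b"/FlateDecode" in dict_bytes:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = None  # encrypted or corrupt: opaque to static analysis
        streams.append((num, dict_bytes, raw, decoded))

    # Structural indicators come from the object dictionaries, stream bodies blanked out.
    structure = STREAM_RE.sub(b"stream\nendstream", pdf)
    encrypted = b"/Encrypt" in structure
    has_js = re.search(rb"/JS\b|/JavaScript\b", structure) is not None
    auto_exec = re.search(rb"/OpenAction\b|/AA\b", structure) is not None
    jbig2 = b"/JBIG2Decode" in structure
    image_xobjects = len(re.findall(rb"/Subtype\s*/Image\b", structure))
    # Text operators are sought in the non-stream bytes and in every decodable stream.
    text_ops = bool(TEXT_OPS_RE.search(structure)) or any(
        d is not None and TEXT_OPS_RE.search(d) is not None for _, _, _, d in streams)

    artifacts = [{"object": n, "jbig2": b"/JBIG2Decode" in d, "size": len(r),
                  "entropy": round(shannon_entropy(r), 2), "decodable": dec is not None}
                 for n, d, r, dec in streams]
    rules: List[str] = []
    if encrypted and has_js:
        rules.append("PDF_ENCRYPTED_WITH_JS")         # high
    if jbig2:
        rules.append("PDF_JBIG2")                     # medium
    if has_js:
        rules.append("PDF_JS")                        # low
    if image_xobjects and not text_ops:
        rules.append("PDF_IMAGE_ONLY_LURE")           # info
    if any(a["entropy"] >= 7.9 for a in artifacts):
        rules.append("EXTRACTED_FILE_STATIC_TRIAGE")  # info: always true for ciphertext
    return {"encrypted": encrypted, "js": has_js, "auto_exec": auto_exec, "jbig2": jbig2,
            "image_xobjects": image_xobjects, "text_operators": text_ops,
            "artifacts": artifacts, "rules": rules}


if __name__ == "__main__":
    for name, pdf in (("encrypted image-only lure", build_sample_pdf()),
                      ("plain document with text", build_sample_pdf(b"BT /F1 12 Tf (Hi) Tj ET", False))):
        print(name, "->", triage_pdf(pdf)["rules"])
```

Running it shows why the last rule is only informational: the JBIG2 stand-in scores an entropy of 8.0 in both variants, with or without /Encrypt, because a compressed image stream looks like random bytes regardless of encryption. The second variant, which carries text operators and no /Encrypt, drops PDF_ENCRYPTED_WITH_JS and PDF_IMAGE_ONLY_LURE while still flagging the JBIG2 filter and the /JS reference.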
Extracted artifacts (12)

Files carved from inside the sample during analysis. All twelve are JBIG2 image streams of roughly 4 KB to 14 KB. Because the document is encrypted, each carved stream is ciphertext: an entropy near 7.98 is expected, ClamAV's clean verdict applies only to the encrypted bytes, and the "likely" obfuscation flag is the entropy rule firing rather than a decoded payload. Decrypt the document and re-scan the decoded JBIG2 data before treating these streams as either benign or exploit evidence.
| Filename | SHA-256 | Kind | Source | Size | ClamAV | Entropy | Obfuscation or payload |
|---|---|---|---|---|---|---|---|
| jbig2_00_off000095ba.bin | e642bdc6edaedae2fc3a2501d2a536a02262b605fb2b65ce29a8184bd615dad4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x95BA | 9744 bytes | No threats found | 7.98 | likely |
| jbig2_01_off0000c016.bin | ccfc4b286b2871fe1e4778abe0f82a2502878f42bcdf2980a139d5e5f0870e64 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xC016 | 12160 bytes | No threats found | 7.99 | likely |
| jbig2_02_off0000f3e1.bin | 40b3f44c89f1288849e815386b0582ced16d973bb9c42c93e7de4470001dc53f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0xF3E1 | 9744 bytes | No threats found | 7.98 | likely |
| jbig2_03_off00011e43.bin | 3ea3b635abcbd521361c3f5a0544f8845392566fb62e9541f8e182611b8897b2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x11E43 | 14208 bytes | No threats found | 7.99 | likely |
| jbig2_04_off00015a16.bin | 5de216517ab33c81051211614f4baa599684aba342d30e52ea9ec1c3bc4f3fc9 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x15A16 | 11984 bytes | No threats found | 7.98 | likely |
| jbig2_05_off00018d39.bin | 2df416fe027de358b183a990e19a17677457c0d21d62ba5aeb31fcfa73e319ff | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x18D39 | 12560 bytes | No threats found | 7.99 | likely |
| jbig2_06_off0001c29b.bin | 3ed7781cc8ab55f7ff4635f838f459d6baab37a694f86b6061268e3848c2b5b8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1C29B | 4304 bytes | No threats found | 7.95 | likely |
| jbig2_07_off0001d7be.bin | 94cec2a42b09e01871aaa8a23b251fbc5b5587df9bbd940d6214bdf298f408b0 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1D7BE | 11056 bytes | No threats found | 7.98 | likely |
| jbig2_08_off00020741.bin | 29804430a9fc0de28aae32548709422922bbc281380a6728dfd68da92a57ba5a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x20741 | 11200 bytes | No threats found | 7.99 | likely |
| jbig2_09_off00023754.bin | b17b5f49fe413926ef4ad350aee5a64d83ad0f5c05f83cc058335f24f9e9f3dc | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x23754 | 14272 bytes | No threats found | 7.98 | likely |
| jbig2_10_off00027368.bin | 251ffa2323ba8196726d8701fb3c59d9eb41067cbd7b4778382f684174def3c5 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x27368 | 12848 bytes | No threats found | 7.99 | likely |
| jbig2_11_off0002a9ec.bin | f6c37135afe191f31ef1aedf65549776ad9b22cbd0992cbd25221f0e8152d45a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2A9EC | 11040 bytes | No threats found | 7.98 | likely |