Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2f6a01c00c5e0ad…

Verdict: MALICIOUS
File type: PDF
Size: 1.63 MB
Created: (unreadable)
Authoring application / producer: (unreadable)
The creation date and producer strings in the /Info dictionary are encrypted together with the rest of the document, so this metadata cannot be recovered without the decryption key.
MD5: 8b03fcdf71871607192cacf75229b174
SHA-1: 92343230482c3435eaf8a83b428ea1d786a3e12e
SHA-256: e2f6a01c00c5e0add16bfe2bbb66135b44ad54741a63109675f45366b9d3c18b
Risk score: 64

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1027 Obfuscated Files or Information

The file is classified as malicious because it is encrypted (/Encrypt) and declares an /OpenAction, a combination that hides whatever the open action triggers from static analysis. It also carries JBIG2-encoded image streams and no text-emitting operators, so what the viewer shows is image-only, a pattern typical of lure documents that deliver their instructions as rendered pixels. The encryption and the absence of readable body text together point to an attempt to conceal the document's behaviour, most likely to deliver a secondary payload; the static pass cannot identify that payload, so the verdict rests on the combination of indicators rather than on an extracted artifact.

Heuristics (4)

  • [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /OpenAction; payload hidden from static analysis
    The document declares /Encrypt and also an /OpenAction, an action the viewer executes as soon as the file is opened. The standard security handler encrypts every string and stream in the file, so any JavaScript body, the page content streams and the /Info metadata are opaque to a static scanner; an auto-execution trigger on top of that is a known evasion pattern for delivering weaponised JavaScript that cannot be inspected without the key. Two caveats for the analyst. First, only the /OpenAction key was observed, so the rule name's assumption that the action is JavaScript is not confirmed by this pass; dictionary keys and names are not encrypted (only strings and streams are), so following the /OpenAction reference should reveal the action's /S type. Second, a lure that opens without a password prompt necessarily uses an empty user password, in which case the file key can be computed from the encryption dictionary alone and qpdf --decrypt in.pdf out.pdf will strip the encryption so the streams can be read.
  • [medium] PDF_JBIG2: JBIG2Decode filter
    JBIG2 image streams are handled by a complex decoder that has been the target of zero-click exploits (CVE-2021-30860, the FORCEDENTRY chain against Apple CoreGraphics, was a JBIG2 bug). JBIG2 is also the standard codec for scanned bilevel documents, so on its own it is a weak signal; weigh it together with the encryption and auto-action indicators.
  • [info] PDF_IMAGE_ONLY_LURE: PDF paints image(s) but contains no text operators
    The file has 2 image XObject(s) and no text-emitting operators (BT/ET, Tj, TJ, ', ") were found in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern, used to slip past text-based scanners and to deliver instructions purely as rendered pixels; it stays informational unless paired with invisible links or a risky URI context. Caveat: because this document is encrypted, its content streams are ciphertext (unless the stream crypt filter is Identity), so the operator scan could not have seen text operators even if they exist. The XObject count comes from unencrypted dictionary keys and is reliable; re-check the text-operator finding after decryption.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files carved from inside this sample matched a static suspicious-content check (script obfuscation, encoded payload blobs, packed data, or execution/download terms). For this sample the only match is the entropy check on the carved JBIG2 streams, which fires on any compressed or encrypted stream; the per-artifact results are listed below.
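The structural checks behind the heuristics above can be reproduced with a short byte-level walk of the file. The following is an added example written for this page, not the scanner that produced this report. It looks for /Encrypt together with an auto-execution trigger (/OpenAction or /AA), counts JBIG2Decode streams and image XObjects, and scans decompressed content streams for text operators, downgrading the image-only verdict when the streams are unreadable. The sample PDFs it builds are constructed for the demonstration (no xref table; "encryption" is simulated by scrambling the packed content stream and declaring /Encrypt), and all function, rule and field names are the example's own.

```python
"""Byte-level PDF triage for the indicators flagged in this report. Added example
for this page, not the analysis platform's scanner: it re-implements the structural
heuristics (/Encrypt plus an auto-execution trigger, JBIG2Decode, image-only content)
as a regex walk over the raw bytes. Names are the example's own; the sample PDFs are
constructed in build_pdf()."""
import re, zlib
from dataclasses import dataclass, field

KEY_RE = {"encrypt": re.compile(rb"/Encrypt\b"),
          "autoexec": re.compile(rb"/(?:OpenAction|AA)\b"),   # open / additional actions
          "js": re.compile(rb"/(?:JS|JavaScript)\b")}
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
# "N G obj << dict >> stream ... endstream"; the tempered dot keeps a dictionary
# from running into the next object, and stream_body() cuts the body to /Length.
OBJ_STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)endstream", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")   # direct integers only
# Text-object and text-showing operators; none of them means nothing readable is
# painted. Crude by design: a quote inside a string literal can also match.
TEXT_OP_RE = re.compile(rb"(?:^|(?<=[\s)\]]))(?:BT|ET|Tj|TJ|'|\")(?=\s|$)", re.M)

@dataclass
class Triage:
    encrypted: bool
    autoexec: bool
    js: bool
    jbig2_streams: int = 0
    image_xobjects: int = 0
    text_ops: int = 0
    opaque_streams: int = 0          # content streams whose bytes could not be read
    findings: list = field(default_factory=list)

def stream_body(dic: bytes, data: bytes):
    """(bytes, ok): cut to a direct /Length, inflate FlateDecode. ok=False means
    the bytes did not inflate, which is what ciphertext looks like to a scanner."""
    m = LENGTH_RE.search(dic)
    if m:
        data = data[:int(m.group(1))]
    if b"/FlateDecode" not in dic:
        return data, True
    try:
        return zlib.decompress(data), True
    except zlib.error:
        return data, False

def triage_pdf(buf: bytes) -> Triage:
    t = Triage(*(bool(KEY_RE[k].search(buf)) for k in ("encrypt", "autoexec", "js")))
    for _num, _gen, dic, data in OBJ_STREAM_RE.findall(buf):
        if b"/JBIG2Decode" in dic:
            t.jbig2_streams += 1
        if IMAGE_RE.search(dic):
            t.image_xobjects += 1
            continue                  # image data never carries text operators
        if t.encrypted:
            t.opaque_streams += 1     # ciphertext whatever the declared filter says
            continue
        body, ok = stream_body(dic, data)
        if ok:
            t.text_ops += len(TEXT_OP_RE.findall(body))
        else:
            t.opaque_streams += 1
    if t.encrypted and t.autoexec:
        t.findings.append("ENCRYPTED_AUTOEXEC: /Encrypt plus /OpenAction or /AA; "
                          "the triggered action cannot be inspected without the key")
    if t.jbig2_streams:
        t.findings.append(f"JBIG2: {t.jbig2_streams} JBIG2Decode stream(s); normal for "
                          "scanned documents, so weigh it with the other indicators")
    if t.image_xobjects and t.text_ops == 0:
        t.findings.append("IMAGE_ONLY?: content streams are opaque, absence of text proves nothing"
                          if t.opaque_streams else
                          "IMAGE_ONLY: images painted, no text operators in any content stream")
    return t

def build_pdf(content: bytes, *, encrypted=False, open_action=False,
              image_filter=b"/DCTDecode") -> bytes:
    """Constructed minimal PDF (no xref). 'encrypted' imitates the standard security
    handler by scrambling the packed content stream (real handlers use RC4 or AES)
    and declaring /Encrypt; the /Encrypt reference is left dangling on purpose."""
    packed = zlib.compress(content)
    if encrypted:
        packed = bytes(b ^ 0x5A for b in packed)
    image = bytes(range(256)) * 4                       # stand-in image bytes
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction [3 0 R /Fit]" if open_action else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R "
        b"/Resources << /XObject << /Im0 5 0 R >> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 32 /Height 32 /BitsPerComponent 1 "
        b"/ColorSpace /DeviceGray /Filter " + image_filter
        + b" /Length %d >>\nstream\n" % len(image) + image + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n" % i + o + b"\nendobj\n" for i, o in enumerate(objs, 1))
    trailer = b"<< /Size 6 /Root 1 0 R" + (b" /Encrypt 6 0 R" if encrypted else b"") + b" >>"
    return b"%PDF-1.7\n" + body + b"trailer\n" + trailer + b"\nstartxref\n0\n%%EOF\n"

LURE = b"q 612 0 0 792 0 0 cm /Im0 Do Q"               # full-page image, no text
TEXTED = b"BT /F1 12 Tf 72 700 Td (Invoice 4711) Tj ET\n" + LURE

if __name__ == "__main__":                              # stand-alone demo of the report's pattern
    print(triage_pdf(build_pdf(LURE, encrypted=True, open_action=True, image_filter=b"/JBIG2Decode")))
```

Running the three constructed variants side by side shows the point of the caveats: the unencrypted text-bearing file yields no findings, the unencrypted image-only file is flagged IMAGE_ONLY with confidence, and the encrypted variant is flagged for the /Encrypt plus /OpenAction combination while the image-only finding is explicitly marked as unprovable because the content stream could not be read.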

Extracted artifacts (32)

Files carved from inside the sample during analysis. All 32 are JBIG2 image streams. JBIG2 is itself a compressed format and, with /Encrypt set, the carved bytes are also ciphertext, so an entropy near 8 bits/byte is expected for every one of them and does not by itself indicate a hidden payload; for the same reason, "ClamAV: No threats found" on an encrypted stream carries little weight. Decrypt the document and decode the streams before drawing conclusions from them.

Filename / SHA-256 / Kind / Source / Size / Detection
jbig2_00_off0000a51a.bin
a760bf1b85e611d3038856bedb7ca2bc68460dd3b6af2deaad7dc5c1f841e39a
pdf-jbig2-stream PDF JBIG2 stream at offset 0xA51A 4991 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
jbig2_01_off0000bad0.bin
f8dca0f1aa1dfb1cf84d1e3047b3da241152b68f88fced31cd8e89d8c557e22a
pdf-jbig2-stream PDF JBIG2 stream at offset 0xBAD0 7440 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_02_off0000da15.bin
d37de506d25029d70e8a11ca8faab87ef74098e3b979bc928bebe2aeceed2855
pdf-jbig2-stream PDF JBIG2 stream at offset 0xDA15 9181 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_03_off0001002e.bin
7125a0c208e3f8cf5f837e3b04ca7af536013e98114df78e90e510e8b0f3942d
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1002E 2199 bytes
jbig2_04_off00010b01.bin
5115d06e25ff5407eaca938917ab567a0b3475db02299f566ff32b9f2b3290b4
pdf-jbig2-stream PDF JBIG2 stream at offset 0x10B01 7445 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_05_off00012a53.bin
e0fb95fe1c7eaada3f204c52aa88d6c6f5b83c8c59477520c06bc6da0b94ac14
pdf-jbig2-stream PDF JBIG2 stream at offset 0x12A53 6142 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_06_off0001448d.bin
dea8698bf84835e97887ca8bbfa9cfe533c7586ff1c16a549c00ade23a0d6de5
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1448D 2856 bytes
jbig2_07_off000151f1.bin
090f348d5ab7cb898c8069b84717b51e80747c79d2814cb218e70a6bebb727d4
pdf-jbig2-stream PDF JBIG2 stream at offset 0x151F1 5813 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_08_off00016ae1.bin
91e0e038c3fbea07e007a8ad34071cfaccb03801ee1da80e9a648091590e67c8
pdf-jbig2-stream PDF JBIG2 stream at offset 0x16AE1 4899 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
jbig2_09_off0001803f.bin
d5363afd8539078523711ed06fd5e4d804dfece9ee1431d0a27f27f686e61cb9
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1803F 6040 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_10_off00019a16.bin
134df9b7924b4742fc7097c4e247c7f031e65643f1235e87855cfdc0e711901c
pdf-jbig2-stream PDF JBIG2 stream at offset 0x19A16 4800 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
jbig2_11_off0001af14.bin
3dfb51e918dc8b4f27fdf8ad93e0b094b30d13b63b429cc96416b92967f36a4a
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1AF14 6163 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_12_off0001c964.bin
731b4c87dd075f930661be2e7c08aec18ef8ab54c800d48cc2edc42223507332
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1C964 5563 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_13_off0001e15d.bin
1111b6119375f7c01273dac5b3cfb34a546d18cb377d0641dac3bab989435a6f
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1E15D 2462 bytes
jbig2_14_off0001ed39.bin
f5adcf1802999b1f5d9597a51bad7f29230266560a9c0a53768ed3d91f97c7bd
pdf-jbig2-stream PDF JBIG2 stream at offset 0x1ED39 8846 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_15_off00021205.bin
0bd0d96795e38b9a4cc4afeda46c0897ac150495d95d3359adc00cfa089fc0fd
pdf-jbig2-stream PDF JBIG2 stream at offset 0x21205 5270 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
jbig2_16_off000228da.bin
e4d545354dff8cc72e820a22cd3bf54d8d2a590995899096c4792433a806a47e
pdf-jbig2-stream PDF JBIG2 stream at offset 0x228DA 2590 bytes
jbig2_17_off00023536.bin
f2391a176123ff6e7d2ae9c1c648c5ce9922b43b8a4d4ed52d81edd5cf633ffc
pdf-jbig2-stream PDF JBIG2 stream at offset 0x23536 7620 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_18_off00025539.bin
b9bc3332d9d4f80b73f9d4bc9abbf0caa3de9f88fac5c3fdf9e5d7bc6837aa15
pdf-jbig2-stream PDF JBIG2 stream at offset 0x25539 6379 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_19_off00027062.bin
e8fc60951b13e4b0246a22dbd255cd73918f748343ecefb9f91b9645f3a3d66e
pdf-jbig2-stream PDF JBIG2 stream at offset 0x27062 5869 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_20_off0002898e.bin
51f4055838af0936ed7d3ea78524346ab2b6b39e3ef6d4f0280c74165ffd751f
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2898E 6120 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_21_off0002a3bd.bin
d7c895bb5acd14532f938f49c6849fac71c951ff4a43add48b5df7b68352b8be
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2A3BD 7281 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_22_off0002c275.bin
cbb45699c4430fe6b69fcf544751ec2866ddd4bd55d797a0ad657d462abb47b1
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2C275 6729 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_23_off0002df06.bin
7803eed12537d872e3ee5871ad0109fbbb13bfa9e39cffaf19c788c8169b71a7
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2DF06 5592 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_24_off0002f725.bin
ace43d8eb82b404605a0b606111674a1606f227df1bf676f99b2b20ca76be4c4
pdf-jbig2-stream PDF JBIG2 stream at offset 0x2F725 5935 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_25_off0003109b.bin
8a14c2417952da148d868723c26f456d652e916dacc2497f461bbb2c4c87be9b
pdf-jbig2-stream PDF JBIG2 stream at offset 0x3109B 5850 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_26_off000329bc.bin
71453ddc6b167c6c5ec99b91ae18b0acc507e5a5bf5d9b9fc5c593918f139357
pdf-jbig2-stream PDF JBIG2 stream at offset 0x329BC 5779 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_27_off00034295.bin
827e415cc6249bd355b1e5a0481b1c0215b39a1fb3728e39141bbc4b0820bb5a
pdf-jbig2-stream PDF JBIG2 stream at offset 0x34295 10791 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
jbig2_28_off00036f05.bin
b4ce43b0aa87c1140b866f4b17d09e02763a390abec7a7976d74c6c11b1ed5ef
pdf-jbig2-stream PDF JBIG2 stream at offset 0x36F05 5333 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.96, consistent with packed or encrypted content.
jbig2_29_off00038622.bin
5a75cebcb94eae0f4f32c3d0d08677b741facce619e99937bc487285259a74f0
pdf-jbig2-stream PDF JBIG2 stream at offset 0x38622 7075 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content.
jbig2_30_off0003a40d.bin
0c8d27d5d6cdf7c916f06f1425ab9e4753d5c09ef35a3ef4d6b2b60bf948b5c4
pdf-jbig2-stream PDF JBIG2 stream at offset 0x3A40D 8082 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
jbig2_31_off0003c5e7.bin
4e6858720b1e961e894e5012b3b13d7887525119afb44e81836d8a31d9546567
pdf-jbig2-stream PDF JBIG2 stream at offset 0x3C5E7 4148 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.95, consistent with packed or encrypted content.
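The entropy line repeated for each artifact above says the same thing about every stream, which is why it is worth seeing what entropy does and does not tell you. The following added example, written for this page and not part of the analysis platform, measures the entropy of a compressible buffer, of that buffer after zlib, and of random bytes standing in for ciphertext, then applies a structural check instead: it parses the segment framing of a PDF-embedded JBIG2 stream (ITU-T T.88, section 7.2, which is also how the carved streams here are organised) and shows that a scrambled copy of the same bytes fails it. SAMPLE_JBIG2, CIPHERTEXT_STANDIN and all function names are constructed for the example.

```python
"""Entropy versus structure for carved JBIG2 streams. Added example for this page,
not the analysis platform's code. It shows that zlib output scores the same ~8
bits/byte as ciphertext, so the per-artifact entropy line separates nothing, and
that the segment framing of a PDF-embedded JBIG2 stream (ITU-T T.88 7.2) is a
check that ciphertext fails. SAMPLE_JBIG2 and the scrambling are constructed here."""
import math
import os
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def entropy_demo(size: int = 65536) -> dict:
    """A 16-symbol buffer (4 bits/byte), the same buffer after zlib, and OS
    randomness standing in for an encrypted stream."""
    rng = random.Random(2024)                              # fixed seed, reproducible
    raw = bytes(0x30 + rng.randrange(16) for _ in range(size))
    packed = zlib.compress(raw, 9)
    return {"raw": shannon_entropy(raw), "compressed": shannon_entropy(packed),
            "ciphertext": shannon_entropy(os.urandom(size)), "ratio": len(packed) / size}

# Segment types defined by T.88: symbol dict, text/pattern/halftone/generic/
# refinement regions, page info, end markers, profiles, tables, extension.
JBIG2_SEGMENT_TYPES = {0, 4, 6, 7, 16, 20, 22, 23, 36, 38, 39, 40, 42, 43,
                       48, 49, 50, 51, 52, 53, 62}

def parse_jbig2_segments(data: bytes) -> list:
    """Walk the embedded-stream organisation (segment header + data, no file
    header). Returns [(number, type, page, length)] or raises ValueError on
    inconsistent framing. Bitmaps are not decoded."""
    segs, pos, n = [], 0, len(data)
    while pos < n:
        if n - pos < 11:
            raise ValueError(f"truncated header at {pos}")
        num = int.from_bytes(data[pos:pos + 4], "big")
        flags = data[pos + 4]
        stype, page_size = flags & 0x3F, (4 if flags & 0x40 else 1)
        pos += 5
        count = data[pos] >> 5
        if count == 7:                       # long form: 29-bit count + retain bits
            count = int.from_bytes(data[pos:pos + 4], "big") & 0x1FFFFFFF
            pos += 4 + (count + 8) // 8
        else:
            pos += 1
        ref_size = 1 if num <= 256 else 2 if num <= 65536 else 4
        if pos + count * ref_size + page_size + 4 > n:
            raise ValueError(f"truncated header at {pos}")
        refs = [int.from_bytes(data[pos + i * ref_size:pos + (i + 1) * ref_size], "big")
                for i in range(count)]
        pos += count * ref_size
        page = int.from_bytes(data[pos:pos + page_size], "big")
        length = int.from_bytes(data[pos + page_size:pos + page_size + 4], "big")
        pos += page_size + 4
        if stype not in JBIG2_SEGMENT_TYPES:
            raise ValueError(f"segment {num}: unknown type {stype}")
        if any(r >= num for r in refs):      # segments may only refer backwards
            raise ValueError(f"segment {num}: forward reference")
        if length == 0xFFFFFFFF or pos + length > n:   # unknown length rejected here
            raise ValueError(f"segment {num}: data length {length} exceeds stream")
        segs.append((num, stype, page, length))
        pos += length
    return segs

def looks_like_jbig2(data: bytes) -> bool:
    try:
        return len(parse_jbig2_segments(data)) > 0
    except ValueError:
        return False

def _segment(num: int, stype: int, body: bytes, page: int = 1) -> bytes:
    """Short-form header: 4-byte number, flags, no referred segments, 1-byte page."""
    return num.to_bytes(4, "big") + bytes([stype, 0, page]) + len(body).to_bytes(4, "big") + body

# Constructed embedded stream: page info (64x64), one immediate lossless generic
# region (region info + flags + adaptive-template pixels; coded data omitted),
# end of page.
SAMPLE_JBIG2 = (_segment(0, 48, (64).to_bytes(4, "big") * 2 + bytes(8) + b"\x00\x00\x00")
                + _segment(1, 39, (64).to_bytes(4, "big") * 2 + bytes(9) + b"\x00"
                           + b"\x03\xff\xfd\xff\x02\xfe\xfe\xfe")
                + _segment(2, 49, b""))
CIPHERTEXT_STANDIN = bytes(b ^ 0x5A for b in SAMPLE_JBIG2)   # what an encrypted stream looks like

if __name__ == "__main__":
    print(entropy_demo())
    print(parse_jbig2_segments(SAMPLE_JBIG2))
    print(looks_like_jbig2(SAMPLE_JBIG2), looks_like_jbig2(CIPHERTEXT_STANDIN))
```

The entropy figures make the first point: the compressible buffer sits at 4 bits/byte, and after zlib it lands in the same 7.9-plus range as the random bytes, so a value like 7.97 is exactly what a legitimate compressed image stream produces. The framing walk makes the second: the constructed stream parses into a page-info, generic-region and end-of-page segment, while the scrambled copy fails on the very first header. Applied to the carved streams above, a parse failure on every one of them is the expected signature of an encrypted document and a reason to decrypt before looking for anything inside them.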