Verdict: MALICIOUS
Risk Score: 170

Malware Insights

MITRE ATT&CK
- T1059.001 PowerShell
- T1566.002 Spearphishing Attachment
- T1190 Exploit Public-Facing Application
The sample is a PDF file exhibiting multiple high-severity heuristic firings related to JavaScript, encryption, and known exploit vectors (CVE-2018-4990, CVE-2010-0188). The presence of embedded JavaScript and the use of various decoding filters suggest an attempt to obfuscate and deliver a malicious payload. The document body is heavily corrupted, preventing analysis of its content, but the technical indicators point towards an exploit-based attack. No specific malware family could be identified.
Heuristics (7)

- JPXDecode + active content — JPEG2000 CVE-family indicator (high, PDF_JPX_CVE_2018_4990_RELATED): PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA, or RichMedia indicators. This matches the delivery pattern for Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove the exact malformed JP2/JPX primitive.
- CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator (high, PDF_CCITT_CVE_2010_0188_RELATED): PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
- Encrypted PDF carries /Js — payload hidden from static analysis (high, PDF_ENCRYPTED_WITH_JS): PDF declares /Encrypt and also references an executable trigger (/Js). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
- JBIG2Decode filter (medium, PDF_JBIG2): JBIG2 image decoder present; historically used in zero-click exploits.
- Unusually high stream count (medium, PDF_MANY_STREAMS): PDF contains 501+ stream objects; may indicate heap spray or heavy obfuscation.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF paints image(s) but contains no text operators (info, PDF_IMAGE_ONLY_LURE): PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Extracted artifacts (32)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| jbig2_00_off0004611e.bin | f5afb83ca3bef668a4430ae9239be5dfed17b90e5b921f5794cd43cff4ccafee | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4611E | 144 bytes |
| jbig2_01_off0004625c.bin | 45e762b37a4b253792759daa8be3e8719dfc721c40ee7b678bd8bc6003e05a76 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4625C | 144 bytes |
| jbig2_02_off0004639c.bin | f54231a69bd6b37b9dcb78d4ff450b96678bd163fa1c0a92b3199774afb0c43b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4639C | 1008 bytes |
| jbig2_03_off0004683b.bin | 679b52813d16d7a2cdc068c1dd4c57a8cedf2bda3ea71f0e6755664d4a399b07 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4683B | 224 bytes |
| jbig2_04_off000469ca.bin | 7973dadc418f3a89a8c163a885438cc3e22951817afaf38a65f1f0f40bbcd68a | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x469CA | 224 bytes |
| jbig2_05_off00046b58.bin | 60f47af282b15bb899cca801a26b504dbbeb5b17071e3986ae5d22441bf1b26e | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x46B58 | 144 bytes |
| jbig2_06_off00046c96.bin | 4675aa6ba7a338decbb672d90e0fd451ef9e164b129d3fccb00f7576b4d88b35 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x46C96 | 144 bytes |
| jbig2_07_off00046dd4.bin | 1e42eb5695b6b49aee12c99caf212a34cff045d6a9e1027f0430de366b7c37af | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x46DD4 | 144 bytes |
| jbig2_08_off00046f12.bin | cf227f10544dab8e50d57f70fa2a16dad7f4948b55b246d820728400179e7b00 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x46F12 | 144 bytes |
| jbig2_09_off00047050.bin | 6fe71566c1a95aa7857f0ec487c50c5e986c5f2ffe1712be1aae6885509a4d23 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x47050 | 144 bytes |
| jbig2_10_off0004718f.bin | 76b3fbf11d0e1f29558512ebfd71c84096a15c0a4eaac8fa48fd54a629d8855c | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4718F | 240 bytes |
| jbig2_11_off0004732e.bin | af9ee2c4e95464335e8d0d3271785e43af8fafc0efb50deb7493cecd633bdee2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x4732E | 224 bytes |
| jbig2_12_off000474bd.bin | 74534ad5b130a8019e407a8fbb4c7fd4ffea6f3aeadbd7cf74d25a04447f66e7 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x474BD | 432 bytes |
| jbig2_13_off001108a6.bin | bcc159cc51aa3a7ae26adcd698f6e98b5f0a4642d5448d9f99e543fd5aa5fbdf | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1108A6 | 192 bytes |
| jbig2_14_off00110a15.bin | 40c63b52981bee10b3d2fd102eed8f777cbeb9c86d4504a34bf489d76c6d44b4 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x110A15 | 192 bytes |
| jbig2_15_off00110b83.bin | 761d24eda2edda853092099c35a655113ff1d8c8b46a66fab6f3dd60da5d5cd9 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x110B83 | 144 bytes |
| jbig2_16_off00110cc1.bin | eb82c0eb6f6e34b4969600aa7859952775293f8223cd4d5450f3b5aaad926ddb | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x110CC1 | 144 bytes |
| jbig2_17_off00110dff.bin | 6591bff5ee1e5a4aa7732bf2bf1319dd19def2a7a693feb530595861b1564c74 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x110DFF | 176 bytes |
| jbig2_18_off00110f5d.bin | 89edca1c0e54d86b25f1b6c7a50e3245e73fe19786c59f3c2b503da3d970c2c2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x110F5D | 176 bytes |
| jbig2_19_off001110bb.bin | a929b49c08456a70bcf7a09c20158ec4c6d03c9b27ebde1843c2b4d06c97036b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1110BB | 176 bytes |
| jbig2_20_off00111219.bin | bde54eef9dfd372fa5b173fe46b095e4cf98b96fe4da611323b7c0aced200f77 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x111219 | 176 bytes |
| jbig2_21_off00111377.bin | 3dbeeee4a01d19b987167998863dfb949f2a6bba392ed7a786e9d134922ffb6d | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x111377 | 176 bytes |
| jbig2_22_off001114d5.bin | 7b2f11ff9f6fea65939275bef71fe2ba3fe0eb5a641e44797e3f8ad4a1d63da0 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1114D5 | 176 bytes |
| jbig2_23_off00111633.bin | e10e29af55b9342ddb24f6cb91a4d3ca0d1c709d4288e2633a9587b76d5d63c8 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x111633 | 176 bytes |
| jbig2_24_off00111791.bin | 4cb4bd609973658755a7bd0842b43e5bf61e243b6367e8cc3353d0e9bb4b17cf | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x111791 | 176 bytes |
| jbig2_25_off001118f0.bin | 25a32d203e0db6021c934a368efec8bdc8234fd3a5425d3cac3ecb9d0eb2c681 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1118F0 | 192 bytes |
| jbig2_26_off00111a5e.bin | 46cab5da4b80c693c2d383a97315482981290215c9405e5e54ce1bba34134c7b | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x111A5E | 160 bytes |
| jbig2_27_off001134ce.bin | ef1bbc1e045bdc078861889a1d06944627113bad66d9c73cad0994044bf76e62 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1134CE | 176 bytes |
| jbig2_28_off001143c9.bin | 4020f5dca0116e105b541b657a4a6047361780b0ac368e07acf8b64ba8943663 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x1143C9 | 160 bytes |
| jbig2_29_off00114a07.bin | f1407d47e906979b32b14b5aef875bd5b603fecde099aae3c54111f2dcb00ef6 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x114A07 | 144 bytes |
| jbig2_30_off00221c76.bin | e68eabbddadee2aaf37fb1c71b66ea77df77d43c2f54ad2b3af9f9768b9c7ec2 | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x221C76 | 144 bytes |
| jbig2_31_off002226e6.bin | ba6d9e6eb55595b15d880a675755a59781fa1a91dea4a6b1e10c1a716875621f | pdf-jbig2-stream | PDF JBIG2 stream at offset 0x2226E6 | 176 bytes |