Malicious PDF — malware analysis report

Static analysis result for SHA-256 f34e5eae34da148a…

Verdict: MALICIOUS
File type: PDF
Size: 14.89 MB
MD5: 548c1186fb00bd60f71cc2fc86dc203c
SHA-1: cec16a296bef0eff703fa3b179456811bcc19e5c
SHA-256: f34e5eae34da148a5e5426b13d9cef5a69dd8a3b6aa78c080ddf8be74c0bdef1
Risk score: 196

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file is heavily obfuscated and encrypted, containing embedded JavaScript and JBIG2 streams, which are often used to hide malicious content. The heuristic 'SE_INVOICE_LURE' indicates the document's content is designed as a fake invoice or payment request. The presence of multiple JBIG2 streams and the overall obfuscation suggest an attempt to evade static analysis and deliver a malicious payload, likely through the embedded JavaScript.

Heuristics (9)

  • JBIG2 + active content (high) [PDF_JBIG2_ACTIVE_CONTENT]
    JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
  • Encrypted PDF carries /jS — payload hidden from static analysis (high) [PDF_ENCRYPTED_WITH_JS]
    PDF declares /Encrypt and also references an executable trigger (/jS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JBIG2Decode filter (medium) [PDF_JBIG2]
    JBIG2 image decoder present — historically used in zero-click exploits.
  • Unusually high stream count (medium) [PDF_MANY_STREAMS]
    PDF contains 501+ stream objects — may indicate heap spray or heavy obfuscation.
  • ASCIIHexDecode filter (with exploit indicators) (medium) [PDF_FILTER_HEX]
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
  • PDF paints image(s) but contains no text operators (medium) [PDF_IMAGE_ONLY_LURE]
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact (medium) [EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded JS stream (low) [PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Fake invoice / payment lure (low) [SE_INVOICE_LURE]
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators.

Extracted artifacts (32)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source, Size and, where available, the per-artifact detection result.

jbig2_00_off000437a1.bin
  SHA-256: b5cb2892f10c575fa47df67c4c0f06733adb15b5fce97ccd0a121796ce1a6915
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x437A1
  Size: 279 bytes

jbig2_01_off0004d787.bin
  SHA-256: 14d0f2f39c9f501f342ea4b95529d63330744bc645e36b4d1590d958ce8c9307
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x4D787
  Size: 4049 bytes

jbig2_02_off0007ce9b.bin
  SHA-256: 0e293d26e5cdefabc721a44fcd94d55651ef52d0e9678fca74751858a7673f0b
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x7CE9B
  Size: 14521 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_03_off000a2b31.bin
  SHA-256: 117f1a07de167a0b7dd45b27a1ae0dd60259cbe165e68217cc0d31fec2af32a1
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0xA2B31
  Size: 14825 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_04_off000ce5f0.bin
  SHA-256: 2cbf90290729b96caa851a7dee0d64b30c08325c8ed50f404034ae36c00b87c5
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0xCE5F0
  Size: 22024 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_05_off000f2cc1.bin
  SHA-256: 6da2ecc8897d2c6a4a7ae8354e20797b27a5f994658c4cb48aff2e644294573f
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0xF2CC1
  Size: 22724 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_06_off00115993.bin
  SHA-256: 3b346b25b934de702ec778289c8a8b566580e5cb91ed341c2128160ce8ef1dd8
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x115993
  Size: 9909 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_07_off0013da9f.bin
  SHA-256: 981a54f0c8318e974315845d9cae0fef47b182aeb02aa7a106b1b9f480fce761
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x13DA9F
  Size: 15510 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_08_off0016c300.bin
  SHA-256: f52eaefbe840ef0b7462dddbeda62823d297a86a157370e9735a049023f55175
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x16C300
  Size: 18676 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_09_off0018b654.bin
  SHA-256: 4ee7009732e9aa93fc574f855607b383e6d21a0c35aefda8adb4b71a279cc5b8
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x18B654
  Size: 15359 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_10_off001b1aee.bin
  SHA-256: 77a6cbee645e7e98257897a75091cac2b4f05657776d7bd000e20a2831cc57a7
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x1B1AEE
  Size: 15399 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_11_off001d55e0.bin
  SHA-256: b8115b551c69cba7fbe11f3dec24ecf6ac20d702c54eb1de401ddfbcb46f5675
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x1D55E0
  Size: 9795 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_12_off001f0001.bin
  SHA-256: 0ea5e6e0ba423fee79210eaa347d800c77eaf95b7cd6f4a6eb4ebd789c187145
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x1F0001
  Size: 12430 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_13_off0020e6a8.bin
  SHA-256: 8a182393160350ff88f7fa93bfbd86f8d6b5ba4638fc35ae330f24a01fdb588c
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x20E6A8
  Size: 18660 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_14_off00230ee6.bin
  SHA-256: b5aa3add3afb41ec7494cf2dce43b075b85386b2fbbc93a0b9500c24db992f14
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x230EE6
  Size: 17091 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_15_off00259643.bin
  SHA-256: 1f7ea19179384793fa822d2fb54263ed6980c862548ec2e2c50ed5b45cf668b8
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x259643
  Size: 12876 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_16_off0027c292.bin
  SHA-256: 3028ac14d39da5062f052b37e5d23d6294edf485296c23d3f731cfa52bf9c121
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x27C292
  Size: 7486 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_17_off00294f0b.bin
  SHA-256: d14d1b99d68508fa9a0e1d7ea3a1f1a44c011d05b9a3616fbea7908b05792ab0
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x294F0B
  Size: 10622 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_18_off002b6264.bin
  SHA-256: fd039cdf09653525bca726a415fbaf52a5a5c8d5f9b12800b6d28c4cddd6166b
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x2B6264
  Size: 13236 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_19_off002d2aed.bin
  SHA-256: a96221ce17237d2142e425208719cba7cf59fcdf81b92fc470158a875efe88a1
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x2D2AED
  Size: 14003 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_20_off002f40a4.bin
  SHA-256: 9316f936e6b6384b663cf922e6eaa38a2ab51a1e59c85d7d29f0ab6b277b44e4
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x2F40A4
  Size: 17753 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_21_off00311a9e.bin
  SHA-256: c271df399f8251f2a22031d0be266ababbc0e8ce93d61c69b75f371b6025e820
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x311A9E
  Size: 12869 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_22_off0032bf96.bin
  SHA-256: cdd8d203fc79a7537d41a3f8482fcc37c6e7913a15ac6fba91b15ebaf28c8fd8
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x32BF96
  Size: 12721 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_23_off0034ebe0.bin
  SHA-256: 0a951e20709f83f502f90ed3cb3c1d44c631720b509285463cd4ab44da682355
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x34EBE0
  Size: 17062 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_24_off00376e79.bin
  SHA-256: db694e43ddde09fc0f757cce5540bf9a1e959634e7777fa7cd4e8d16eaf524e2
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x376E79
  Size: 19844 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_25_off00397aa6.bin
  SHA-256: a19a73d80a97df7946c737fb8c12c808c38c5658045792fd7a586cdfbf1f9071
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x397AA6
  Size: 8004 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_26_off003c3738.bin
  SHA-256: 500db1f931006570c3b6282dccd740a27de740a9462a32c917121c9aa1847e6e
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x3C3738
  Size: 29612 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_27_off003e5e10.bin
  SHA-256: c6ad586cb5605ce77b5ad8f2b5b7d96c82844797c9abdf18b4937fe44d25beb2
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x3E5E10
  Size: 12329 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.

jbig2_28_off004066df.bin
  SHA-256: 3215981cfc8a1fc0e1e6b3f4794a2c1ccc0e9aad3d2fa54ba557e0406d1c7f84
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x4066DF
  Size: 16513 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_29_off00423c71.bin
  SHA-256: 875e2b9666824295a9ed715d5c021687d3c507f79747b0b9705853b7624ec160
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x423C71
  Size: 17397 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_30_off00445daa.bin
  SHA-256: afb9a35e18b518a13dcbc973d8961c30a0f849e37b1178094c103fbec25c1813
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x445DAA
  Size: 18310 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.

jbig2_31_off00470135.bin
  SHA-256: 316e4fe1ab092f7508860a051811728cd4ae100bf9185ee49a1fe9d9b217b5c9
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x470135
  Size: 8012 bytes
  Detection: ClamAV: No threats found; obfuscation or payload: likely. Carved artifact entropy is 7.98, consistent with packed or encrypted content.