Malicious PDF — malware analysis report

Static analysis result for SHA-256 d61db9c6bf954c54…

MALICIOUS

PDF

642.2 KB Created: 2021-06-11 10:04:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-05
MD5: bf5df19d59e1ca135979e30172167c0c SHA-1: 49686fac81932d44a6248eedc72fb6ab66598aa8 SHA-256: d61db9c6bf954c547a5af32886b799a122d775c1e10dbb92dd109ec7a9753213
84 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a lure related to 'armed heist apk mod' and embeds a URL pointing to a suspicious domain. ClamAV detection confirms the malicious nature of the file, identifying it as a phishing trojan. The embedded URL is likely used to download a secondary payload or redirect the user to a phishing site.

Machine Learning

  • Nyx PDF Classifier clean score 0.0058

Heuristics 4

  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://crysiq.ru/uplcv?utm_term=armed+heist+apk+mod PDF link annotation