PDF malware analysis — malicious · f8f62c87562e768d

MALICIOUS

PDF

322.3 KB Created: 2021-06-11 10:04:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7) First seen: 2021-10-07

MD5: 03d339495c9d2042522c29dc5dcf1027 SHA-1: 6dbbe5e79bd1e2ce15047ab764ade4258ec13a15 SHA-256: f8f62c87562e768de550d23071b62cc5662e78a4cbcdf3323b8aea149b583f4b

84 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF file contains a lure related to 'armed heist apk mod' and embeds a URL pointing to a suspicious domain. ClamAV detection confirms the malicious nature of the file, identifying it as a phishing trojan. The embedded URL is likely used to download a secondary payload or redirect the user to a phishing site.

Machine Learning

Nyx PDF Classifier clean score 0.1533

Heuristics 4

ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL https://crysiq.ru/uplcv?utm_term=armed+heist+apk+mod PDF link annotation

Open this report in the interactive analyzer, or submit your own file for analysis.