Malware Analysis Suspicious Malware under PDF

[Chipicao]

Hello,

I received a email from @gmail.com, I noticed that is a Malware or Spoofed .pdf file extension or anything like that.

The most crazy thing, is in that email doesn't have any link or website to click just the file.
What I did? Well, I downloaded but I didn't open it. Firefox opened .pdf (that is my fault, but by default firefox should ask before opening).

My intention was to check for malware and verify. Since there is not message or link in email.

What happened? Firefox open .PDF alone without asking permission and it infected by computer I suppose.
Why I tell that? My Windows Firewall by Binisoft was creating new connections.

I upload to Virustotal, Hybrid-Analysis no one was detected as malware.

Now let's go the craziest thing:
I sent this to ESET, GData, Microsoft Sample Threat, Emsisoft, BitDefender and some more (except sophos I forgot).

I received the answer from GData, Microsoft Threat they said there is no malware! That is crazy i think they just click right and "scan" I think is not a human manual scan or review.
The only who detected this as a trojan was ESET! Only this antivirus detected as trojan. The others said isn't malware, but the thing is! He drops and does some strange things.

This malware is being sent to many people! I believe is a big malware that isn't being detected by anti-malware / antivirus company.
Only ESET added them to their database.

So folks, who wants to analyze this PDF and sents to antivirus engines or other antimalware / anti-virus solutions? To prevent that prevent to others?
Where I can post the malware to be analyzed and who knows anyone with their own software to be able to detect and remove?

VirusTotal

VirusTotal

www.virustotal.com

I think my computer is safe, I did a reinstall of Windows (formatting all disks), fresh install

 

[harlan4096]

That PDF does not seem to be malware, fraud because the topic text inside? Probably, but I can't find any malicious link inside, I checked with Sumatra.

 

[Chipicao]

That PDF does not seem to be malware, fraud because the topic text inside? Probably, but I can't find any malicious link inside...

Where I can send the email headers safely? Looks like also spoofed email with other gmail address.
But I don't see any link.

I noticed that some images inside the .pdf have "clicks" and files being dropped.. at least from my VM.
What I can do more to help?

 

[harlan4096]

The only clickable link there is a mailto to that email address...

I noticed that some images inside the .pdf have "clicks" and files being dropped.

Not here

 

[Kongo]

Hello,

I received a email from @gmail.com, I noticed that is a Malware or Spoofed .pdf file extension or anything like that.

The most crazy thing, is in that email doesn't have any link or website to click just the file.
What I did? Well, I downloaded but I didn't open it. Firefox opened .pdf (that is my fault, but by default firefox should ask before opening).

My intention was to check for malware and verify. Since there is not message or link in email.

What happened? Firefox open .PDF alone without asking permission and it infected by computer I suppose.
Why I tell that? My Windows Firewall by Binisoft was creating new connections.

I upload to Virustotal, Hybrid-Analysis no one was detected as malware.

Now let's go the craziest thing:
I sent this to ESET, GData, Microsoft Sample Threat, Emsisoft, BitDefender and some more (except sophos I forgot).

I received the answer from GData, Microsoft Threat they said there is no malware! That is crazy i think they just click right and "scan" I think is not a human manual scan or review.
The only who detected this as a trojan was ESET! Only this antivirus detected as trojan. The others said isn't malware, but the thing is! He drops and does some strange things.

This malware is being sent to many people! I believe is a big malware that isn't being detected by anti-malware / antivirus company.
Only ESET added them to their database.

So folks, who wants to analyze this PDF and sents to antivirus engines or other antimalware / anti-virus solutions? To prevent that prevent to others?
Where I can post the malware to be analyzed and who knows anyone with their own software to be able to detect and remove?

View attachment 272023

VirusTotal

VirusTotal

www.virustotal.com

I think my computer is safe, I did a reinstall of Windows (formatting all disks), fresh install

Just in case: Always disable pdfjs.enableScripting in Firefox about:config. So set the value to: pdfjs.enable.Scripting --> false.

How to disable JavaScript in PDF documents in Firefox - gHacks Tech News

Find out how to disable the execution of JavaScript in the Firefox web browser when viewing PDF documents, a feature that Mozilla introduced in Firefox 88.

www.ghacks.net

 

[Chipicao]

The only clickable link there is a mailto to that email address...



Not here

The more strange thing is after firefox opened that I can't ping or traceroute.

Always give this (and yes is a fresh windows install ISO from Microsoft) all disks have been formatted.

Example (no matter which host, ip always appears that)

C:\Users\user>ping google.com

Pinging google.com [142.250.31.113] with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

I follow many guides in internet, specially CMD commands like netsh reset, ipconfig /flushdns and disabling ipv6 over ipv4 didn't work.
Changed DNS didn't work also..

By the way, I tried to check port 80 from my IP in many websites and says port 80 is closed but i can still accessing internet...
Tested in other 2 computers and ping, traceroute are fully working.

Resetting everything and looks like this.. (yes all options have been selected, but the red ones looks like there is a issue in my computer..)

This happened after opening that .pdf file, I didn't touched in any malware or download from unknown source, friend etc!

I do believe probably that malware was spread to my USB lol.

 

[CyberDevil]

Static:
VirScan - 多引擎文件在线检测平台 - clean
PolySwarm - Crowdsourced threat detection - clean
CONVOCAÇÃO1.pdf - Jotti's malware scan - clean
https://metadefender.opswat.com/results/file/bzIzMDExM183TVF6bHVfZHlyUWlEdXJFYUU/regular/overview - clean

Dynamic:
Kaspersky Threat Intelligence Portal - clean
Free Automated Malware Analysis Service - powered by Falcon Sandbox - clean
Национальный Мультисканер - clean (it is clearly visible that nothing works in the system except for running Acrobat Reader)

I do not believe that it is a virus
However, I do not have a virtual machine on my laptop to play with the file myself.

 

[zkSnark]

So folks, who wants to analyze this PDF and sents to antivirus engines or other antimalware / anti-virus solutions? To prevent that prevent to others?
Where I can post the malware to be analyzed and who knows anyone with their own software to be able to detect and remove?

@Shadowra

 

[Anthony Qian]

It's a phishing PDF file. Won't do any harm to your system. But if you follow the instructions in it, you could put your money and personal information at risk. Depending on each vendor's policy, some may classify it as malware, while others won't. However, it would be inappropriate to say it is not malicious.

-------

Just received a response from Bitdefender stating the file is malicious and detection will be added. Users of G-Data will also be protected from this threat.

The analysis of the file has been completed:
The file is malicious and detection will be added in the next couple of updates.

 

[harlan4096]

Kaspersky finally also added it, but not because of having malware inside but for being a HOAX:

Hello,
The detection will be included in the next update.
HEUR:Hoax.PDF.Phish.gen
Thank you for your help.

 

[upnorth]

Where I can post the malware to be analyzed

VT link added in OPs first post.

First Submission 2022-10-07

Spoiler

Analysis CONVOCAÇÃO1-infected-malware.zip (MD5: 16F1551D0ABC49030337876C8E298BF9) Suspicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

app.any.run

The only clickable link I saw in this pdf is a mail.

I upload to Virustotal, Hybrid-Analysis no one was detected as malware.

Confirmed also by many other in this thread.

I think my computer is safe, I did a reinstall of Windows (formatting all disks), fresh install

One should never ever test possible malware direct on the main system. Use either a online sandbox service or use a VM ( virtual machine ).

There's a saying " Better Safe then Sorry ", but in this case and with more or less a majority of pdf files, known or unknown they are not direct malware that automatic will infect as soon they are opened/executed, but instead comes with phishing links or as I noted the last weeks in some Chinese pdf, QR codes. Pdf readers themselves has also been highly improved and comes with very good default security settings.

 

[struppigel]

Hello there,

I analysed this PDF. It does not contain any indicators of malicious code.

If you use pdfid.py to check for keywords, you will find 0 occurences for any of the auto execute or JavaScript streams:

Dynamic analysis does not show anything suspicious either.

The content of the PDF shows a fraud attempt:

The translation to English:

To sum it up: This is not a malware but a fraud.

I received the answer from GData, Microsoft Threat they said there is no malware! That is crazy i think they just click right and "scan" I think is not a human manual scan or review.
The only who detected this as a trojan was ESET! Only this antivirus detected as trojan. The others said isn't malware, but the thing is! He drops and does some strange things.

This malware is being sent to many people! I believe is a big malware that isn't being detected by anti-malware / antivirus company.
Only ESET added them to their database.

ESET and Kaspersky detect it as hoax/fraud. This is not the same as a malware verdict.
Apart from malware verdicts there are a number of other verdicts or reasons that antivirus software detects files including potentially unwanted software and grayware. So a detection by an antivirus product does not mean a file is malware.

McAfee detects this file has Artemis!58DE4BECA067 which means this was picked up by their automation. Artemis is the name of one of their (heuristic) detection technologies.

 

[Chipicao]

It's a phishing PDF file. Won't do any harm to your system. But if you follow the instructions in it, you could put your money and personal information at risk. Depending on each vendor's policy, some may classify it as malware, while others won't. However, it would be inappropriate to say it is not malicious.

-------

Just received a response from Bitdefender stating the file is malicious and detection will be added. Users of G-Data will also be protected from this threat.

Then if is a threat why some people are saying that isn't? GData told me in previous email that isn't malware and now is?
Like I said... I saw strange connections and dropped files... probably new method..

Any.run (you can see suspicious activity and interzer malware)
You open the pdf in any.run and click in images in PDF left and right and see..

Hello there,

I analysed this PDF. It does not contain any indicators of malicious code.

If you use pdfid.py to check for keywords, you will find 0 occurences for any of the auto execute or JavaScript streams:

View attachment 272072

Dynamic analysis does not show anything suspicious either.

The content of the PDF shows a fraud attempt:

View attachment 272073

The translation to English:

View attachment 272074

To sum it up: This is not a malware but a fraud.



ESET and Kaspersky detect it as hoax/fraud. This is not the same as a malware verdict.
Apart from malware verdicts there are a number of other verdicts or reasons that antivirus software detects files including potentially unwanted software and grayware. So a detection by an antivirus product does not mean a file is malware.

McAfee detects this file has Artemis!58DE4BECA067 which means this was picked up by their automation. Artemis is the name of one of their (heuristic) detection technologies.

Sure I know is a fraud, but ESET detected as malicious, some users now reported that GData will add, I reported to them and they said that isn't malware. And now it is (the user contacted with him after me)

That file is a FAKE PDF from Police, I believe this is being infected many computers in Portugal. Why? Because it appeared in the news recent hacks etc.

 

[Freki123]

To sum it up: This is not a malware but a fraud.
ESET and Kaspersky detect it as hoax/fraud. This is not the same as a malware verdict.

+1
It's more like you write them back and then they scam you out of some money (for not pressing criminal charges).

 

[Anthony Qian]

Then if is a threat why some people are saying that isn't? GData told me in previous email that isn't malware and now is?
Like I said... I saw strange connections and dropped files... probably new method..

Any.run (you can see suspicious activity and interzer malware)
You open the pdf in any.run and click in images in PDF left and right and see..

Nobody said it is not a threat. Threat is a broader concept than malware, IMO. Kaspersky classifies it as Hoax, while ESET classifies it as Trojan (as shown in your screenshot).

As G-Data uses Bitdefender's engine, Bitdefender added a detection (Trojan.GenericKD.64991103 for this sample), so does G-Data. The malware detection policies differ from vendor to vendor, and it's normal that Bitdefender and G-Data might have different opinions about such a threat. This PDF sample does not drop files. The only malicious parts of it are misleading content and phishing email addresses.

CONVOCAÇÃO1.pdf (MD5: 58DE4BECA0676DF091B013E0AB75AD3C) - Interactive analysis - ANY.RUN -> What suspicious connection are you referring to? All connections appear to be initiated by Adobe PDF Reader and are safe.

 

[struppigel]

Then if is a threat why some people are saying that isn't? GData told me in previous email that isn't malware and now is?
Like I said... I saw strange connections and dropped files... probably new method..

I already explained this in more detail. An antivirus detection is not the same thing as a malware verdict. This PDF is a threat, there is no doubt. But not all threats are malware and not all threats need to be detected by antivirus products.

Any.run (you can see suspicious activity and interzer malware)
You open the pdf in any.run and click in images in PDF left and right and see..

I do not see anything suspicious. Everything I see on Any.run is typical behaviour for Adobe Reader opening a PDF.
Try a clean PDF, do the same, clicking on images etc, you should see similar behaviour in Any.run.

Also, where should this behaviour come from if there is no executable code inside the PDF? You can verify it yourself, I linked the tools page.

Sure I know is a fraud, but ESET detected as malicious, some users now reported that GData will add, I reported to them and they said that isn't malware. And now it is (the user contacted with him after me)

That is what I see on Virustotal currrently. ESET does not have a malware detection but a Fraud detection:

 

[Chipicao]

One should never ever test possible malware direct on the main system. Use either a online sandbox service or use a VM ( virtual machine ).

I didn't tested here, I just uploaded to virustotal to start detection and other services.

UPDATE: After reporting his old email to gmail, new email now is not with PDF but yes with .jpg..

now it's not a summons to the police, it's an arrest warrant. As ridiculous as this is, I know it's fake. But there are those who are scared.

This is being reported by Police as Scam, Fraud and probably Malware in last year (very very recently)

Source (Is in Portuguese, you will need to translate):​

Alerta contra phishing com email falso com logótipos da PJ e Europol.
Recebeu um e-mail da Polícia? Cuidado, pode ser falso

Ultimately Portugal was been target with those kind of things, many companies are being hacked from that emails. Don't doubt.
In that text there is no link, no website, always a document or image...

Of course this is a scam, but I believe they use other techniquies to inject malware, don't ask me where. But they aren't fool to sent this to all portuguese or at least mostly portuguese emails... They know that the probability of someone contacting them is below.

Like I said, this can or can't be malware but we never know, since I gave the sources...
Who wants to report? I can provide, there are many companies who I can report this to be added as fraud, scam or malware etc?

Fast Answer from Sophos... (of course probably their automatic system)

And this is interesting.. look at URLs...

Report Phishing, Malware and Suspicious URLs

report.netcraft.com

 

[upnorth]

Like I said, this can or can't be malware but we never know,

Beating a dead horse or try kicking alive a sample from 2022-10-07 is just pointless, and extra after a genuine professional Malware Analyst, @struppigel been kind enough and even took the time to manually check and thoroughly test the sample. As there's nothing extra actual relevant to add to this case/thread, I'll close it.