Malware Analysis Suspicious Malware under PDF

Status
Not open for further replies.

Chipicao

Level 2
Thread author
May 17, 2020
88
Hello,

I received a email from @gmail.com, I noticed that is a Malware or Spoofed .pdf file extension or anything like that.

The most crazy thing, is in that email doesn't have any link or website to click just the file.
What I did? Well, I downloaded but I didn't open it. Firefox opened .pdf (that is my fault, but by default firefox should ask before opening).

My intention was to check for malware and verify. Since there is not message or link in email.

What happened? Firefox open .PDF alone without asking permission and it infected by computer I suppose.
Why I tell that? My Windows Firewall by Binisoft was creating new connections.

I upload to Virustotal, Hybrid-Analysis no one was detected as malware.

Now let's go the craziest thing:
I sent this to ESET, GData, Microsoft Sample Threat, Emsisoft, BitDefender and some more (except sophos I forgot).

I received the answer from GData, Microsoft Threat they said there is no malware! That is crazy i think they just click right and "scan" I think is not a human manual scan or review.
The only who detected this as a trojan was ESET! Only this antivirus detected as trojan. The others said isn't malware, but the thing is! He drops and does some strange things.

This malware is being sent to many people! I believe is a big malware that isn't being detected by anti-malware / antivirus company.
Only ESET added them to their database.

So folks, who wants to analyze this PDF and sents to antivirus engines or other antimalware / anti-virus solutions? To prevent that prevent to others?
Where I can post the malware to be analyzed and who knows anyone with their own software to be able to detect and remove?

1673617908882.png



I think my computer is safe, I did a reinstall of Windows (formatting all disks), fresh install ;)
 
Last edited by a moderator:

Chipicao

Level 2
Thread author
May 17, 2020
88
That PDF does not seem to be malware, fraud because the topic text inside? Probably, but I can't find any malicious link inside...
Where I can send the email headers safely? Looks like also spoofed email with other gmail address.
But I don't see any link.

I noticed that some images inside the .pdf have "clicks" and files being dropped.. at least from my VM.
What I can do more to help?
 
  • Like
Reactions: Nevi and Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,595
Hello,

I received a email from @gmail.com, I noticed that is a Malware or Spoofed .pdf file extension or anything like that.

The most crazy thing, is in that email doesn't have any link or website to click just the file.
What I did? Well, I downloaded but I didn't open it. Firefox opened .pdf (that is my fault, but by default firefox should ask before opening).

My intention was to check for malware and verify. Since there is not message or link in email.

What happened? Firefox open .PDF alone without asking permission and it infected by computer I suppose.
Why I tell that? My Windows Firewall by Binisoft was creating new connections.

I upload to Virustotal, Hybrid-Analysis no one was detected as malware.

Now let's go the craziest thing:
I sent this to ESET, GData, Microsoft Sample Threat, Emsisoft, BitDefender and some more (except sophos I forgot).

I received the answer from GData, Microsoft Threat they said there is no malware! That is crazy i think they just click right and "scan" I think is not a human manual scan or review.
The only who detected this as a trojan was ESET! Only this antivirus detected as trojan. The others said isn't malware, but the thing is! He drops and does some strange things.

This malware is being sent to many people! I believe is a big malware that isn't being detected by anti-malware / antivirus company.
Only ESET added them to their database.

So folks, who wants to analyze this PDF and sents to antivirus engines or other antimalware / anti-virus solutions? To prevent that prevent to others?
Where I can post the malware to be analyzed and who knows anyone with their own software to be able to detect and remove?

View attachment 272023


I think my computer is safe, I did a reinstall of Windows (formatting all disks), fresh install ;)
Just in case: Always disable pdfjs.enableScripting in Firefox about:config. So set the value to: pdfjs.enable.Scripting --> false.

 

Chipicao

Level 2
Thread author
May 17, 2020
88
The only clickable link there is a mailto to that email address...



Not here 🤔
The more strange thing is after firefox opened that I can't ping or traceroute.

Always give this (and yes is a fresh windows install ISO from Microsoft) all disks have been formatted.

Example (no matter which host, ip always appears that)
C:\Users\user>ping google.com

Pinging google.com [142.250.31.113] with 32 bytes of data:
General failure.
General failure.
General failure.
General failure.

I follow many guides in internet, specially CMD commands like netsh reset, ipconfig /flushdns and disabling ipv6 over ipv4 didn't work.
Changed DNS didn't work also..

By the way, I tried to check port 80 from my IP in many websites and says port 80 is closed but i can still accessing internet...
Tested in other 2 computers and ping, traceroute are fully working.

Resetting everything and looks like this.. (yes all options have been selected, but the red ones looks like there is a issue in my computer..)
1673640018077.png


This happened after opening that .pdf file, I didn't touched in any malware or download from unknown source, friend etc!

I do believe probably that malware was spread to my USB lol.
 
Last edited:
  • Like
Reactions: harlan4096

CyberDevil

Level 8
Verified
Well-known
Apr 4, 2021
397
Static:
VirScan - 多引擎文件在线检测平台 - clean
PolySwarm - Crowdsourced threat detection - clean
CONVOCAÇÃO1.pdf - Jotti's malware scan - clean
https://metadefender.opswat.com/results/file/bzIzMDExM183TVF6bHVfZHlyUWlEdXJFYUU/regular/overview - clean

Dynamic:
Kaspersky Threat Intelligence Portal - clean
Free Automated Malware Analysis Service - powered by Falcon Sandbox - clean
Национальный Мультисканер - clean (it is clearly visible that nothing works in the system except for running Acrobat Reader)

I do not believe that it is a virus :D
However, I do not have a virtual machine on my laptop to play with the file myself. :(
 
  • Like
Reactions: Trident

zkSnark

Level 5
Verified
Well-known
Jan 13, 2019
207
So folks, who wants to analyze this PDF and sents to antivirus engines or other antimalware / anti-virus solutions? To prevent that prevent to others?
Where I can post the malware to be analyzed and who knows anyone with their own software to be able to detect and remove?
@Shadowra ;)
 

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
It's a phishing PDF file. Won't do any harm to your system. But if you follow the instructions in it, you could put your money and personal information at risk. Depending on each vendor's policy, some may classify it as malware, while others won't. However, it would be inappropriate to say it is not malicious.

-------

Just received a response from Bitdefender stating the file is malicious and detection will be added. Users of G-Data will also be protected from this threat.

The analysis of the file has been completed:
The file is malicious and detection will be added in the next couple of updates.
 
Last edited:

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Where I can post the malware to be analyzed
2023-01-14_06-54-18.jpg

VT link added in OPs first post.
First Submission 2022-10-07

The only clickable link I saw in this pdf is a mail.

I upload to Virustotal, Hybrid-Analysis no one was detected as malware.
Confirmed also by many other in this thread.

I think my computer is safe, I did a reinstall of Windows (formatting all disks), fresh install ;)
One should never ever test possible malware direct on the main system. Use either a online sandbox service or use a VM ( virtual machine ).

There's a saying " Better Safe then Sorry ", but in this case and with more or less a majority of pdf files, known or unknown they are not direct malware that automatic will infect as soon they are opened/executed, but instead comes with phishing links or as I noted the last weeks in some Chinese pdf, QR codes. Pdf readers themselves has also been highly improved and comes with very good default security settings.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Hello there,

I analysed this PDF. It does not contain any indicators of malicious code.

If you use pdfid.py to check for keywords, you will find 0 occurences for any of the auto execute or JavaScript streams:

pdfid.png


Dynamic analysis does not show anything suspicious either.

The content of the PDF shows a fraud attempt:

contentpdf.png


The translation to English:

translation.png


To sum it up: This is not a malware but a fraud.

I received the answer from GData, Microsoft Threat they said there is no malware! That is crazy i think they just click right and "scan" I think is not a human manual scan or review.
The only who detected this as a trojan was ESET! Only this antivirus detected as trojan. The others said isn't malware, but the thing is! He drops and does some strange things.

This malware is being sent to many people! I believe is a big malware that isn't being detected by anti-malware / antivirus company.
Only ESET added them to their database.

ESET and Kaspersky detect it as hoax/fraud. This is not the same as a malware verdict.
Apart from malware verdicts there are a number of other verdicts or reasons that antivirus software detects files including potentially unwanted software and grayware. So a detection by an antivirus product does not mean a file is malware.

McAfee detects this file has Artemis!58DE4BECA067 which means this was picked up by their automation. Artemis is the name of one of their (heuristic) detection technologies.
 
Last edited:

Chipicao

Level 2
Thread author
May 17, 2020
88
It's a phishing PDF file. Won't do any harm to your system. But if you follow the instructions in it, you could put your money and personal information at risk. Depending on each vendor's policy, some may classify it as malware, while others won't. However, it would be inappropriate to say it is not malicious.

-------

Just received a response from Bitdefender stating the file is malicious and detection will be added. Users of G-Data will also be protected from this threat.
Then if is a threat why some people are saying that isn't? GData told me in previous email that isn't malware and now is?
Like I said... I saw strange connections and dropped files... probably new method..

Any.run (you can see suspicious activity and interzer malware)
You open the pdf in any.run and click in images in PDF left and right and see..

Hello there,

I analysed this PDF. It does not contain any indicators of malicious code.

If you use pdfid.py to check for keywords, you will find 0 occurences for any of the auto execute or JavaScript streams:

View attachment 272072

Dynamic analysis does not show anything suspicious either.

The content of the PDF shows a fraud attempt:

View attachment 272073

The translation to English:

View attachment 272074

To sum it up: This is not a malware but a fraud.



ESET and Kaspersky detect it as hoax/fraud. This is not the same as a malware verdict.
Apart from malware verdicts there are a number of other verdicts or reasons that antivirus software detects files including potentially unwanted software and grayware. So a detection by an antivirus product does not mean a file is malware.

McAfee detects this file has Artemis!58DE4BECA067 which means this was picked up by their automation. Artemis is the name of one of their (heuristic) detection technologies.

Sure I know is a fraud, but ESET detected as malicious, some users now reported that GData will add, I reported to them and they said that isn't malware. And now it is (the user contacted with him after me)

That file is a FAKE PDF from Police, I believe this is being infected many computers in Portugal. Why? Because it appeared in the news recent hacks etc.
 
Last edited:

Anthony Qian

Level 10
Verified
Well-known
Apr 17, 2021
454
Then if is a threat why some people are saying that isn't? GData told me in previous email that isn't malware and now is?
Like I said... I saw strange connections and dropped files... probably new method..

Any.run (you can see suspicious activity and interzer malware)
You open the pdf in any.run and click in images in PDF left and right and see..
Nobody said it is not a threat. Threat is a broader concept than malware, IMO. Kaspersky classifies it as Hoax, while ESET classifies it as Trojan (as shown in your screenshot).

As G-Data uses Bitdefender's engine, Bitdefender added a detection (Trojan.GenericKD.64991103 for this sample), so does G-Data. The malware detection policies differ from vendor to vendor, and it's normal that Bitdefender and G-Data might have different opinions about such a threat. This PDF sample does not drop files. The only malicious parts of it are misleading content and phishing email addresses.

CONVOCAÇÃO1.pdf (MD5: 58DE4BECA0676DF091B013E0AB75AD3C) - Interactive analysis - ANY.RUN -> What suspicious connection are you referring to? All connections appear to be initiated by Adobe PDF Reader and are safe.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Then if is a threat why some people are saying that isn't? GData told me in previous email that isn't malware and now is?
Like I said... I saw strange connections and dropped files... probably new method..

I already explained this in more detail. An antivirus detection is not the same thing as a malware verdict. This PDF is a threat, there is no doubt. But not all threats are malware and not all threats need to be detected by antivirus products.

Any.run (you can see suspicious activity and interzer malware)
You open the pdf in any.run and click in images in PDF left and right and see..

I do not see anything suspicious. Everything I see on Any.run is typical behaviour for Adobe Reader opening a PDF.
Try a clean PDF, do the same, clicking on images etc, you should see similar behaviour in Any.run.

Also, where should this behaviour come from if there is no executable code inside the PDF? You can verify it yourself, I linked the tools page.

Sure I know is a fraud, but ESET detected as malicious, some users now reported that GData will add, I reported to them and they said that isn't malware. And now it is (the user contacted with him after me)

That is what I see on Virustotal currrently. ESET does not have a malware detection but a Fraud detection:

vt.png
 

Chipicao

Level 2
Thread author
May 17, 2020
88
One should never ever test possible malware direct on the main system. Use either a online sandbox service or use a VM ( virtual machine ).
I didn't tested here, I just uploaded to virustotal to start detection and other services.

UPDATE: After reporting his old email to gmail, new email now is not with PDF but yes with .jpg..

1673901590176.png


now it's not a summons to the police, it's an arrest warrant. As ridiculous as this is, I know it's fake. But there are those who are scared.

This is being reported by Police as Scam, Fraud and probably Malware in last year (very very recently)

Source (Is in Portuguese, you will need to translate):​

Alerta contra phishing com email falso com logótipos da PJ e Europol.
Recebeu um e-mail da Polícia? Cuidado, pode ser falso

Ultimately Portugal was been target with those kind of things, many companies are being hacked from that emails. Don't doubt.
In that text there is no link, no website, always a document or image...

Of course this is a scam, but I believe they use other techniquies to inject malware, don't ask me where. But they aren't fool to sent this to all portuguese or at least mostly portuguese emails... They know that the probability of someone contacting them is below.

Like I said, this can or can't be malware but we never know, since I gave the sources...
Who wants to report? I can provide, there are many companies who I can report this to be added as fraud, scam or malware etc?

Fast Answer from Sophos... (of course probably their automatic system)

1673902298408.png



And this is interesting.. look at URLs...

 
  • Like
Reactions: Divine_Barakah

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Like I said, this can or can't be malware but we never know,
Beating a dead horse or try kicking alive a sample from 2022-10-07 is just pointless, and extra after a genuine professional Malware Analyst, @struppigel been kind enough and even took the time to manually check and thoroughly test the sample. As there's nothing extra actual relevant to add to this case/thread, I'll close it.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top