Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on June 24, 2015, 04:35:22 PM

Title: UrlMal-inf found in 4 infected PDF files.
Post by: REDACTED on June 24, 2015, 04:35:22 PM
Hi. An Avast boot scan found that four random PDF files were infected with UrlMal-inf on my Win 8.1 machine. I have run Malwarebytes, Spyhunter, and Spybot S&D, which find nothing. I have also run Malwarebytes in safe mode. Is it possible to have random infected files but not an active trojan horse backdoor somewhere? The infected files in question were legit PDFs of mine, some even 3 years old, which is definitely pre-infection.
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: magna86 on June 24, 2015, 04:56:44 PM
Hello,

If these .pdf files are truly PDF files, then the detection is an FP and may happen due to the PDF's contents.
Perhaps the files contain URL links that Avast knows as malware, or some part of the PDF code matches Avast's detection database.

An infected PDF as such does not exist in the world of known malware. Malware can't use PDF files as a loading point. The contents of that PDF file are another story; still, this is most likely an FP.
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: REDACTED on June 24, 2015, 05:32:53 PM
That makes perfect sense. There are URLs in all of these PDFs that are consistently marked as infected by Avast. Sigh. Thanks for the help. Noteworthy is that I found a thread somewhere else that said to try HitmanPro which found the following which may have been a true problem. I have been experiencing intermittent problems with my Win 8.1 machine which could just be Win 8.1-isms or...ugh the new Frontier [I want my XP Pro back now!].
Malware _____________________________________________________________________

   C:\Users\Amy\Documents\Tranquility\setup.exe -> Quarantined
      Size . . . . . . . : 222,720 bytes
      Age  . . . . . . . : 69.7 days (2015-04-15 18:39:42)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 97AEF0D8D9AE706F6A65611D56F580337E75FC060E23509B3C95A89406D40DBD
    > G Data . . . . . . : Gen:Trojan.Heur.Hype.nuW@aaTvM4gi (Engine A)
      Fuzzy  . . . . . . : 106.0
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: magna86 on June 24, 2015, 07:09:31 PM
HitmanPro is a good and nasty thing in the security world, but due to the nature of its work, a lot of FPs may happen.
Quote
Gen:Trojan.Heur.Hype.nuW@aaTvM4gi (Engine A)

If users understand the detection scope of HitmanPro, this is a powerful tool for them. If not, it may lead to program damage if the user blindly allows the tool to process (read as: delete) all detected files.

'Gen' stands for generic and 'Heur' stands for heuristic.
http://internet-security-suite-review.toptenreviews.com/premium-security-suites/what-is-heuristic-antivirus-detection-.html

Plus, this is just an installer, located in the Documents\Tranquility directory.
It is unlikely that malware uses exactly this location for loading an executable file called setup.  :)

Malware uses a loading point (mostly the registry) that loads the malware file (an executable file like .exe, etc.), and that file is system hidden.
Plus, malware weight is mostly 1mb, in very rare cases 2mb. setup.exe's weight is ~ 217mb.

I hope things are now clearer.

A word of advice: any known antivirus such as avast! is highly recommended. For additional security software, you have two choices:
- Malwarebytes Anti Malware
- Emsisoft Anti Malware

Everything else is a waste of HDD space and RAM memory cache IMHO.
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: Milos on June 25, 2015, 05:35:57 PM
Hello,
Send the PDFs through https://support.avast.com/ -> Avast Virus Lab

Thanks,
Milos
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: REDACTED on January 07, 2018, 02:41:41 PM
I would like to know whether there is a virus called "PDF.UrlMal-inf [Trj]" or not.
I use FireShot Pro to generate a PDF with a link from the web page.
AVAST detects this and warns that it is a virus.
Is it truly a virus, or just a misjudgement?

Virus Name: PDF.UrlMal-inf [Trj]
PDF made by Fireshot Pro for Chrome v.0.98.93
Antivirus: AVAST Premier, 17.9.2322(build 17.9.3761.0)
Windows 10
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: Pondus on January 07, 2018, 08:00:14 PM
URL:Mal = Blacklisted URL or IP

PDF.UrlMal-inf [Trj] = PDF.doc containing clickable link to blacklisted URL
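
Added example, not part of the thread and not Avast's detection logic: a triage script that lists the clickable link targets in a flagged PDF and shows which of them match a local blocklist, so you can see which URL a detection of this kind is likely reacting to. The function names, the blocklist and the sample PDF bytes are constructed for illustration.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI (...) is the target string of a link annotation's URI action.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def inflate_streams(pdf_bytes):
    """Yield decompressed Flate streams; annotations may sit in object streams."""
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj ignores the end-of-line bytes left after the zlib data
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, other filter)

def extract_link_hosts(pdf_bytes):
    """Return {host: [urls]} for every clickable /URI target found."""
    hosts = {}
    for blob in [pdf_bytes, *inflate_streams(pdf_bytes)]:
        for m in URI_RE.finditer(blob):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\ escapes
            url = raw.decode("latin-1")
            host = (urlsplit(url).hostname or "").lower()
            if host:
                hosts.setdefault(host, []).append(url)
    return hosts

def flagged_links(pdf_bytes, blocklist):
    """Links whose host, or a parent domain of it, is on the local blocklist."""
    hits = []
    for host, urls in extract_link_hosts(pdf_bytes).items():
        labels = host.split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels) - 1)}
        if parents & blocklist:
            hits.extend(urls)
    return sorted(hits)

# Constructed sample: one plain annotation, one inside a Flate object stream.
OBJSTM = zlib.compress(
    b"<< /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://cdn.blocked.example/x\\(1\\)) >> >>")
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://docs.benign.example/guide) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + OBJSTM + b"\nendstream\nendobj\n%%EOF\n")
SAMPLE_BLOCKLIST = {"blocked.example"}
```

To use it on a real file, read the file with `open(path, "rb").read()` and pass the bytes to `extract_link_hosts`; streams using filters other than Flate are skipped.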

Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: REDACTED on January 08, 2018, 11:53:06 AM
Would you please remove https://technews.tw from the blacklist?
I think the web site does not include a virus.
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: Asyn on January 08, 2018, 11:59:52 AM
Quote
Would you please remove hxxps://technews.tw from the blacklist?
I think the web site does not include a virus.
-> https://sitecheck.sucuri.net/results/technews.tw/
-> https://zulu.zscaler.com/submission/ef136069-739d-44a1-a901-3429bdb9d3e6

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: Milos on January 08, 2018, 01:13:52 PM
Hello,
"technews.tw" is not in the blacklist. Send us the detected file using https://www.avast.com/false-positive-file-form.php

Milos
Title: Re: UrlMal-inf found in 4 infected PDF files.
Post by: polonus on January 08, 2018, 02:30:57 PM
Hi Maxwell14,

That is not an Avast detection that you mention, but rather a general IDS alert (by Fortinet etc.)
for a so-called potentially suspicious .tw domain, not specifying that this domain actually is suspicious.

There is a remote chance, and I also know the IP has been shared by malcreants:
https://www.robtex.com/ip-lookup/52.84.64.12
but that is another problem for that hoster, cloudfront dot net, Wilmington, USA!
Re: https://www.robtex.com/ip-lookup/52.84.64.12

Interesting to know what Milos will find or not skimming over these PDF files you sent in  ;)

polonus