Author Topic: UrlMal-inf found in 4 infected PDF files.  (Read 22851 times)


REDACTED

  • Guest
UrlMal-inf found in 4 infected PDF files.
« on: June 24, 2015, 04:35:22 PM »
Hi. An Avast boot scan found that four random PDF files were infected with UrlMal-inf on my Win 8.1 machine. I have run Malwarebytes, Spyhunter, and Spybot S&D, which find nothing. I have also run Malwarebytes in safe mode. Is it possible to have random infected files but not an active trojan horse backdoor somewhere? The infected files in question were legit PDFs of mine, some even 3 years old, which is definitely preinfection.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #1 on: June 24, 2015, 04:56:44 PM »
Hello,

If these .pdf files are truly PDF files, then the detection is an FP and may happen due to the PDFs' contents.
Perhaps the files contain URL links that avast knows as malware, or some part of the PDF code matches avast's detection database.

An infected PDF as such does not exist in the world of known malware. Malware can't use PDF files as a loading point. The contents of that PDF file are another story; still, this is most likely an FP.
« Last Edit: June 24, 2015, 04:58:22 PM by magna86 »

REDACTED

  • Guest
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #2 on: June 24, 2015, 05:32:53 PM »
That makes perfect sense. There are URLs in all of these PDFs that are consistently marked as infected by Avast. Sigh. Thanks for the help. Noteworthy is that I found a thread somewhere else that said to try HitmanPro which found the following which may have been a true problem. I have been experiencing intermittent problems with my Win 8.1 machine which could just be Win 8.1-isms or...ugh the new Frontier [I want my XP Pro back now!].
Malware _____________________________________________________________________

   C:\Users\Amy\Documents\Tranquility\setup.exe -> Quarantined
      Size . . . . . . . : 222,720 bytes
      Age  . . . . . . . : 69.7 days (2015-04-15 18:39:42)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 97AEF0D8D9AE706F6A65611D56F580337E75FC060E23509B3C95A89406D40DBD
    > G Data . . . . . . : Gen:Trojan.Heur.Hype.nuW@aaTvM4gi (Engine A)
      Fuzzy  . . . . . . : 106.0

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #3 on: June 24, 2015, 07:09:31 PM »
HitmanPro is a good and nasty thing in the security world, but due to the nature of its work, a lot of FPs may happen.
Quote
Gen:Trojan.Heur.Hype.nuW@aaTvM4gi (Engine A)

If users understand the detection scope of HitmanPro, it is a powerful tool for them. If not, it may lead to damaged programs if the user blindly allows the tool to process (read as: delete) all detected files.

'Gen' stands for generic and 'Heur' stands for heuristic.
http://internet-security-suite-review.toptenreviews.com/premium-security-suites/what-is-heuristic-antivirus-detection-.html

Plus, this is just an installer, located in the Documents\Tranquility directory.
It is unlikely that malware uses exactly this location for loading an executable file called setup. :)

Malware uses a loading point (mostly the registry) that loads the malware file (an executable file like .exe etc.), and that file is system hidden.
Plus, malware weight is mostly 1 MB, in very rare cases 2 MB. setup.exe's weight is ~217 MB.

I hope things are now clearer.

A word of advice: any known antivirus such as avast! is highly recommended. For additional security software, you have two choices:
- Malwarebytes Anti-Malware
- Emsisoft Anti-Malware

Everything else is a waste of HDD's space and RAM memory cache IMHO.
« Last Edit: June 24, 2015, 07:14:02 PM by magna86 »

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #4 on: June 25, 2015, 05:35:57 PM »
Hello,
send the PDFs through https://support.avast.com/ -> Avast Virus Lab

Thanks,
Milos

REDACTED

  • Guest
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #5 on: January 07, 2018, 02:41:41 PM »
I would like to know whether there is a virus called "PDF.UrlMal-inf [Trj]" or not.
I use FireShot Pro to generate a PDF with links from a web page.
AVAST detects this and warns that it is a virus.
Is it truly a virus, or just a misjudgement?

Virus Name: PDF.UrlMal-inf [Trj]
PDF made by Fireshot Pro for Chrome v.0.98.93
Antivirus: AVAST Premier, 17.9.2322(build 17.9.3761.0)
Windows 10

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #6 on: January 07, 2018, 08:00:14 PM »
URL:Mal = Blacklisted URL or IP

PDF.UrlMal-inf [Trj] = PDF.doc containing clickable link to blacklisted URL
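
To see which link in a flagged PDF matches the description above (a clickable link to a blacklisted URL), the link targets can be listed straight from the file. This is an added example, not code from the thread or from Avast; the sample bytes, the host `blocked.example` and the function names are constructed for illustration, and the scanner only reads literal-string `/URI` entries, either raw or inside Flate-compressed streams.

```python
import re
import zlib
from urllib.parse import urlsplit

# /URI (literal string) as used by link-annotation actions; tolerates \( \) \\ escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def _chunks(data):
    """Yield the raw file bytes, then every stream body that inflates cleanly."""
    yield data
    for m in STREAM_RE.finditer(data):
        try:
            # decompressobj ignores the end-of-line bytes that follow the stream data
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # other filters or encrypted streams are out of scope here

def extract_link_uris(pdf_bytes):
    """Return the sorted, unique /URI targets found in the PDF."""
    found = set()
    for chunk in _chunks(pdf_bytes):
        for m in URI_RE.finditer(chunk):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # drop escaping backslashes
            found.add(raw.decode("latin-1"))
    return sorted(found)

def flagged_links(pdf_bytes, blocked_hosts):
    """Return the URIs whose host equals, or is a subdomain of, a blocked host."""
    hits = []
    for uri in extract_link_uris(pdf_bytes):
        host = (urlsplit(uri).hostname or "").lower()
        if any(host == b or host.endswith("." + b) for b in blocked_hosts):
            hits.append(uri)
    return hits

# Constructed sample: one plain link annotation and one link inside a Flate stream.
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://docs.example.org/guide\\(v2\\).html) >> >>\nendobj\n"
    b"2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(b"<< /S /URI /URI (http://cdn.blocked.example/ad.js) >>")
    + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    print(extract_link_uris(SAMPLE))
    print(flagged_links(SAMPLE, {"blocked.example"}))
```
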


REDACTED

  • Guest
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #7 on: January 08, 2018, 11:53:06 AM »
Would you please remove https://technews.tw from the blacklist?
I think the web site does not contain a virus.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #8 on: January 08, 2018, 11:59:52 AM »
Would you please remove hxxps://technews.tw from the blacklist?
I think the web site does not contain a virus.
-> https://sitecheck.sucuri.net/results/technews.tw/
-> https://zulu.zscaler.com/submission/ef136069-739d-44a1-a901-3429bdb9d3e6

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #9 on: January 08, 2018, 01:13:52 PM »
Hello,
"technews.tw" is not in the blacklist. Send us the detected file using https://www.avast.com/false-positive-file-form.php

Milos

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: UrlMal-inf found in 4 infected PDF files.
« Reply #10 on: January 08, 2018, 02:30:57 PM »
Hi Maxwell14,

What you mention is not an avast detection, but rather a general IDS alert (by Fortinet etc.)
for a so-called potentially suspicious .tw domain, not specifying that this domain actually is suspicious.

There is a remote chance, and also know that the IP has been shared by miscreants:
https://www.robtex.com/ip-lookup/52.84.64.12
but that is another problem for that hoster, cloudfront dot net, Wilmington, USA!
Re: https://www.robtex.com/ip-lookup/52.84.64.12

Interesting to know what Milos will find or not, skimming over these PDF files you sent in ;)

polonus