False Positive on a PDF File

[REDACTED]

Hey, it's seems that you have a false positive on this file:
www.digitalwhisper.co.il/files/Zines/0x08/DW8-3-OpenSource.pdf

This is the results on VirusTotal:
https://www.virustotal.com/en/file/73ba703c6676eeb5cf11ee9172298b09adfe70ab7939ebdca9e2138c0e6dd503/analysis/1440359749/

you are the only AV that mark this file as a virus "PDF:UrlMal-inf [Trj]".

it will be nice if you will be able to check it. Thanks!

Also, I have the original DOC file that made this PDF if you want to try it in your labs.

[Asyn]

You can report a possible FP here: https://www.avast.com/contact-us.php?subject=VIRUS-FILE

[polonus]

Hi DigitalWhisper,

Seems fine: see -> -http://zulu.zscaler.com/submission/show/f2dc91ed752503b8e15068dc42c4ed33-1440362315
and  -> -http://urlquery.net/report.php?id=1440362459166
2007 word document saved as pdf mistaken as being malformed might have produced a FP!
See: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.digitalwhisper.co.il%2Ffiles%2FZines%2F0x08%2FDW8-3-OpenSource.pdf
Jokingly I could say there is "the right amount of tomato-sauce in the ketchup"     
so a false positive!
But you have to wait for an Avast team member to no longer flag it,
as we here are only volunteers with some relevant knowledge

polonus

[Pondus]

Does the pdf.doc contain a URL ? ... a blacklisted URL

[polonus]

Hi Pondus,

I do not see that or it must be obfuscated, it should be scanned with Milano.
There were instances of Avast flagging PDFs earlier that were FP.
Interesting here: -https://archive.hackerspace.org.il/Magazines/he/DigitalWhisper/Seperated/0008/
Is that what you were aiming at.
Here Avast does not flag: https://www.virustotal.com/nl/file/81cab78a692d660eafb37711d4a75b0d1559f3a0dc92c9c78f4d529fd2f23f10/analysis/1440367603/ Technology Papers.

pol

[Pondus]

I do not see that or it must be obfuscated,

have you looked in the pdf.doc?



you did a urlQuery scan of the downbload link ... did you click the picture and read the info   

Forbidden

You don't have permission to access /files/Zines/0x08/DW8-3-OpenSource.pdf on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

so we can not download the pdf.doc and inspect it .... i have tried
and since the detection show on his scan of the pdf.doc on VT i assume the problem is in the pdf.doc and not the download URL .... or am i wrong?

[polonus]

Hi Pondus,

You could do the same if you look here: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.digitalwhisper.co.il%2Ffiles%2FZines%2F0x08%2FDW8-3-OpenSource.pdf
Only link: 90.806 509.03 281.18 523.58 but is that an IP?

polonus

[REDACTED]

Hey, I'm sorry about the "Access Denied", it's our hosting ACLs.

I uploaded the file to tinyupload (if you have an Avast installed - it will notify you when you start to download it...):

http://s000.tinyupload.com/index.php?file_id=66693826811951834247

[polonus]

Avast alerts a link to -http://www.oriidan.info/article/thoughts as with URL:Mal, general detection.
This not flagged: https://www.virustotal.com/nl/url/5dd45c1404378d2a57229849a2e82c3a8821a707fdca4157869841c869717b4f/analysis/1440400237/

polonus

[HonzaZ]

Exactly as polonus said: we block oriidan.info, and the PDF contains a link to oriidan.info. The domain was blocked due to DNS hijack - change DNS hosting, let me know and I will unblock it ;-)