Author Topic: Undetected PDF threat?

Offline Michael824

  • Newbie
  • *
  • Posts: 2
Undetected PDF threat?
« on: July 10, 2024, 09:22:35 PM »
Hi. I downloaded and opened an unknown PDF in Acrobat on my MacBook that contains phishing and trojan code. (Unfortunately I opened it in the non-sandboxed full version of Acrobat).

While I did not click on any of the links in the PDF, as I noticed it was clearly a phishing attempt, I was unaware simply opening it could run JavaScript and compromise my Mac.

I don't know if it did compromise my Mac, but yesterday I uploaded the PDF to VirusTotal and 4 of the 62 vendors detected it as phishing. Today, 11 of the 62 vendors now detect it, both as phishing and trojan. In VirusTotal's sandbox, it clearly is adding/deleting/dropping files.

The sandbox that runs on VirusTotal may only be running in a Windows environment though, as that appeared to be the file structure. I don't think VirusTotal's sandboxes would mimic loading that PDF in a non-sandboxed Acrobat on a Mac.

Here is the file reference on VirusTotal:

3dc8aea3ed93ae9a5d820851542c84e409b16ade7956983424d8f46206172655


The PDF file is now only in my "trash". I purchased and ran an Avast scan on my MacBook just now, and it did not detect any malware issues (or that virus file). I'm concerned it may not be catching potential changes it made to my system and a planted trojan, since this may be a new threat.

EDITED: I did just send the PDF file to Avast as a false negative so they can add it to their definitions, as well as determine if it is leaving malware or trojan code on Macs. Hopefully they will do this, as I don't know what their process/policy is.

Thank you
« Last Edit: July 10, 2024, 09:47:16 PM by Michael824 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Undetected PDF threat?
« Reply #1 on: July 10, 2024, 09:47:28 PM »
Quote
EDITED: I did just send the pdf file to Avast as a false positive so they can add it to their definitions,
you mean false negative?   https://www.avast.com/submit-a-sample

False positive = clean file detected as malware

False negative = Malware file not detected

Anyway, it is detected by Avast on VT now:
https://www.virustotal.com/gui/file/3dc8aea3ed93ae9a5d820851542c84e409b16ade7956983424d8f46206172655?nocache=1


« Last Edit: July 10, 2024, 10:13:18 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Undetected PDF threat?
« Reply #2 on: July 10, 2024, 09:49:26 PM »
Quote
The PDF file is now only in my "trash". I purchased and ran an Avast scan on my Macbook just now, and it did not detect any malware issues (or that virus file).
Does Avast scan the trash folder? I don't know, as I don't use Avast.


Offline Michael824

  • Newbie
  • *
  • Posts: 2
Re: Undetected PDF threat?
« Reply #3 on: July 10, 2024, 10:11:07 PM »
Thank you for the reply!

1. Yes, I meant false negative. I corrected it.

2. I do see it is now detecting it on VT; however, if I right-click on that PDF on my computer (in my downloads folder), it says "No Threats Found". My Avast is updated as of a minute ago.

3. I'm mostly concerned about any trojan/malware it may have left on my Mac. I'm hoping that the scripts were only written for Windows. How would I check that, as I am relying on Avast right now to see if there are any traces? But since it says the file is fine, maybe it means there is no threat on a Mac?
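One first step a defender can take without opening the file again is a purely static triage: hash the PDF (so the value can be compared with the SHA-256 shown on VirusTotal) and look for the PDF constructs that make a document able to run code or reach out on open (/OpenAction, /AA, /JavaScript, /JS, /Launch, /EmbeddedFile), including inside FlateDecode-compressed streams and behind #XX name escapes. The script below is an added example written for this thread, not code from the forum or from Avast; the three sample PDFs are constructed in memory, and the scanner never renders or executes anything. A positive result only says the file deserves a closer look; it does not say whether the Mac was compromised, which is the question the malware-removal forums mentioned later in the thread are for.

```python
"""Static triage of a PDF: SHA-256 plus a count of risky PDF name keywords.

Added example; reads bytes only, never renders or executes the PDF.
"""
import hashlib
import re
import sys
import zlib

# PDF name objects that let a document act on open or launch something.
RISKY_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/URI", b"/SubmitForm"]
# Keys that alone make the file worth treating as suspicious.
ACTIVE_KEYS = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the identifier VirusTotal shows for a file."""
    return hashlib.sha256(data).hexdigest()


def inflate_streams(data: bytes) -> bytes:
    """Concatenate the inflated bodies of every stream that zlib can decode.

    Keywords inside compressed object streams are invisible to a plain
    grep, so the inflated bodies are scanned too. Streams that are not
    FlateDecode (or are corrupt) simply fail to inflate and are skipped.
    """
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"".join(out)


def normalize_names(data: bytes) -> bytes:
    """Resolve #XX escapes in names, e.g. /J#61vaScript -> /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return hash, PDF-header check, indicator counts and a verdict flag."""
    haystack = normalize_names(data + inflate_streams(data))
    counts = {}
    for key in RISKY_KEYS:
        # Negative lookahead keeps /JS from matching inside /JSFoo etc.
        n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", haystack))
        if n:
            counts[key.decode()] = n
    return {
        "sha256": sha256_hex(data),
        "is_pdf": data.startswith(b"%PDF-"),
        "indicators": counts,
        "suspicious": any(k in ACTIVE_KEYS for k in counts),
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_pdf(fh.read())


# Constructed sample inputs (not real malware): a plain document, one with
# an OpenAction that runs JavaScript, and one hiding the same keywords in a
# compressed stream with a hex-escaped name.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
          b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
          b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
          b"trailer << /Root 1 0 R >>\n%%EOF\n")
_hidden = zlib.compress(b"<< /S /J#61vaScript /JS (1) >>")
OBFUSCATED_PDF = (b"%PDF-1.4\n4 0 obj << /Length " + str(len(_hidden)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + _hidden
                  + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_file(sys.argv[1]))
    else:
        for name, blob in (("benign", BENIGN_PDF), ("js", JS_PDF),
                           ("obfuscated", OBFUSCATED_PDF)):
            print(name, triage_pdf(blob))
```

Run it as `python3 triage.py ~/Downloads/suspect.pdf` and compare the printed SHA-256 with the one on VirusTotal before reading the indicators. The keyword approach is the same idea behind tools such as pdfid; it can be evaded by filters other than FlateDecode or by split-up names, so a clean result is evidence, not proof.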

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Undetected PDF threat?
« Reply #4 on: July 10, 2024, 10:19:09 PM »
Quote
3. I'm mostly concerned about any trojan/malware it may have left on my mac. I'm hoping that the scripts were only written for Windows.  How would I check that, as I am relying on Avast right now to see if there are any traces - but since it says the file is fine - maybe it means there is no threat on a mac?

There is no malware help and log check to get in this forum any more; all the experts have left the building.

I recommend the Malwarebytes forum https://forums.malwarebytes.com/ ; they have a Mac section: https://forums.malwarebytes.com/forum/165-mac-malware-removal-help-support/

Alternatives: BleepingComputer https://www.bleepingcomputer.com/ or Geeks to Go https://www.geekstogo.com/forum/

« Last Edit: July 10, 2024, 11:44:10 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Undetected PDF threat?
« Reply #5 on: July 10, 2024, 11:23:03 PM »
The PDF malcode dates back to 2022.

Further info says (AI supported):

The report indicates that the file is a PDF exploit kit (EK) used to deliver malware.
Specifically, it is detected as a type of PDF exploit kit known as "LunchDrop" or "LunchDrop SKM",
which is a family of PDF exploits that target vulnerabilities in Adobe Acrobat and Adobe Reader.

The file is dated back to 2022, with the earliest detection being reported on February 16, 2022.
However, it's likely that the file was created earlier and was distributed through various channels,
including email spam, phishing campaigns, or drive-by downloads.

The malware is designed to exploit vulnerabilities in Adobe Acrobat
and Adobe Reader to execute arbitrary code on the victim's system.
The malware can lead to the installation of additional malware,
including ransomware, trojans, and other types of threats.

It's essential to note that the file is not a legitimate PDF document and should be treated as malicious.
If you have opened or downloaded this file, it's recommended to immediately disconnect from the internet, update your antivirus software, and run a full scan of your system to detect and remove any potential malware infections. (See the sites with qualified malware removers that Pondus mentioned to you, which may help you remove the malware under guidance.) (Remember, such a routine is strictly personal and not a general routine.)

Remember to always exercise caution when opening or downloading files from unknown sources,
especially if they are in PDF format. It's also crucial to keep your software
and operating system up-to-date with the latest security patches and updates.

polonus
« Last Edit: July 10, 2024, 11:28:16 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Undetected PDF threat?
« Reply #6 on: July 10, 2024, 11:41:16 PM »
Quote
The file is dated back to 2022, with the earliest detection being reported on February 16, 2022.

VT History:
First Submission: 2024-07-10 00:24:19 UTC
Last Submission: 2024-07-10 15:58:31 UTC
Last Analysis: 2024-07-10 21:16:09 UTC



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Undetected PDF threat?
« Reply #7 on: July 12, 2024, 07:57:33 AM »
What do we call that at VT? Is it water under the bridge (not significant anymore)?

Hi Pondus, Thanks for coming up with the data to prove this.

pol