Mailing List Archive

ClamAV has detected Pdf.Phishing.CWS4c384287-9890237-0
Hi,

a detection of Pdf.Phishing.CWS4c384287-9890237-0 has been checked on
www.virustotal.com, see [1], and a report has been issued on the page

https://www.clamav.net/reports/fp

because only ClamAV has a detection in [1].

It would be great if someone could have a first look at that report. If
the file is really infected, urgent actions under the GDPR with some
impact would be needed.

With best regards,

Andreas

[1]: See
https://www.virustotal.com/gui/file/d35e58f4654ce1c72c76693b8b3d29132bc7e5d9ed3219e0c16d1cbb309235a4

--


ITEK Technologie GmbH
Technologiepark 14
33100 Paderborn

Tel. +49 5251 / 16140
Fax +49 5251 / 161499
www.itek.de
mailto: Andreas Rulle@itek.de

Managing Director: Prof. Dr. Uwe Kern
Court of registration / number: Paderborn / HRB 13522
Re: ClamAV has detected Pdf.Phishing.CWS4c384287-9890237-0
The signature causing this FP alert has been dropped earlier today. This
should be reflected in the next signature definitions update.

Thanks for reporting the issue.

-Alain

On Fri, Sep 10, 2021 at 4:48 PM Andreas Rulle <andreas.rulle@itek.de> wrote:

> Hi,
>
> a detection of Pdf.Phishing.CWS4c384287-9890237-0 has been checked on
> www.virustotal.com, see [1], and a report has been issued on the page
>
> https://www.clamav.net/reports/fp
>
> because only ClamAV has a detection in [1].
>
> It would be great if someone could have a first look at that report. If
> the file is really infected, urgent actions under the GDPR with some impact
> would be needed.
>
> With best regards,
>
> Andreas
>
> [1]: See
> https://www.virustotal.com/gui/file/d35e58f4654ce1c72c76693b8b3d29132bc7e5d9ed3219e0c16d1cbb309235a4
Re: ClamAV has detected Pdf.Phishing.CWS4c384287-9890237-0
Hello ClamAV-Team,

thank you for evaluating the reported file again, as announced in your
email reply to the false positive report.

During the last security scan it has been marked as
Pdf.Malware.Agent-9892145-0, as it is now on virustotal.com, see [1].

The relations tab on virustotal shows that the following URL has been
contacted:

https://ardownload3.adobe.com/pub/adobe/reader/win/AcrobatDC/2100520060/AcroRdrDCUpd2100520060_MUI.msp
<https://www.virustotal.com/gui/url/7c4e67e54d907af04cc1d8acaa55d85a4a9576e6bb3bb7a8f593b805ee6853ae>

This URL seems to point to the last Acrobat Reader download that includes a
security patch. No security vendors flagged this URL as malicious, see [2].

There are questions that we have at the moment. What is the best way to
explain to external partners why the file is a threat and what concrete
harm it can cause?

It would be really great if you could give us a hint to answer those
questions.

With best regards,

Andreas

[1]:
https://www.virustotal.com/gui/file/d35e58f4654ce1c72c76693b8b3d29132bc7e5d9ed3219e0c16d1cbb309235a4/

[2]:
https://www.virustotal.com/gui/url/7c4e67e54d907af04cc1d8acaa55d85a4a9576e6bb3bb7a8f593b805ee6853ae/detection

