False Positive?

[notanotherdisplayname24get 0]

Hi,

Eset got all excited about about a file on my system when moving some old data around yesterday. Which, if it is a trojan threat, means I need to let a few others who will have downloaded the same file know. But... I rather suspect it's a false positive. Can anyone help please?

The file in question is one that I downloaded from a private forum (which I run, although I wasn't the one to create the file or upload it to the forum) and is an PDF document with rules of our organisation.

It's been on my system (and the forum - and presumably a sizeable subset of the forum's member's computers) for the last 18 months without any issue until yesterday.

Detection only gave me the option of deleting the file, so I cannot submit for analysis, but the malware allegedly found was PDF/Phishing.A.Gen trojan (see screenshot snippet attached below of the error message - this one from checking the forum where the original was held - forum webaddy obfuscated for reasons of confidentiality).

Now given the amount of time involved since the file was downloaded, and the fact that neither ESS9 nor malwarebytes finds anything else on my computer - nor has anyone else reported any issues - and the nature of the content of the file, it seems very unlikely that this is a real positive.

Before I start to worry all others who may be affected by this into wasting as much time as I have myself on something that I suspect isn't an issue, is there any way of confirming a) what a PDF/Phishing.A.Gen trojan is (it doesn't have a definition in the ESET threat database info - as far as I can see...) and b) if it really is an issue, or as I now suspect, just a false positive.

Many thanks in advance for your help.

Edited January 31, 2017 by notanotherdisplayname24get

[Marcos 4,706]

You can temporarily disable protection in order to submit the file to samples[at]eset.com.

[notanotherdisplayname24get 0]

Errm, except, as I said, the only option it gave me was delete. So as it initially seemed dangerous, that was all I could do. And so did!

Which means I don't have a copy of the file... Doh...

So I guess there's nothing I can do without that, other than....

...ask again what the Phishing.Gen.A threat is.

(I couldn't find it on the threat list on the Eset site. It doesn't seem high risk to me, but before I demote it to not worth worrying others (on the forum that held the file) about I'd really like to know a bit more about the threat to make a sensible decision on that. And there seems to be very little anywhere online about it.)

[itman 1,541]

It's probably this or a new variant of it: https://securelist.com/blog/phishing/71963/a-phishing-trampoline-embedding-redirects-in-pdf-documents/

Edited February 1, 2017 by itman

[notanotherdisplayname24get 0]

Many thanks for the suggestion itman.

But I suspect it isn't that. As the PDF was uploaded as a direct attachment to our forum for our members to then download. So no email links involved! Eset was querying the file itself not any link to it.

Has anyone got any info on what the PDF/Phishing.A.Gen threat is (particularly when it's not an email link to a file but the file itself)

[Marcos 4,706]

Where can I find that file?

[notanotherdisplayname24get 0]

Well that's part of the problem. Eset would only clean by deletion - so I have no copies left on my system. Am asking if a colleague still has a copy left on his system - if so I'll send to samples at eset

[notanotherdisplayname24get 0]

My colleague only has an older version of the file (and originally it was just a word file - sent in error to samples at - sorry - please ignore that one!). I'll see if any of my other colleagues has that particular one now I'm pretty sure it's a false positive and send if I can get them to send it to me (assuming eset will allow it to be forwarded...)

[Marcos 4,706]

Before cleaning / deleting a detected file, a copy of the original file is put to quarantine. Do you have your ESET quarantine empty and therefore it's not possible to restore the file?

[notanotherdisplayname24get 0]

Quarantine so well hidden, and the fact that it said deleted rather than quarantined made me think there was nothing left on my computer! But found - and submitted. Thanks - can you let me know if it is a false positive please.

[Marcos 4,706]

Even if the alert says "Cleaned by deleting", a copy of the original file is put to quarantine. I can't find the file in our ticketing system with samples sent to samples[at]eset.com. Please send it to me via a personal message.

[itman 1,541]

Also the variant current floating around the web is described here: http://www.komando.com/happening-now/386081/beware-of-these-new-pdf-phishing-scams

[notanotherdisplayname24get 0]

Marcus - can't find a way of extracting it from quarantine to send - other than right clicking and send for analysis, which I did, but from your previous msg seems not to have reached your system? Any suggestions on how to send via PM - sorry if I'm being dim here!

itman - thanks, but as I said, the file didn't come via email. It was downloaded from a totally legit source (a private forum with only a few members within the board it was posted to) and is an internal PDF document that was created by one of those few forum members. Only they should have access to it, so defo not a phishing email!

[notanotherdisplayname24get 0]

Marcus - Have tried resending from quarantine as can't see any way of getting it to stay outside quarantine long enough to send as a PM before eset puts it back into quarantine. Hopefully will be in your ticketing queue by tomorrow.

[notanotherdisplayname24get 0]

Marcus - was there any news on whether this was a false positive or not? (Did you even get the file in the end?)

[Marcos 4,706]

Let's drop me a pm with the download link so that I can download the pdf file myself.

[Bert van Wijk 0]

Exact same problem here. Send my file from the quarantine to the viruslab. Waiting for reply.

[Marcos 4,706]

2 hours ago, Bert van Wijk said:

Exact same problem here. Send my file from the quarantine to the viruslab. Waiting for reply.

How did you submit the file to ESET? I was unable to find any pdf that has been submitted recently.

[Bert van Wijk 0]

Hi Marcos,

See attachment. That's how I send the document from quarantine. It is a Word document by the way, which I cannot convert to PDF because of the PDF/Phishing.A.Gen problem

Regards, Bert

Eset.zip

[Marcos 4,706]

Please report it again as per the instructions at http://support.eset.com/kb141. Please report it again per the instructions at http://support.eset.com/kb141.

[notanotherdisplayname24get 0]

Hi Marcus - just found another copy of my original file and managed to get Eset to ignore the path it was in so I could zip it up. Sent via PM as originally requested. Hopefully you can now tell me for sure it's a false positive!

[jonfr 0]

I just saw this forum after searching for topics on this Virus ( PDF/Phishing.A.Gen trojan ).  Got two alerts (one a few weeks before the other)regarding it and scanned (multiple scanning engines) with no results.  Looked in the indicated location and nothing was found.  Go another alert two days after the last alert.

This time we discovered that in the Windows/temp folder pdf files with similar names are being generated and deleted in about second (not enough time to scan them -  have a video of this process).  We also discovered that if Outlook is closed the auto-generation stops.  I tried removing Office and re-installing it, but this did not work.  I ended up having to rebuild the system.