Specificially https://en.z-lib.gs/
I downloaded some pdfs from there and according to virustotal and some pdf online scanner i tried, they have something possibly malicious going on in them. I already deleted them but i opened them in firefox pdf reader. I dont have acrobat installed.
Scanning my system with malwarebytes now, but nothing is finding anything wrong and I havent seen any suspicious activity.
Here is the analysis itself.
I’m starting to panic, please help if you have any advice
Thank you all, you are wonderful people
Just for future highly recommend to use this for future PDFs https://github.com/freedomofpress/dangerzone
Is this in the megathread? If not, it should be.
Adding this as the second app alrey this year that I’ll install simply based on the name alone (only drams being the other).
None of the activity looks hugely out of place for opening a pdf. My advice would be to take a known safe pdf, upload that to virustotal and compare the activity results and see how different they are if at all.
There might be differences based on pdf content so best to try and find a similar pdf (images, urls, etc)
This was good advice. I did that with another pdf and it does look similar.
That virultotal report looks completely fine to me, including the behavior tab.
Regardless, imagine what would happen if the firefox pdf reader was vulnerable to a well-known attack (of course there probably exist 0 days but they wouldn’t be burned on you). Any attacker could simply link you a PDF and you’d be infected simply for clicking the link? If this was true, people would stop using firefox because it would be insecure.
I have downloaded hundreds of documents from Z-library and LibraryGenesis and never had an issue with a single one of them.
That virus total scan shows free and clear, it has some warnings about there being external links inside the doc afaik (VT very broken on mobile so i can’t understand the report well), but that’s really fringe edge stuff to actually be “dangerous”. You’re over-awfulizing the danger.
If it is new malware, scanners wouldnt pick up on it.
On behavior tab there is tons of stuff. Shouldnt there be none? I dont know too much about virustotals results mean, but doesnt the mitre thing mean it could potentially do something like that?If it is new malware, scanners wouldnt pick up on it.
Actually they do often pick up on it, unless it is a very novel attack vector (and probably not something you’d find on a pirate site). Malware often follows very predictable code execution patterns of communicating with outside IP’S and modifying other executables, and these are things that can be detected by most AV.
On behavior tab there is tons of stuff. Shouldnt there be none?
There will never be none. it’s all listed as low or no risk/informational only anyway, which goes back to the pattern recognition thing.
VT is listing things that the file has done during viewing. ALL things. This stuff might or might not be a concern, whether or not it’s a known attack or pattern of malicious behavior. If you are a legit security analyst you can use the behavior data to see what files its touching and stuff and understand good and bad security design. Like, the only actual yellow warning is… it apparently looked at Google dns. Which is something any browser pdf viewer will do.
Oh. The other thing I forgot to mention, is every submission to Z-Lib goes through an approval process where a certain number of community contributors have to review the document and make sure it’s legible, safe, and valid. I know, because I’ve submitted stuff before, it takes quite a few days to go live. It’s not just random bad actors shotgunning stuff onto the site.
thank you, that puts my mind at ease somewhat
The only way to be 100% sure is to wipe the machine. If its a business machine it should be wiped asap.
Correct me if I’m wrong, but that virustotal link gives a summary of: “No security vendors flagged this file as malicious”
So Virustotal did not find and malware or viruses?! The files should be perfectly fine to use.
Check the behavior tab
I think these tabs are meant for experts who know how to interpret a full log. Seems to me like Virostotal uses Acrobat Reader or something to open the files. I’m not an expert on what Acrobat is supposed to do once it runs. Sure, it’s going to do some system calls as every software does. And there is something with internet URLs. Could be some phishink link detection or URL prefetching, that is either part of Acrobat or Virustotal? And Acrobat Reader seems to be calling home to check for updates. That triggers the “low” IDS rule. Everything else is pretty much “NOT FOUND” or “INFO” and tells the story of how Acrobat Reader operates. None of it is flagged or indicated in red text.
I’d treat those PDFs like any other one. Don’t just click on any random link in them, and if the PDF contains a form, don’t enter your private details and submit them unless you’ve verified where that form sends them to. But I doubt that’s happening here.
The first rule of dealing with malware and exploits, don’t panic, you’ll make things worse, the second rule is, isolate the machine from your other machines ( so make sure it doesn’t communicate with anything, Bluetooth, Hotspots, and obviously the Internet ), thirdly, boot into safe mode with networking off, and delete the files… check the event viewer, check the task manager, check the installed apps, check for hidden files in the C directory, check for installed Extensions in your browser, if anything seem unusual, revert the changes, by restoring to a previous restore point ( you do have a restore point set right ? )
If the problem ( the change that has been done by the malware ) doesn’t go away, it’s time to backup your data to an external drive, and reimage the machine
Edit : don’t blindly trust files from Z Lib, some uploaders are evil, unfortunately… If the file seem bigger than it should be then it’s shady, also read the reviews, as far as opening PDFs in Firefox goes, Firefox PDF viewer is secure as far as I know, the last major vulnerability was in 2015
I’m not sure what to look for if there is something hidden. I cant tell if there are any odd processes but everything seems to be signed correctly. There is nothing odd in C root either and i wouldnt know what to look for from the folders. There are no odd installed applications either.
I have had similar scare before when I installed a game I downloaded from skidrow reloaded website.(over year ago) The installer did something with cmd window, something about system image, i dont remember anymore. The file was also too big for scanner to scan and I dont think virustotal accepted it either due to size. However, I did system restore after that.
I also asked an acquittance who works in some tech company to help, even showed the install process to him, but he said it didnt seem dangerous. I have also been running r-kill occasionally and doing scans with hitmanpro’s early detection but they havent found anything either. I have also been occasionally monitoring things with tools from sysinternals but I’m not sure if i would even notice if anything was odd.
The link to Z-Library itself is one of the legitimate ones from what I know so I wouldn’t worry on that side too much.
PDFs have a few exploits that could infect a system. However they are rare and not efficient especially if the intent is to infect as much machines as possible.
If you don’t have much technical knowledge to analyze the files yourself, I would recommend you open the PDFs in Virtual Machines without any acess to the internet or opening the files only when you have disconected your device from any acess to the internet.
Tools like the one mentionned by someone else in the comments would be good to prevent from having to worry about a potentially malicious PDF. Various tools are around to convert a malicious file lile PDFs into regular “trusted” PDFs (said tools flattens everything making it impossible to select text or click any URIs included). I would look up the trustworthiness of some of those tools first (to not try and avoid malwares by installing one).
That was way too long of a comment but I hope it could ease some of your worries.
None of the scanners on VirusTotal picked up anything. What makes you think the PDF if malicious?
the behaviour tab, also based on this https://scan.tylabs.com/ website.
