Thanks for the prompt reply to my earlier post. You may be correct that it is a false positive, but I am not so sure. While I am no malware analyst, there are some issues that concern me. Perhaps you have sufficient visibility to answer these questions.

1. VirusTotal reported, under the Behavior tab from Microsoft and Zendesk, that pdfinfo.exe from 5.0.96.3 connected to three IPv4 addresses belonging to Akamai, Amazon, and Multicast. Two of these addresses show up in at least two other VirusTotal malware reports. In addition, IPQualityScore, through Maltego CE, ranked these addresses as high for fraud (75/100). Are connections to these IP addresses expected?

2. The pdfinfo.exe file calls the getTickCount function through KERNEL32.dll. While Adobe uses this function for legitimate purposes, it is also used to avoid detection or for delayed functionality. Is getTickCount an expected function call?

3. VirusTotal stated the first alert for pdfinfo.exe was on August 12, 2021, which was a week before the date of the 5.0.96.3 folders in the Zip file. So, whatever the cause of the alert (false positive or malicious), it was present in the wild when 5.0.96.3 was compiled. If submitting a pdfinfo.exe compiled before August 2021 to VirusTotal did not show the same alert/behavior, that would indicate a true malicious alert from 5.0.96.3 and later, if my logic is correct. Could you provide a link to July 2021 or earlier versions of pdfinfo.exe for submission to VirusTotal?

4. The pdfinfo.exe file has changed (at least by one bit) between 5.0.96.3 and 6.0.5. The SHA-256 hashes I get match what others have reported to VirusTotal. You said pdfinfo.exe had not changed, but maybe a developer made a non-functional change that changed the hash. Could a developer have changed the pdfinfo.exe file between 5.0.96.3 and 6.0.5?

Could you provide a link to July 2021 or earlier versions of pdfinfo.exe for submission to VirusTotal? I look forward to your reply.

Our version of pdfinfo.exe is built from this repo:

You can see all the previous versions you want by adjusting the version in the download URL (using "win32-zip" to get the ZIP file so you don't need to use 7zip on each one):

But all it will show you is that that one scanner started flagging the version of pdfinfo.exe we built on.
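Two of the four points above can be verified locally rather than from a VirusTotal report: whether the binary actually imports GetTickCount from KERNEL32.dll (point 2), and whether two builds differ by SHA-256 (point 4). The script below is an added example, not code from the thread or from the pdfinfo project: it walks the PE import directory with only the standard library, and compares hashes of two files. The two sample PE images it builds are constructed inline as stand-ins for the real pdfinfo.exe; to check a real download, read the .exe bytes from disk and pass them to the same functions. The IP-address and first-seen-date questions need VirusTotal data and are not covered.

```python
"""Offline checks: does a PE import a given function, and do two builds differ by hash."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def build_sample_pe(imports):
    """Assemble a minimal, constructed PE32 whose only section is an import table.
    imports: {dll_name: [function_name, ...]}. Hypothetical stand-in for pdfinfo.exe."""
    sec_rva, sec_raw = 0x1000, 0x200                    # one section, mapped at RVA 0x1000
    desc_size = 20 * (len(imports) + 1)                 # descriptors + null terminator
    thunks_size = sum(4 * (len(f) + 1) for f in imports.values())
    str_base = sec_rva + desc_size + 2 * thunks_size    # strings follow the ILT and IAT
    strings = bytearray()

    def add_string(s, hint=None):                       # returns the RVA of the string
        if hint is not None and len(strings) % 2:
            strings.append(0)                           # hint/name entries are 2-byte aligned
        rva = str_base + len(strings)
        if hint is not None:
            strings.extend(struct.pack("<H", hint))
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    descriptors, ilt_all, iat_all = bytearray(), bytearray(), bytearray()
    ilt_rva, iat_rva = sec_rva + desc_size, sec_rva + desc_size + thunks_size
    for dll, funcs in imports.items():
        name_rva = add_string(dll)
        thunks = b"".join(struct.pack("<I", add_string(f, hint=0)) for f in funcs) + b"\0" * 4
        descriptors += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva)
        ilt_all += thunks
        iat_all += thunks
        ilt_rva += len(thunks)
        iat_rva += len(thunks)
    descriptors += b"\0" * 20
    section = descriptors + ilt_all + iat_all + strings
    raw_size = (len(section) + 0x1FF) & ~0x1FF          # FileAlignment = 0x200
    section += b"\0" * (raw_size - len(section))

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: PE header at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, desc_size)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", raw_size, sec_rva, raw_size,
                          sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    headers += b"\0" * (sec_raw - len(headers))
    return bytes(headers + section)


def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def pe_imports(data):
    """Return {dll: [function, ...]} by walking the import directory of a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd_off = opt + (112 if pe32plus else 96)            # data directories start here
    imp_rva = struct.unpack_from("<I", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    result = {}
    if imp_rva == 0:
        return result                                   # no import table at all
    fmt, thunk_size = ("<Q", 8) if pe32plus else ("<I", 4)
    ordinal_flag = 1 << (thunk_size * 8 - 1)
    desc = _rva_to_offset(sections, imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break                                       # all-zero descriptor ends the table
        funcs = []
        thunk = _rva_to_offset(sections, ilt or iat)    # some linkers leave the ILT empty
        while True:
            entry = struct.unpack_from(fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"#{entry & 0xFFFF}")      # import by ordinal, no name
            else:                                       # skip the 2-byte hint before the name
                funcs.append(_cstring(data, _rva_to_offset(sections, (entry & 0x7FFFFFFF) + 2)))
            thunk += thunk_size
        result[_cstring(data, _rva_to_offset(sections, name_rva))] = funcs
        desc += 20
    return result


def imports_function(data, dll, func):
    """Case-insensitive DLL match, e.g. imports_function(pe, "kernel32.dll", "GetTickCount")."""
    return any(name.lower() == dll.lower() and func in funcs for name, funcs in pe_imports(data).items())


def compare_builds(a, b):
    """Hash two builds; 'identical' is False if they differ by even one bit."""
    ha, hb = hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()
    return {"identical": ha == hb, "a": ha, "b": hb}


# Constructed samples (not real pdfinfo.exe builds): A imports GetTickCount, B does not.
SAMPLE_A = build_sample_pe({"KERNEL32.dll": ["GetTickCount", "Sleep"], "WS2_32.dll": ["connect"]})
SAMPLE_B = build_sample_pe({"KERNEL32.dll": ["Sleep"], "WS2_32.dll": ["connect"]})

if __name__ == "__main__":
    print(pe_imports(SAMPLE_A))
    print(imports_function(SAMPLE_A, "kernel32.dll", "GetTickCount"))
    print(compare_builds(SAMPLE_A, SAMPLE_B))
```

An import of GetTickCount by itself says nothing about intent: it is also what a timer or progress counter looks like in the import table, so treat a hit as a prompt to look at where it is called, not as a verdict. Two builds of unchanged source will also hash differently whenever the compiler, build date stamp or linker options differ, which is the non-functional change the poster asks about.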