Zotero-6.0.5_setup.exe: Malware in pdfinfo.exe?

VirusTotal reports two security vendors flagged Zotero-6.0.5_setup.exe as possibly containing malware in its bundled pdfinfo.exe file. The two reporting vendors are BitDefenderTheta (AI:Packer.E70D8ABC1F) and Cyberreason (Malicious.9e0bd1). Anyone else seeing the same?

SHA-256 of my Firefox and Edge downloaded Zotero-6.0.5_setup.exe files:
7104E63798AA8AC27A33314C3CEBFB7B16476974ACC8F76C3B967C6B0BF300B3

https://www.virustotal.com/gui/file/7104e63798aa8ac27a33314c3cebfb7b16476974acc8f76c3b967c6b0bf300b3

Reported SHA-256 of bundled pdfinfo.exe: 3b2805c570285f442f0a537d1dbfda91dff90333641c492157ebb0798e267c73

https://www.virustotal.com/gui/file/3b2805c570285f442f0a537d1dbfda91dff90333641c492157ebb0798e267c73

  • It's a false positive. The current pdfinfo hasn't changed since the final Windows release of Zotero 5.0 last August. You can verify this by downloading the ZIPs of 5.0.96.3 and 6.0.5 (or you can download the .exes and use 7z to extract pdfinfo.exe) and run signtool remove /s from the Windows SDK on the pdfinfo.exe files, which will then be identical.
  • @dstillman -- Thanks for the prompt reply to my earlier post. You may be correct that it is a false positive, but I am not so sure. While I am no malware analyst, there are some issues that concern me. Perhaps you have sufficient visibility to answer these questions.

    1. VirusTotal reported under Behavior tab from Microsoft and Zendesk [1], that pdfinfo.exe from 5.0.96.3 connected to three IPv4 address belonging to Akamai, Amazon, and Multicast. Two of these address show up in at least two other VirusTotal malware reports [2, 3]. In addition, IPQualityScore, thru Maltego CE, ranked these addresses as high for fraud (75/100). Are connections to these IP addresses expected?
    • 16[.]152[.]214[.]23
    • 23[.]216[.]147[.]76
    • 234[.]173[.]86[.]20

    2. The pdfinfo.exe file calleds the getTickCount function thorough KERNEL32.dll. While Adobe uses this function for legitimate purposes [4], it is also used to avoid detection or for delayed functionality [5, 6]. Is getTickCount an expected function call?

    3. VirusTotal [7] stateed the first alert for pdfinfo.exe was on August 12, 2021, which was a week before the date of 5.0.96.3 folders in the Zip file. So, whatever the cause of the alert (false positive or malicious), it was present in the wild when 5.0.96.3 was compiled. If submitting pdfinfo.exe compiled before August 2021 to VirusTotal did not show same alert/behavior, that would indicate a true malicious alert from 5.0.96.3 and later, if my logic is correct. Could you provide a link to a July 2021 or earlier versions of pdfinfo.exe for submission to VirusTotal?

    4. The pdfinfo.exe file has changed (at least by one bit) between 5.0.96.3 and 6.0.5. The hash values are different. The SHA-256 hashes I get match what others have reported to VirusTotal. For 5.0.96.3, I get a SHA-256 of 029027839EC899D004AC4285BE4DD6EA4E124FC3761C37D25905F0E9A39663B1 [8]. For 6.0.5, I get 3B2805C570285F442F0A537D1DBFDA91DFF90333641C492157EBB0798E267C73 [9]. You said pdfinfo.exe had not changed, but maybe a developer made a non-functional change that changed the hash. Could a developer have changed the pdfinfo.exe file between 5.0.96.3 and 6.0.5?

    Thank you for your time and expertise. I look forward to your reply.

    References

    [1] https://www.virustotal.com/gui/file/029027839ec899d004ac4285be4dd6ea4e124fc3761c37d25905f0e9a39663b1/behavior/

    [2] https://www.virustotal.com/gui/file/259802212619473b387d6dc98ecb33840c88f33bac85a1a7af65ecd2565e5e1a/behavior/

    [3] https://www.virustotal.com/gui/file/e8590980e8f3d57e8b2fe107ef2fbce0020a2eac018a64a007817888ebf04c54/behavior/Zenbox

    [4] https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/gettickcount.html

    [5] https://attack.mitre.org/techniques/T1124/

    [6] https://attack.mitre.org/techniques/T1497/003/

    [7] https://www.virustotal.com/gui/file/029027839ec899d004ac4285be4dd6ea4e124fc3761c37d25905f0e9a39663b1/details

    [8] https://www.virustotal.com/gui/file/029027839ec899d004ac4285be4dd6ea4e124fc3761c37d25905f0e9a39663b1

    [9] https://www.virustotal.com/gui/file/3b2805c570285f442f0a537d1dbfda91dff90333641c492157ebb0798e267c73





  • You're misinterpreting these results.

    pdfinfo.exe doesn't make any network requests. As you can see from "File system actions" under [1], there's Windows Error Reporting activity being logged, and that's presumably what triggered the network requests. And you have two of the IP addresses (23.214.152.16 and 20.86.173.234) backwards — the actual connections are to 1) Microsoft and 2) Akamai. If you look up scans for other pdfinfo.exe versions, you're only going to see Microsoft and Akamai endpoints. From Microsoft:
    Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
    And they specifically list Akamai endpoints for Windows Error Reporting.
    VirusTotal [7] stateed the first alert for pdfinfo.exe was on August 12, 2021, which was a week before the date of 5.0.96.3 folders in the Zip file. So, whatever the cause of the alert (false positive or malicious), it was present in the wild when 5.0.96.3 was compiled.
    August 12, 2021 was when we built the currently used version of pdfinfo:

    $ curl -sI 'https://zotero-download.s3.amazonaws.com/pdftools/pdftools-0.0.5.tar.gz'; | grep Last-Modified
    Last-Modified: Thu, 12 Aug 2021 05:18:45 GMT


    The "First Seen In The Wild" field seems to generally just list a time that's precisely one hour after the 8/12 compilation time embedded in the file. The only exception is one scan that shows an "in-the-wild" date of December 2020, for a file we created in August 2021. This isn't a meaningful piece of data.
    The pdfinfo.exe file has changed (at least by one bit) between 5.0.96.3 and 6.0.5.
    The files are re-signed during the packaging process, so comparing hashes across versions isn't meaningful. I explained above how to strip the signature and compare the files directly. The pdfinfo.exe from 5.0.96.3 and 6.0.5 are the same. Needless to say, we have not been distributing malware to millions of people, undetected, for the last eight months.
    Could you provide a link to a July 2021 or earlier versions of pdfinfo.exe for submission to VirusTotal?
    You can see all the previous versions you want by adjusting the version in the download URL (using "win32-zip" to get the ZIP file so you don't need to use 7zip on each one):

    https://www.zotero.org/download/client/dl?channel=release&platform=win32-zip&version=6.0.5

    Versions are listed here:

    https://www.zotero.org/support/changelog

    But all it will show you is that that one scanner started flagging the version of pdfinfo.exe we built on 8/12/2021.

    Our version of pdfinfo.exe is built from this repo:

    https://github.com/zotero/cross-xpdf

    There's nothing in the compilation path other than the official Debian Jessie Docker image and the Xpdf source code. Building that from scratch (after a few updates to get it to build) results in a file that's the exact same file size as the one we built last August, with the only differences being a timestamp in the PE header and three other bytes that I'm not going to bother figuring out:

    9c9
    < 00000080 50 45 00 00 4c 01 0f 00 34 35 66 62 00 d2 13 00 |PE..L...45fb.�..|
    ---
    > 00000080 50 45 00 00 4c 01 0f 00 e9 ac 14 61 00 d2 13 00 |PE..L...�.a.�..|
    14c14
    < 000000d0 00 60 14 00 00 04 00 00 d6 46 1c 00 02 00 00 00 |.`......�F......|
    ---
    > 000000d0 00 60 14 00 00 04 00 00 3a bd 1b 00 02 00 00 00 |.`......:�......|


    I don't know why that one scanner out of 70 started flagging that version of pdfinfo.exe from last August, but it's a false positive.
  • @dstillman. Thank you again for your timely and detailed answers to my questions. You have assuaged my concerns. I now feel confident that the VirusTotal alerts were a false positive.
Sign In or Register to comment.