Trojan:W32/FakePDF

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan.PDF.Agent.[variant], Trojan.PDF.Scam.[variant], Trojan:W32/FakePDF.[variant]

Summary

Trojan:W32/FakePDF is distributed via fraudulent spam email attachments; once it has infected a system, the trojan downloads additional files onto the affected machine.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:W32/FakePDF is distributed via a PDF file attached to fraudulent spam email messages. The email is designed to appear to be from the DHL courier company, and contains authentic-looking delivery information:

[Screenshot: Trojan:PDF/Agent.T spam email message]

The email claims that the attached file is a notification for a failed delivery, a classic social engineering trick often used to lure users into downloading and running the attachment.

The PDF file attached to the email comes with an embedded, clickable link. If the user opens the PDF file and clicks the link, a webpage is opened, offering a ZIP file for download:

[Screenshot: Trojan:PDF/Agent.T's malicious file offered for download]

The ZIP file contains the malware itself. If the user downloads the ZIP file, extracts it and runs the executable inside, Trojan:W32/FakePDF infects the system. Note that the PDF document does not exploit the reader; the infection depends entirely on the user following the link and running the downloaded file.
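Because the PDF carries no exploit and only a link, the useful triage step is to pull the link targets out of the attachment without opening it in a reader. The script below is an added example (not from the original description or from F-Secure) that extracts every /URI target from a PDF's link annotations. It assumes the annotations are stored as plain, uncompressed objects; PDFs that pack their objects into object streams (/ObjStm) hide the annotations from a byte-level scan, so the script reports that condition instead of silently returning nothing. The sample PDF and the example.invalid URLs are constructed for this example.

```python
import re
from typing import List

# Constructed sample: a minimal, uncompressed PDF with two link annotations, one whose
# /URI is a literal string (with escaped parentheses) and one whose /URI is a hex string.
# The domain is the reserved example.invalid; nothing here comes from the real attachment.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"  /A << /S /URI /URI (http://example.invalid/track\\(1\\)/DHL_Notification.zip) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]\n"
    b"  /A << /S /URI /URI <687474703a2f2f6578616d706c652e696e76616c69642f62> >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI followed by a literal string (...) whose body may contain backslash escapes,
# or by a hex string <...> (whitespace inside hex strings is permitted by the spec).
_URI_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)
_URI_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')

_ESCAPES = {ord("n"): 0x0A, ord("r"): 0x0D, ord("t"): 0x09, ord("b"): 0x08, ord("f"): 0x0C}


def _unescape_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\n \\r \\t \\b \\f, \\( \\) \\\\ and octal \\ddd."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):            # backslash
            nxt = raw[i + 1]
            if nxt in _ESCAPES:
                out.append(_ESCAPES[nxt])
                i += 2
            elif nxt in b"()\\":
                out.append(nxt)
                i += 2
            elif 0x30 <= nxt <= 0x37:                 # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
            else:                                     # unknown escape: drop the backslash
                i += 1
            continue
        out.append(c)
        i += 1
    return bytes(out)


def is_pdf(pdf_bytes: bytes) -> bool:
    """Readers accept the %PDF- signature anywhere in the first 1024 bytes."""
    return b"%PDF-" in pdf_bytes[:1024]


def has_object_streams(pdf_bytes: bytes) -> bool:
    """True if the file uses object streams; link annotations inside them are compressed
    and invisible to the byte-level scan in extract_uris(), so decompress first."""
    return b"/ObjStm" in pdf_bytes


def extract_uris(pdf_bytes: bytes) -> List[str]:
    """Return the /URI targets of all uncompressed link actions, in file order, deduplicated."""
    found = []
    for m in _URI_LITERAL.finditer(pdf_bytes):
        found.append((m.start(), _unescape_literal(m.group(1))))
    for m in _URI_HEX.finditer(pdf_bytes):
        digits = re.sub(rb"\s+", b"", m.group(1))
        if len(digits) % 2:                           # odd final digit is padded with 0
            digits += b"0"
        found.append((m.start(), bytes.fromhex(digits.decode("ascii"))))
    uris: List[str] = []
    for _, raw in sorted(found):
        uri = raw.decode("latin-1")
        if uri not in uris:
            uris.append(uri)
    return uris


if __name__ == "__main__":
    data = SAMPLE_PDF
    print("PDF signature:", is_pdf(data))
    if has_object_streams(data):
        print("warning: object streams present, decompress before trusting this list")
    for uri in extract_uris(data):
        print("link target:", uri)
```

Run it against a real attachment by replacing SAMPLE_PDF with the file's bytes; any target that points at an archive or executable download, as in the campaign described above, is the indicator to pivot on (block the URL, hunt mail logs for the sender, and check hosts that fetched it).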

On infection, the malware first injects code into the explorer.exe process to hide its own running process, then makes itself persistent by adding a value to the following registry key. Because the key lives under HKCU, Windows runs the entry at each logon of the affected user account rather than at system startup, and other accounts on the same machine are not affected by it:

  • HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
    • Value set: 4af7bcefe324c81b43f1f65ef5df0c33.exe

While running on the infected machine, the malware downloads other malicious files from a remote server into the following folder:

  • C:\Documents and Settings\Administrator\Local Settings\Application Data

This is the Local Application Data folder (%LOCALAPPDATA%) of the account that ran the sample, in this case the Administrator account on a Windows XP analysis system. On another account the files land in that user's own profile, and on Windows Vista and later the equivalent folder is C:\Users\<user>\AppData\Local.
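The two host indicators above, an autostart value with a hash-like name and executables dropped into the user's Local Application Data folder, are straightforward to check on a suspected machine. The script below is an added example, not part of the original description, that reads HKCU\...\Run on a live Windows host (via the standard winreg module) and flags entries matching the indicators; off Windows it runs against a constructed sample. The description names only the Run value, so the command line attached to it in the sample, and the exact executable-name pattern used as a heuristic, are assumptions for the example.

```python
import os
import re
from typing import Dict, List

# Indicators taken from the description above.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
KNOWN_RUN_VALUE = "4af7bcefe324c81b43f1f65ef5df0c33.exe"
# The drop path is the XP-era %LOCALAPPDATA%; on Vista and later it is %USERPROFILE%\AppData\Local.
DROP_DIR_MARKERS = (r"\local settings\application data", r"\appdata\local")
# Heuristic (assumption): a bare 32-hex-digit .exe name, as in the known value, is rare for legitimate software.
HEX32_EXE = re.compile(r"^[0-9a-f]{32}\.exe$", re.IGNORECASE)

# Constructed sample of Run-key contents: two ordinary entries plus the FakePDF one.
# The description gives only the value name; the command line is assumed for the example.
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "4af7bcefe324c81b43f1f65ef5df0c33.exe":
        r"C:\Documents and Settings\Administrator\Local Settings\Application Data\4af7bcefe324c81b43f1f65ef5df0c33.exe",
}


def executable_from_command(command: str) -> str:
    """Extract the executable path from a Run value's command line.
    Handles quoted paths and unquoted paths containing spaces by cutting at the first '.exe'."""
    m = re.match(r'\s*"?(.*?\.exe)"?', command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.strip().strip('"').split(" ")[0]


def flag_run_entries(entries: Dict[str, str]) -> List[dict]:
    """Return the Run-key entries that match the FakePDF indicators, with the reasons for each."""
    findings = []
    for name, command in entries.items():
        exe = executable_from_command(command)
        basename = os.path.basename(exe.replace("\\", "/"))   # portable across OSes
        reasons = []
        if KNOWN_RUN_VALUE.lower() in (name.lower(), basename.lower()):
            reasons.append("known FakePDF Run value")
        elif HEX32_EXE.match(basename):
            reasons.append("32-hex-digit executable name")
        if any(marker in exe.lower() for marker in DROP_DIR_MARKERS):
            reasons.append("autostart from local application data")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


def executables_in(folder: str) -> List[str]:
    """List executables sitting directly in the drop folder (non-recursive); legitimate
    software rarely places .exe files at the root of Local Application Data."""
    try:
        names = os.listdir(folder)
    except OSError:
        return []
    return sorted(n for n in names
                  if n.lower().endswith((".exe", ".dll", ".scr"))
                  and os.path.isfile(os.path.join(folder, n)))


def read_hkcu_run() -> Dict[str, str]:
    """Read HKCU\\...\\Run on a live Windows host (winreg is Windows-only)."""
    import winreg
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:            # no more values
                break
            entries[name] = str(data)
            i += 1
    return entries


if __name__ == "__main__":
    import sys
    on_windows = sys.platform == "win32"
    entries = read_hkcu_run() if on_windows else SAMPLE_RUN
    for f in flag_run_entries(entries):
        print(f"[!] {f['name']}: {f['command']}  ({'; '.join(f['reasons'])})")
    drop = os.environ.get("LOCALAPPDATA", "")
    if on_windows and drop:
        for n in executables_in(drop):
            print(f"[?] executable in {drop}: {n}")
```

Run the script as the affected user, since the key and folder are per-user; a finding should be followed by collecting the referenced executable for submission rather than deleting it on the spot. The name-pattern check is a heuristic and will also flag other malware families that use hash-like filenames, which is usually welcome during triage.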

More

DHL itself has published an article on Fraud Awareness and Prevention related to misuse of the DHL brand in spam emails:

Note

The details above were previously published using the detection name, Trojan.PDF.Agent.T. Following subsequent changes to the detection logic for this malware, the detection was issued a new name and this description was updated and renamed for greater clarity.