
#1 2012-06-01 22:31:20

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,140

PUA.Script.PDF.OpenActionObjectwithJavascript FOUND

clamav keeps reporting the following for PDF files. Not all PDFs but a significant minority. It also says the same about some already on my machine (which it didn't mind when I first downloaded them, I don't think). Does anybody know what it means and whether it is something I should be worried about, very worried about or not at all worried about?

PUA.Script.PDF.OpenActionObjectwithJavascript FOUND

I know that "PUA" means "Possibly Unwanted Application" and obviously the next bit has something to do with javascript but I'm not quite sure what. I can't find anything on clamav's site which breaks things down this fine-grained - only brief comments on the general classes of applications which it considers PUA.

Googling isn't turning up much - at least, not much of anything I understand. I found this listed on a virus scanning site which seemed to list stuff found by virus scanners and all nine results were for clamav. I'm wondering if that means it is a false positive.

It would be surprising - not impossible, of course, but very surprising - if these particular PDF files contained viruses as they are mostly journal articles from providers my library subscribes to. They are all academic papers which I wouldn't have thought was very good from a "social engineering" point of view, either.


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline

#2 2012-06-01 22:47:42

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,561
Website

Re: PUA.Script.PDF.OpenActionObjectwithJavascript FOUND

I suspect those pdf files contain an action script assigned to run when they are opened.

It is not unreasonable for AV software to flag all such scripts.  It would be difficult to determine if they could actually be harmful, but since they'd have the potential to be it is letting you know.

The PDF reader you use will determine whether those scripts are ever executed.  Most PDF viewers either do not recognize such scripts at all (they can't be run) or they have many safeguards against them running unintentionally.  For example, xpdf will give a dialog asking whether you actually want to open a link even when you click on the link in a PDF.

As a shameless plug, you can check out Leela, the PDF CLI tool I'm working on in my website link.  Leela is pretty impotent at the moment (less than a week old), but it'd be a pretty easy feature to add to have Leela extract all scripts allowing you to examine their code before you give them a chance to run.  Or you could remove them from the file entirely, "sterilizing" the PDF.  I should be able to have those options up and running within a week.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline
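A triage sketch of the structure described in the post above, added here as an example (it is not part of the thread and is not Leela's code): it looks for a catalog `/OpenAction` that resolves to a `/S /JavaScript` action and returns the script text so it can be read before the file is opened. The function names and both sample PDFs are constructed for illustration, and it assumes uncompressed objects only (no object streams, no `/JS` held in a stream).

```python
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
REF_RE = re.compile(rb"\s*(\d+)\s+(\d+)\s+R")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample: a (hex-escaped) /OpenAction pointing at a JavaScript action.
SAMPLE_FLAGGED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>\nendobj\n"
                  b"4 0 obj\n<< /Type /Action /S /JavaScript /JS (this.print(true);) >>\nendobj\n")
# Constructed sample: /OpenAction is only a "go to page" destination, no script.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >>\nendobj\n"

def load_objects(data):
    """Map object number -> body, with #xx name escapes decoded (/Open#41ction -> /OpenAction)."""
    unescape = lambda m: bytes([int(m.group(1), 16)])
    return {int(m.group(1)): HEX_RE.sub(unescape, m.group(3)) for m in OBJ_RE.finditer(data)}

def literal_js(action):
    """Return the /JS value if it is a literal (...) string, else None."""
    m = re.search(rb"/JS\s*\(", action)
    if not m:
        return None
    depth, start, i = 1, m.end(), m.end()
    while i < len(action):
        c = action[i:i + 1]
        if c == b"\\":
            i += 2  # skip the escaped character
            continue
        depth += (c == b"(") - (c == b")")  # PDF strings may nest balanced parentheses
        if depth == 0:
            return action[start:i].decode("latin-1")
        i += 1
    return None

def openaction_javascript(data):
    """List objects whose /OpenAction resolves to a JavaScript action."""
    objs, findings = load_objects(data), []
    for num, body in objs.items():
        _, _, rest = body.partition(b"/OpenAction")  # rest is empty when the key is absent
        ref = REF_RE.match(rest)
        # Indirect reference: look up the target object; otherwise the action is inline.
        action = objs.get(int(ref.group(1)), b"") if ref else rest
        if re.search(rb"/S\s*/JavaScript", action):
            findings.append({"object": num, "script": literal_js(action)})
    return findings
```

A finding whose `script` is `None` means the JavaScript is stored somewhere this sketch does not read (for example a stream), so the file still needs a closer look with a full PDF parser.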

#3 2012-06-03 00:23:15

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,140

Re: PUA.Script.PDF.OpenActionObjectwithJavascript FOUND

That sounds fantastic! I've been watching your thread about Leela though I have not played with it. I don't really consider myself competent to try software until other people have tested it a bit as I don't usually know enough to make sense of things.

I am always looking for new PDF tools as what's available doesn't really do what I need. Things are a bit better on OS X but not much...



Offline
