Hacker News new | ask | show | jobs
by rogerpeters 679 days ago
I scanned it on VirusTotal, it had never been scanned before, it isn’t picking up detected sig. But, with it’s behaviour analysis it is creeping me out. Take a look at it please… I think you will agree?

That user has been posting a lot of links to pdf’s every day hosted on wordpress platforms and more. I haven’t began scanning those yet.
2 comments
walterbell 679 days ago
PDF viewed on iOS 17.6 Safari in Lockdown mode, without error.

That's a pre-pub PDF hosted by the Usenix Security 24 conference, which takes place in two weeks. If a respected 30-year old security conference is posting hostile PDFs, that would be newsworthy.

> VirusTotal behavior analysis

What did it say exactly? Just tried a VT scan and it reported a score of 0 out of 95 (green), with zero detailed findings. That was the only/first/last submission of the URL, https://www.virustotal.com/gui/url/f7259d6da00636ec8632741d3...

> That user has been posting a lot of links to pdf’s every day hosted on wordpress platforms and more

Examples, please? I posted the Usenix Security paper. A quick scan of my submissions shows no PDFs in the last two weeks, and one other PDF in the last day, hosted on HP.com.

link
Flameancer 679 days ago
I’m unfortunately not able to view on desktop since I’m traveling but I’ll have to take a look upon my return tomorrow. Seems fishy the fact it was flagged with lockdown is suspicious.
link
rogerpeters 679 days ago
Alarm bells and a half.

Looking at all the behavioural analysis on VT makes it look like malware, but considering my lockdown iOS was being weird, this PDF is making me worry that it’s some sort of cross platform malware capable of attacking both Windows and iOS - which I have never heard malware being able to do before.

I am super curious of how this PDF behaves on MacOS, Linux and Android now but it seems VT only executes it in a Windows environment.

I could be so wrong about this, but if I am not, then this would be rather serious indeed for a lot of HN users.

link
walterbell 679 days ago
> then this would be rather serious indeed for a lot of HN users

It would be even more serious for the Usenix Security conference that posted the paper!

link
rogerpeters 679 days ago
I can’t say for sure, I cannot get it to pop that same error again. I will try opening it from another iPhone with lockdown enabled later.

I wouldn’t even know where to start in looking at that PDF for some sort of iOS exploit payload, my guess is it would be extremely difficult to find (if it exists).

link
walterbell 679 days ago
For the historical record, the Usenix Security paper PDF comment currently has 28 upvotes.

There is also your non-reproducible report that the PDF was incorrectly loaded as an Apple Wallet pass, which would require a web server MIME type of:

  application/vnd.apple.pkpass
link