tecnickcom / TCPDF

Official clone of PHP library to generate PDF documents and barcodes
https://tcpdf.org

Virus detected by gmail #667

Open carlotnx opened 9 months ago

carlotnx commented 9 months ago

About a month ago Gmail started to identify as a virus (Trojan-Downloader.PDF.Agent) a simple, text-only PDF generated with TCPDF. Here's an example: https://www.dropbox.com/scl/fi/2fvtc997ikfs54pdtb5wf/1697016419.pdf?rlkey=eiq8lllpjhhvj3sdyp00n3ymk&dl=1

Every other antivirus does not detect problems: https://www.virustotal.com/gui/file/9dc330bd4168777409219ac83d44427a1e0a30c4c8baabb15d95c959827cf0c0?nocache=1

I've written in the Gmail community but they locked the discussion without any reply: https://support.google.com/mail/thread/238697355/virus-trojan-downloader-pdf-agent-rilevato-su-file-pdf

We use this file for contracts sent by email and I had to temporarily switch to another library. Any hint?

williamdes commented 9 months ago

Can you paste the code to generate the pdf please?

carlotnx commented 9 months ago

```php
// Image directory used by TCPDF; must be defined before the library is loaded
define('K_PATH_IMAGES', getcwd().'/_files/immagini/');
require_once('tcpdf/tcpdf_import.php');

// Document setup: unicode enabled, UTF-8 encoding, no disk cache
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);
$pdf->SetCreator(PDF_CREATOR);
$pdf->SetAuthor('xxx');
$pdf->SetTitle('Contratto');

// Header and footer
$pdf->SetHeaderData("logo_contratto_pdf.jpg", 16, 'Contratto', 'Riferimento: xxx');
$pdf->setHeaderFont(array(PDF_FONT_NAME_MAIN, '', 8));
$pdf->setFooterFont(array(PDF_FONT_NAME_MAIN, '', 8));
$pdf->SetDefaultMonospacedFont(PDF_FONT_MONOSPACED);

// Margins and automatic page breaks
$pdf->SetMargins(PDF_MARGIN_LEFT, PDF_MARGIN_TOP, PDF_MARGIN_RIGHT);
$pdf->SetHeaderMargin(PDF_MARGIN_HEADER);
$pdf->SetFooterMargin(PDF_MARGIN_FOOTER);
$pdf->SetAutoPageBreak(TRUE, PDF_MARGIN_BOTTOM);
$pdf->setImageScale(PDF_IMAGE_SCALE_RATIO);

// Render the HTML held in $contratto (its content is not shown in this post)
$pdf->AddPage();
$pdf->writeHTML($contratto, true, false, true, false, '');
```

littlepackage commented 9 months ago

I'm curious what other library you switched to. Also, I'm curious about the content of $contratto. Can you fill us in with some more detail?

Sometimes these malware scanners are tipped off by strings they find in content. Lately I'm finding that English strings coincidentally found inside words in other languages trigger scans (e.g. **demonaco** triggers warnings for "demon" when it's only trying to say **de Monaco**). Have you tried alternate HeaderData and $contratto data to see if that triggers the warning? Also, check the image / try a different image, as it's possible it might be harboring something.

Ultimately this seems likely to be more of an issue with your PDF content and environment, than the PDF creator (TCPDF), since you're the only one here reporting this. Make sense?

carlotnx commented 9 months ago

The library I switched to is WkHtmlToPdf, which works in a completely different way (it acts as a browser and converts the HTML page). It's not a problem with header data, I have already removed the SetHeaderData for the file attached in the first post.

It doesn't seem to be a problem with the string content. I did further tests and it seems that the virus is detected when a second page is generated. Look at these examples, which differ by only one character:

VIRUS DETECTED: https://www.dropbox.com/scl/fi/9vpgyf298wo9ohy0h7wn6/Virus-9868a.pdf?rlkey=8uv4ncnsm3hr0iclzp0pgzl3x&dl=1

NO VIRUS: https://www.dropbox.com/scl/fi/9f3d9ky2f6y72cde9o1xz/Novirus-9867a.pdf?rlkey=i5vdni7dbnceh04ic851gmrhw&dl=1
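
The flagged/not-flagged comparison described above can be narrowed down by diffing the structural keywords of the two files. This is an added example, not part of the thread or of TCPDF; the keyword list follows what PDF triage tools such as pdfid count and is an assumption about what a scanner may weigh, since Gmail's detection logic is not public. The two byte strings are constructed samples, not the PDFs linked in the thread.

```python
import re

# Structural names that triage tools such as pdfid count. Which of these a
# given mail scanner weighs is not public, so this list is an assumption.
KEYWORDS = [b"/Page", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
            b"/Launch", b"/EmbeddedFile", b"/URI", b"/ObjStm", b"/Encrypt"]

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def keyword_counts(data: bytes) -> dict:
    """Count each keyword as a whole PDF name (so /Page does not match /Pages).

    Limitation: names stored inside compressed streams are not visible to a
    raw byte scan; a non-zero /ObjStm count signals that this may apply.
    """
    # PDF names may hex-escape characters (/J#53 is /JS); undo that first.
    data = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)
    counts = {}
    for kw in KEYWORDS:
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9])"
        counts[kw.decode()] = len(re.findall(pattern, data))
    return counts


def diff_counts(flagged: bytes, clean: bytes) -> dict:
    """Return {keyword: (flagged_count, clean_count)} where the two differ."""
    a, b = keyword_counts(flagged), keyword_counts(clean)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# Constructed fragments: the same document with one page and with two pages.
ONE_PAGE = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
            b"3 0 obj<</Type/Page/Parent 2 0 R>>endobj\n")
TWO_PAGE = ONE_PAGE + b"4 0 obj<</Type/Page/Parent 2 0 R>>endobj\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: script.py flagged.pdf clean.pdf
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(diff_counts(f1.read(), f2.read()))
    else:
        print(diff_counts(TWO_PAGE, ONE_PAGE))
```

If the only difference reported for the real pair is the `/Page` count, the files are structurally identical apart from pagination, which is useful evidence to attach to a false-positive report.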

carlotnx commented 9 months ago

Any hint?

carlotnx commented 4 months ago

Issue still present... can't use this library anymore for documents to be sent via email...