Issue abstract: Norton keeps identifying “PDF:MalwareX-gen [Fake]” threats when opening MS Outlook
Detailed description: For the past week I noticed that whenever I open Outlook, Norton keeps identifying these threats. Each time I quarantine and delete the files. And yet, they keep coming back. The file names are slightly different but the file path is the same: “Users/XXXXX/Library/Containers/com.microsoft.Outlook/Data/tmp/Outlook Temp/Q7GX3QN4C9[6fm7].pdf”. If Outlook is closed, the folder is no longer viewable through Finder…b/c it’s a temporary folder?
When I use Apple’s built-in Mail app, Norton doesn’t detect any threats even though Mail has the same Google, MS Exchange, Outlook.com accounts as Outlook. So I’m not sure why the threats are detected when using Outlook but not Mail.
Regardless, I would like assistance to make sure my Mac is not infected with malware and if it is, how to remove it because it doesn’t appear that Norton is doing so (which raises the question of why it’s not detecting the threat when using Mail?).
Product & version number: Norton 360. 25.9.0
OS details: Sequoia 15.6.1
What is the error message you are seeing? “Threat blocked”
AI Overview
PDF:MalwareX-gen[Fake] is a security alert indicating a generic, heuristically-detected malicious file disguised as a PDF. The [Fake] tag may be added by an antivirus program to explicitly state that the file is not a legitimate PDF but a forged one intended to trick users.

Here’s a breakdown of the components:
PDF: The malicious file is disguised as a PDF document to appear legitimate. Attackers often use social engineering, such as emails appearing to come from a bank or utility company, to convince a victim to open the fake file.
MalwareX-gen: This is a generic detection name used by some antivirus software, such as Avast, AVG, and Norton.
Malware: The file contains malicious software.
-gen: The suffix “-gen” indicates that the threat was identified by a generic or heuristic analysis, meaning it was detected based on suspicious behavior or patterns rather than a specific, known virus signature.
[Fake]: This label confirms that the file is not a genuine PDF but a deceptive lure. The executable may be an .exe or other file type masquerading with a PDF icon to trick users into running the malware.

How the scam works
Distribution: The fake PDF is typically sent via email or hosted on fraudulent websites.
Deception: When the victim opens the “PDF,” an error message might appear, claiming an update is needed to view the document.
Infection: By clicking to run the “update,” the victim unknowingly launches the malware on their system.
Malicious Activity: Once executed, the malware can perform actions like:
Scanning and exfiltrating sensitive personal data.
Deploying additional threats like ransomware.
Installing keyloggers to steal credentials.
Giving remote access to the attacker.

What to do if you encounter a fake PDF
Disconnect: If you have opened a suspicious PDF, immediately disconnect your device from the internet to prevent the malware from communicating with its command and control server.
Scan: Run a full system scan with your antivirus software. If a generic detection was already made, update your software and perform another scan.
Change passwords: Change passwords for any important accounts, especially if you think your credentials may have been compromised.
Delete the file: Do not attempt to open the file again. Delete it from your system completely.
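
Added example, not part of the original thread or of any poster's reply: a static triage of files in the Outlook temp folder named in the first post, which checks whether a `.pdf` really carries a PDF header and counts the name tokens that make a PDF active, without opening or previewing it. The function names and the two sample byte strings are constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# Temp folder path as quoted in the original post (under the user's home).
OUTLOOK_TEMP = Path.home() / "Library/Containers/com.microsoft.Outlook/Data/tmp/Outlook Temp"

# PDF name tokens that make a document active or link out. Counting them reads
# raw bytes only; nothing is rendered. Tokens hidden inside compressed streams
# or written with #xx hex escapes are not seen by this simple pass.
ACTIVE_TOKENS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                 b"/Launch", b"/EmbeddedFile", b"/URI")


def triage(data: bytes) -> dict:
    """Return hash, real-PDF check and active-token counts for one file."""
    counts = {}
    for token in ACTIVE_TOKENS:
        # Negative lookahead stops /JS or /AA matching inside longer names.
        hits = re.findall(re.escape(token) + rb"(?![A-Za-z])", data)
        if hits:
            counts[token.decode()] = len(hits)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        # Readers tolerate the %PDF- header anywhere in the first 1024 bytes.
        "is_pdf": b"%PDF-" in data[:1024],
        "tokens": counts,
    }


def scan_folder(folder: Path) -> dict:
    """Triage every *.pdf in a folder; returns {filename: triage result}."""
    return {p.name: triage(p.read_bytes()) for p in sorted(folder.glob("*.pdf"))}


# Constructed samples: a minimal PDF-like file that opens a link on launch,
# and a Windows executable header saved under a .pdf name.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /S /URI /URI (https://example.invalid/pay) >>\nendobj\n%%EOF\n")
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
    print(triage(SAMPLE_EXE))
    if OUTLOOK_TEMP.is_dir():  # per the post, not visible once Outlook is closed
        for name, result in scan_folder(OUTLOOK_TEMP).items():
            print(name, result)
```

The SHA-256 value is the useful thing to hand to vendor support when asking whether a detection is a false positive, since it identifies the exact file without attaching it.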
I’ll try to find messages in the email accounts that contain pdf files and were received in the last 2 weeks (which is when Norton started detecting these files). I assume if I use the web to access my email (Google, Outlook.com, and Office.com) and delete/purge any such messages that Outlook on my MBP will synchronize and they’ll be removed from archive and trash folders.
I am curious about why the threats don’t show up when I use Mail.
If Norton still shows a threat, I’ll move on to Malwarebytes and report back.
I went to the websites for my 7 personal email accounts and deleted any file with any attachment in Sept/Oct 2025. As I suspected, there were only a handful and they were known. Deleted them and then deleted them from trash folders.
Next I made sure the Norton Quarantine was empty and then opened Outlook. Norton instantly found 3 different .pdfs that it said were malware threats. I moved them to quarantine.
I then closed Outlook and reopened it. Same thing but this time Norton identified 2 of the 3 previously identified threats.
Repeated the process of closing/opening Outlook and Norton again identified the same 2 of the 3 previously identified threats.
Deleted all of the identified threats from Quarantine at this point. Verified that Quarantine was empty. Closed Outlook. Reopened Outlook and Norton identified the same 2 .pdfs as threats.
At this point I’ll move on to try Malwarebytes later today and will report back.
Before trying Malwarebytes I thought I should contact Norton. After 3 hours on the chat with escalations from Level 1 to Level 2, I was told it may be a false-positive and that Norton would contact me after Level 3 folks look into the issue.
I’m not sure it’s a false positive because the Level 1 person was able to restore a .pdf to my desktop. We did not, of course, open it; however, I used the preview feature….it’s a false invoice from McAfee dated Oct 2nd. This despite the fact that the email address appearing in the document didn’t have any messages in Spam nor Inboxes today (I checked using Google’s website).
At this point I’m baffled and worried. Limiting my use only to post on this forum and Malwarebytes’ forum to ask questions in case I have to use it.
Question: if it’s malware and neither Norton nor Malwarebytes can remove it, can I reformat the drive and only replace my documents? In other words, do fresh install of apps, including Outlook and then have Outlook (and Mail) retrieve files from my email providers? Or will the files pop up? If so, perhaps I add one account at a time to see which account is “infected”? I’m baffled why files keep coming up even though there are no “corresponding” messages on the email servers.
All: Two things I noted from the MBAM forums that MAY be relevant.
1 - User never stated they are running Norton Utilities on the system, that could be a part of the issue.
2 - User has never said they are also running a VM, which COULD be a source of the issue as well.
Just something I noted that has not been discussed here thus far.
I’m a bit confused re: “user never stated that they are running Norton Utilities on the system”. I came to this forum and said Norton keeps identifying threats when opening MS Outlook. I’m running Norton 360 25.9.0 as I said in my first post. Pls help me understand what you meant by “that could be a part of the issue”.
With respect to Fusion, which runs my VM, Norton is set to exclude the VM folder on the MBP from all scans (on the advice of long-time Fusion owners). I do have Norton running on the Windows VM when it’s running and that has not detected any threats at all. Hope that helps.
In the meantime, I’m awaiting help from the Malwarebytes Help Desk and Norton support.
Norton Utilities is a separate software suite totally different from Norton Antivirus software.
Regarding the VM, is that where MS Outlook is running from? That was never clarified here. If these detections are coming from Outlook installed within the VM and Norton isn’t detecting anything, that is the issue.
I came to this forum and said Norton keeps identifying threats when opening MS Outlook.
Just two things noted from the other forum’s posts that weren’t included here that may or may not be related. I’m one to explore all avenues and start from the inside out.
Sorry about the confusion re: Norton Utilities. I’m running Norton Antivirus on my MacBook Pro. (Wasn’t aware that Norton Utilities has a Mac version.)
No, MS Outlook is running from my MacBook Pro. Don’t have MS Outlook running at all in the VM. Norton Utilities for Windows is installed in the VM however it hasn’t detected any threats within the VM.
This has really got me stumped. I’m a very careful Internet user…don’t visit suspect sites, etc. Have good email habits (i.e., never open an unexpected file, etc.). On top of which, I’ve deleted the few mails with attachments I received in September and October. And unknown emails didn’t show up in Spam/Junk folder on either my MBP or the servers of my email providers.
My primary help is Norton. While I await their reply, I was following the advice elsewhere on this forum to try Malwarebytes. I simply posted a few questions on their site before even trying to use their software. I was told to open a ticket so that they could answer my questions. I’m expecting that the Norton team, which downloaded all support logs and submitted the suspect files to themselves for inspection, will come back in a few days with some type of answer.
@pacoinmass Thanks for the post back and clarification. We’re just trying to help in a way that goes inside out though myself and bjm are not Mac users. Do you synch Outlook, ALL accounts? I’m wondering if that may be confusing Norton that something is still present.
Thanks for your help. I synch 6 email accounts (3 Gmail and 3 Outlook/Office) in Outlook and the same 6 plus a Yahoo account in Apple’s email app, Mail.
In the beginning Norton detected the threat only when opening MS Outlook (even after quarantining and deleting the threats). Once or twice it has detected them in Mail but not with the consistency as in Outlook.
I managed to isolate two .pdfs and used the preview feature to look at them. Both were “McAfee invoices” which is nonsense because I’ve never used that program. I deleted the files permanently, ran a full scan and no threats.
I then deleted the two Gmail accounts I saw in the invoices, opened Outlook and Mail and no threats. I added one back and no threat when opening Outlook or Mail. Added the 2nd Gmail account in and Norton identified threats in Outlook and Mail. So I deleted that account, ran a full scan and Norton didn’t detect any virus.
You’re welcome as always, and thanks for posting back that detailed info, it goes a very long way with getting to a possible solution. YOUR scenario is unique with the VM, the VM gets isolated and your Mac gets hit.
Those messages with the pdf files in them are being sent to anyone and everyone. I get them as well from time to time, although I too have never used a McAfee product. That is the way scammers and hackers get into your system; some do it with zero-click methods, of all things. The message just has to be delivered to an active email and the sender prays that the receiver has the message preview pane enabled, and that alone will allow the contents of the message to deploy. Norton catches mine and I have not ever had anything reappear afterwards. DISABLE preview pane view if you have it enabled is my suggestion.
@SoulAsylum, sorry for the delay in responding. I’m not sure why my scenario is unique because I’m running a VM. My VM is closed most of the time and Norton running on the Windows 11 VM has not detected any threats within Windows. I also don’t use the VM to access my email accounts…I only use Apple’s Mail program and MS Outlook for Mac.
In any case, Malwarebytes didn’t detect any threats. Malwarebytes support did contact me via email to help me install a version of Malwarebytes to scan the entire drive. Norton hasn’t detected any threats the past three weeks.
Still find it weird that Norton detected .pdf files, I was able to view them using Preview, but the underlying emails were not to be found in either Apple’s Mail program or MS Outlook for Mac. And the emails were not to be found on the web server when I went to Google and logged in to my accounts. Checked the inboxes and junk folders in all places.
Unfortunately, Norton support never reached out as they had promised.
Not sure where that leaves me. On the one hand, a search for the files on my MBP comes up empty. On the other hand, still can’t account for the strange case of email attachments with no underlying emails.
Thanks for the post back, and update with assistance from Malwarebytes and Norton. Just to recap a bit, are you still seeing the alerts for infected pdf files in your mail? I assume you aren’t based on your last reply but just clarifying all the same.
What is your version of MS Outlook for Mac? The latest version of Outlook for Mac is 16.102.2.