Wikipedia PDF's being flagged as [L] PDF:MalwareX-gen [Phish] (0)

Hello!

Long time reader, first time caller : )

The Issue In Brief :

Automatically-generated PDF’s of Wikipedia articles ( presumably a SAFE site ) are suddenly being regularly flagged by Norton 360 as containing Phishing Malware. Is this realistic, or could it be a false positive…?

The Issue In Detail :

For many years now, we have at times downloaded articles as .pdf’s from Wikipedia,
via that website’s “Tools > Download as .PDF” option
(which is available at the Top-Right corner of any article page at that site.)

Here are two examples :

articles :

https:// en.wikipedia .org/wiki/Knight_Bachelor
https:// en.wikipedia .org/wiki/Braess’s_paradox

while their respective ‘pdf download’ pages are at :

https:// en.wikipedia .org/w/index.php?title=Special:DownloadAsPdf&page=Knight_Bachelor&action=show-download-screen
https:// en.wikipedia .org/w/index.php?title=Special:DownloadAsPdf&page=Braess%27s_paradox&action=show-download-screen

(tech note : two blank spaces have been added to each of the above url’s to avoid them turning into hyperlinks, in case it causes problems to this post - remove the spaces to go to the relevant pages)

Lately, MANY such downloaded articles have begun to be flagged as

[L] PDF:MalwareX-gen [Phish] (0)

by Norton 360 scans

(current version : 26.2.10802, with latest definitions, etc…
but we have noted this problem in ALL earlier versions going back at least 6 months now.)

Such files are flagged during scans IF they have been downloaded on another computer,
and are then copied to the machine which has Norton installed on it ;

OR,

if a download attempt is made ON the Norton machine itself,
then one of (at least) two things will happen :

a) the download is aborted and the file cannot be downloaded at all
(see screenshot 1 with notes below)

or :

b) the downloading file is sent to quarantine,
and the event log then describes the file as having been “repaired” (?)
(see screenshot 2 with notes below)

Such .PDF download attempts always get flagged from certain Wikipedia articles,
(even after the articles themselves periodically get altered by editors within Wikipedia itself),
while pdf’s from other articles never seem to get flagged.

We are unsure how a legitimate website such as Wikipedia can be flagged for creating phishing pdf’s…?

Our initial thought was that perhaps certain hyperlinks within them are being regarded as dangerous…
but this is almost certainly NOT the case, because whenever we use the browser’s basic :

Right-Click > ‘Print as PDF’ option

in order to simply have the browser itself create a direct .pdf of the same article
(which creates a resultant file containing essentially the SAME INFORMATION as the downloaded one : namely SAME text + SAME images + SAME hyperlink references, etc…),

Norton does NOT flag these ‘printed’ .pdf’s as containing any threats…(!?)
(see screenshot 3 with notes below)

We know that we can upload the problematic files to support .norton .com
however what we would first like to ask is if other Community Members,
and especially the Norton Administrators here,
could attempt this for themselves with the two articles which we have noted at the top of this post, i.e. if you can test the issue ‘first-hand’, as it were,
and see if any of you are getting the same results :

Since this is happening both during downloading AND with imported files from other machines
(ie with different article versions AND different Norton versions over a period of several months),
this suggests to us that the problem may not be isolated to our OS configuration,
but that it is a wider issue.

Thank you for now, and we will be watching this thread for hopefully any developments!

Kind Regards,

NN

Screen Shots :


1 Like

fwiw ~ as test:
Download as PDF → Download



==========================

fwiw ~ as test: Norton 360 Safe Web disabled



Threat name: PDF:MalwareX-gen [Phish]
Threat type: Phishing - This is a scam designed to steal sensitive information like your credit card number, banking credentials, or passwords.
Status: Moved to Quarantine
Options: Report false detection
Detected by: Auto-Protect
On PC from: 3/8/26,
Last Used: 3/8/26,
Startup Item: No
Unknown
It is unknown how many users in the Norton Community have used this file.
Unknown
The file release is currently unknown
High
The file risk is high.
Origin
Downloaded from: https://en.wikipedia.org/api/rest_v1/page/pdf/Knight_Bachelor
Activity
Path | Type | Status
C:\User\user\ChromeHSDP\user\current\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_0093d7 | File | Repaired

Hello, BJM !
Thank you so much for your prompt personal test of the issue & for your reply : )

I’m glad to see confirmation that the issue is repeatable
and that it is not simply a glitch in our own system configuration!

(It is also strange that hitting ‘more info’ in the detailed results
also shows a ‘safe’ result at safeweb .norton .com,
which can be seen in our original screenshots 1 + 2 above)

(and, we personally clicked on ‘report false positive’ in the norton GUI for the first time earlier today, so are also waiting to see if that will have any effect…)

nn

1 Like

The Norton Safe Web portal reports on the reputation of the entire URL you submit, including its specific parameters, but it uses the base domain’s history to inform that rating.

For the specific Wikipedia URL provided, here is how the portal handles it:

  • Granular Analysis: When you enter the full URL into the Norton Submission Portal, Norton evaluates the safety of that specific request (in this case, a PDF download trigger).
  • Domain-Wide Reputation: Because the URL belongs to wikipedia.org, a high-reputation domain, the portal will primarily report the “Safe” rating associated with the parent site.
  • Parameter Awareness: The portal’s AI content analysis examines the “text, code, images, and other hidden elements” triggered by those specific URL parameters (like action=show-download-screen) to ensure the download itself isn’t a masked threat.
  • Community Watch Data: If other users have reported that specific “Knight Bachelor” PDF link as containing a “drive-by download” or malicious script, the portal will flag that specific URL even if the rest of Wikipedia remains marked as safe.

Summary of Scope

Input Type | What Norton Reports On
Entire URL | Evaluates the specific file or action (PDF download) for immediate threats.
Base Domain | Reports the general trustworthiness and historical safety of Wikipedia as a whole.

https://www.virustotal.com/gui/file/c7a3e303053da76437a300cc1f80b9d8cbe969eb460f0fd86b71478804cb81c9


https://submit.norton.com/
https://en.wikipedia.org/w/index.php?title=Special:DownloadAsPdf&page=Knight_Bachelor&action=show-download-screen

ok, I didn’t know that - thank you for the elucidation.

Regarding your testing at Virus Total… that didn’t occur to us. It is interesting though that only 3 vendors flag this as problematic (and in fact is that not really only two, since don’t Norton and Avast use the same (or at least similar) databases now?)

Thank you for submitting the file(s) to Norton Support - I expect the technical team there will look into the issue more robustly since an experienced Administrator like yourself is submitting it !

I hope their analysis answers the question of what Norton is finding in the downloaded .pdf’s that it is NOT finding in the locally-created .pdf’s of the same articles.

(I’m wondering if Wikipedia is somehow “EXIF-watermarking” (??) the pdf files in a way that is not pleasing to norton/avast.. or if they could be actually entering some sort of real problematic code in them, albeit unintentionally.)

Once they analyse the files - and if it is indeed a false positive - do you think the fix is likely to apply to all similar Wikipedia articles and their generated pdf files… or would it need to be submitted on a case by case basis?

Thank you again for your time and effort, and we will be watching this thread : )

NN

Norton™ is part of Gen™ - a global company with a family of consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner.

1 Like

p.s.
on a separate note - I notice that you had to take a physical photo of the screen with regards to the initial informational pop-up in your 1st reply, above.

now, you probably already know this and likely have this setting as “on” intentionally, BUT in case you don’t, I’ll be glad to help you out (at least a little!) like you’re helping me :

I myself recently discovered the following setting in the Norton GUI :

Settings > Notifications > Hide Pop-Ups From Screen Captures

The default setting for this seems to be ‘ON’, hence why you need to go to the extra trouble of taking an external photo of the screen and then uploading it back to the computer.

Toggle this to ‘off’, and hopefully you’ll be able to save yourself some time and effort every time you want to screen-shot a norton pop-up notification : )

1 Like

Thanks!

1 Like

glad I could be of help : D

1 Like



==========================================



Threat name: PDF:MalwareX-gen [Phish]
Threat type: Phishing - This is a scam designed to steal sensitive information like your credit card number, banking credentials, or passwords.
Status: Aborted
Detected by: Safe Web
Origin
Downloaded from: https://en.wikipedia.org/api/rest_v1/page/pdf/Knight_Bachelor
Activity
Path | Type | Status
https://en.wikipedia.org/api/rest_v1/page/pdf/Knight_Bachelor | URL | Blocked

==========================================

fwiw ~ as test: Create exclusion & restore + Disable Auto-Protect
File: Knight_Bachelor.pdf
File size: 210 KB (214,620 bytes)
MD5 checksum: 09457C58692EEC1EB6BA13091109AA7A
SHA1 checksum: 9C5D0DEB08D6003C4AB7B559981F742BC1F3F682
SHA256 checksum: FD079D8A5D8CFDF0001BF502A4237576961F6E9E329E9CB60B1D928DD3A5B701
Date/Time: 3/9/2026

==============================

PDF:MalwareX-gen [Phish] is a generic detection name used primarily by Avast, AVG, and Norton antivirus software to flag PDF files that exhibit characteristics of phishing or malicious behavior.

Key Details

  • Meaning of the Label:
    • PDF: The detection is targeting a PDF file or an executable file (.exe) disguised with a PDF icon.
    • MalwareX-gen: Indicates a generic threat identified through heuristic analysis (pattern-based detection) rather than a specific, known virus signature.
    • [Phish]: Confirms the primary threat is phishing, where the file likely contains malicious links designed to steal credentials or personal information.
  • Common Behaviors:
    • Credential Theft: The PDF may contain links to fake login pages (e.g., for Outlook, Microsoft 365, or banks).
    • Social Engineering: It often uses urgent language, such as fake invoices or security alerts, to trick users into clicking.
    • Malicious Payloads: Some versions may prompt users to download “updates” or enable macros, which then installs actual malware like trojans or ransomware.

False Positives
It is common for this detection to be a false positive. Legitimate PDFs from sources like Wikipedia or automated receipts can sometimes trigger this heuristic because they contain numerous external links that the antivirus deems suspicious.

Recommended Actions

  • Do Not Click Links: If you have opened the PDF, do not click any links or buttons inside it.
  • Verify with VirusTotal: Upload the file to the VirusTotal website to see if other antivirus engines also flag it as malicious.
  • Quarantine and Scan: Allow your antivirus to quarantine the file and run a full system scan using a different tool, such as Malwarebytes, to ensure no other threats are present.
  • Check the Sender: If the file arrived via email, verify the sender’s address for typos or mismatches with the official domain.

============================

Can a PDF have a virus? Yes, here’s how to protect yourself here

============================

============================
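The comparison raised in this thread, a server-generated PDF against a browser-printed PDF of the same article, can be made concrete by counting the structural features that static PDF triage looks at, including those inside Flate-compressed streams. This is an added example, not part of any post and not Norton's detection logic; the keyword list, the function names and both sample byte strings are constructed for illustration.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Name tokens that static PDF triage tools commonly count (link targets are handled separately).
KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
            b"/EmbeddedFile", b"/AcroForm", b"/SubmitForm"]
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")  # simple form; nested or escaped ')' is not handled


def expand(pdf: bytes) -> bytes:
    """Raw bytes plus every stream that inflates as zlib (FlateDecode) data."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # image, font or other filter: not inspected here
    return b"\n".join(parts)


def profile(pdf: bytes) -> dict:
    """Count active-content keywords, link annotations and link hosts in one PDF."""
    data = expand(pdf)
    counts = {}
    for kw in KEYWORDS:
        # The lookahead stops /JS matching /JSON, /AA matching /AAPL, and so on.
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
    uris = [u.decode("latin-1") for u in URI_RE.findall(data)]
    counts["links"] = len(uris)
    return {"counts": counts, "hosts": Counter(urlparse(u).hostname or "?" for u in uris)}


def diff(a: dict, b: dict) -> dict:
    """Features whose counts differ between two profiles, as (a, b) pairs."""
    return {k: (v, b["counts"][k]) for k, v in a["counts"].items() if v != b["counts"][k]}


def _sample(urls, compress: bool, extra: bytes = b"") -> bytes:
    """Constructed PDF-like bytes for the demo; not output from Wikipedia or a browser."""
    body = b"\n".join(b"<< /Subtype /Link /A << /S /URI /URI (" + u.encode() + b") >> >>"
                      for u in urls)
    if compress:  # link annotations packed into a Flate-compressed stream
        body = b"<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(body) + b"\nendstream"
    return b"%PDF-1.7\n1 0 obj\n" + extra + body + b"\nendobj\n%%EOF\n"


URLS = ["https://example.org/a", "https://example.org/b", "https://example.com/c"]
SAMPLE_A = _sample(URLS, compress=True, extra=b"<< /OpenAction 2 0 R >>\n")  # constructed
SAMPLE_B = _sample(URLS, compress=False)                                     # constructed

if __name__ == "__main__":
    a, b = profile(SAMPLE_A), profile(SAMPLE_B)
    print("A:", a["counts"], dict(a["hosts"]))
    print("B:", b["counts"], dict(b["hosts"]))
    print("differs:", diff(a, b))
```

Running `profile()` on a flagged file and on its browser-printed counterpart, then `diff()` on the two results, shows which structural features differ even when the visible text and links are the same.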

Hello @nn123
Care to share your progress?

Hello again, @bjm !

First of all, I would like to apologize for the enormous delay since my last post - a couple of days after my last comment, some inept council workers knocked out some sort of central switch that left a whole bunch of people in our vicinity without internet for over three weeks. We finally got reconnected up earlier this week, and I have spent the last few days catching up on backed-up emails. I realize how ludicrous this sounds in the 21st century, but I guess that’s what happens when you have incompetent local officials and corporate-minded “customer service” personnel at your ISP, who don’t actually care about the individual people who use their services. Hopefully the new connections will be fine for now.

So again, I just want to stress that I had NOT simply ignored this thread, as the problem I raised nearly a month ago now is quite important to me (and, I assume, to many other people who download pdf’s off the internet and specifically off Wikipedia). I would like to thank you for your patience, and hope that you will be willing to return to this discussion when you have the time, until we hopefully find a resolution!

I will take a minute to acquaint myself with new developments on the current issue, and I just noticed that you have linked me an old discussion on this topic, namely
https:// community.norton .com/t/pdf-phishingx-gen/247945
Thank you for that!
NN

1 Like

Hello @nn123


fwiw ~ at this time…my Norton 360 does not detect Knight_Bachelor.pdf

Hello again, @bjm!
I hope you have been well : )

I have to say, I spent some time yesterday doing quite a bit of testing around and I also noticed that, after having updated to the latest definitions, several of the articles that were initially being flagged, are now being seen as fine by N360 - eg, also the “Braess’s paradox” article that I linked to in my initial post, as well as a few others.

In essence, what I have done is :

  • I have once again attempted to download some of these articles as wikipedia-generated .pdf files, and they seem to be downloading fine ;

  • I have then tested these files via norton targeted scans, and these also seem to be showing no threats ;

  • I have opened these files in my pdf reader, and again, they seem to be opening fine and nothing is being flagged as suspicious.

  • I have only not yet re-scanned the actual older files (a few dozen in total) that were originally downloaded to a different machine, which were then being flagged as malicious after being transferred to the system with norton installed on it - I will test them within the next couple of days and post an update here once I do that.

Now that basically a month has passed since this thread was begun, it seems that the issue has been at least partly sorted, and may even (hopefully!) have been fully sorted… fingers crossed, pending further testing! (hopefully it was a single issue that was causing the false positives in all the files)

By the way, @bjm , I would like to ask whether you ever received any personal reply from the norton technicians with respect to the files and url’s that you initially submitted for analysis last month ?

NN

1 Like

Hello @nn123
fwiw ~ my understanding:

  • Lack of Confirmation: The current Norton Submission Portal does not send automated confirmation or status update emails, even when an email address is provided.

  • ID-Less Submissions: The new platform (specifically for Norton v24 and newer) does not generate a visible tracking number upon submission, making it impossible to check status manually.

  • Norton has acknowledged in Community forums that they currently lack a feedback loop to inform users of results, though they have expressed plans to implement one in the future.

  • If the review determines the detection was indeed a false positive, Norton typically releases updated virus definitions to address it within 48 hours without specifically notifying the submitter.

================================

Note: the current version of the Norton Submission Portal for Norton v24 and newer has removed the tracking number (Request ID) from the process.

Note: Safe Web File Dispute form https://safeweb.norton.com/file_dispute still generates a Request ID (Check Status), unlike the newer “Norton 24 and newer” portal https://submit.norton.com/ which has phased them out.

Caveat: it’s been a while since I’ve used the Safe Web File Dispute form

@bjm You’re using OPSWAT MetaDefender? Curious.

SA

hello again, @bjm!

Thank you for the elucidation : ) I expected that there would be no personal reply,
but I guess the fact that these files are not being flagged any more shows that the issue has been looked into.

Now,

I did a bit of testing around these past couple of days and found some interesting (and somewhat inconclusive) results, namely that :

  • With 6 April updates (ie 2 days ago) :
    Out of the 32 wiki-downloaded files
    that were being flagged as “malware-x-gen-phish” last month,
    30 are now being seen as fine, while 2 are still being flagged as malicious.

Interestingly, the 30 now ‘clean’ files
were all downloaded from wikipedia AFTER mid-January of this year,
while the two that are STILL being flagged were both downloaded in June of last year.

Even more strangely, of these latter two files from June
(I went through my scan & quarantine histories) :

  • in August of last year :
    ONE of them (call it ‘file-1’) was the ONLY file that was flagged & quarantined back then,
    while the OTHER one (‘file-2’) initially tested as ‘clean’ in that same scan,
    and only came up as malicious earlier this year…!? ;

  • With 9 March updates (ie as of last month, immediately prior to the current thread)
    AND with 6 April updates (ie as of 2 days ago) :
    BOTH files were testing as ‘malicious’ ;

  • With 8 April updates (ie today) :
    File-1 (the ORIGINAL ‘malicious’ file) is now finally testing as clean,
    while File-2 (which was originally testing as clean) is now the only file out of all 32
    that is still testing as malicious…!?

(note that both wikipedia articles
are currently able to download fine and are not being intercepted -
ie it is only the originally-downloaded pdf versions of these 2 articles
from several months ago that are/were problematic.)

I cannot understand what the actual problem is, nor what the reasons are for what is happening,
nor why the problem is only being caused AND fixed in stages like this…

All I can say is that I hope that the crux of the problem
has been noted by norton technicians and sorted,
and that therefore this issue will not be periodically
raised again in future with further wiki-downloaded files…

1 Like

with respect to these two links,

it seems that the second one redirects to the first in any case : )

(although I cannot see where the Request ID is generated - the ‘Check Status’ button asks for the user to enter such an ID, rather than providing one…)

Anyway, as far as I can see, the Norton GUI itself has a :

  • “Report False Detection” button in the “Threat Secured” pop-up window
    which comes up as a threat is intercepted, as well as a

  • “Send For Analysis” button in the quarantine list
    (when you hover over a file in the list, a three-dots icon
    appears at the right side, leading to a drop-down menu)

both variants lead to the same place : namely a further window where the file is automatically pre-attached, with radio buttons for whether the user wants to submit (what they think is) a false positive or a false negative, and a space for adding free text notes on the issue.

I guess this option is even easier (and safer) than going through the website and uploading the file, albeit a .zip/.rar, since the user would need to disable their AV in order to create the archive in the first place!

p.s.

submitted that one final file through the gui. hopefully it will give some greater elucidation to norton technicians on this wider issue, due to being so much more ‘insidious’ than the others!