When creating a pdf in LibreOffice with the "export to PDF" option, the resulting file is tagged as malicious in Google Drive. Steps to reproduce: 1. Create a new document in LibreOffice and save it as PDF. 2. Upload it to Google Drive. 3. Get a link to share the pdf with anyone. 4. Paste the link to in a browser to download the file. 5. Google Drive shows a warning message: "This file is executable and may harm your computer". This behavior is due to a string that LibreOffice inserts in the code of the pdfs. The string is /OpenAction [ 1 0 R /XYZ null null 0 ]. It would be nice to have this /OpenAction disabled by default. In this post there is an analysis of a pdf created this way with LibreOffice: https://ask.libreoffice.org/t/google-drive-says-pdfs-created-with-libreoffice-are-executable-files/91094/21?u=eugenioh In this other post there is a workaround: https://ask.libreoffice.org/t/google-drive-says-pdfs-created-with-libreoffice-are-executable-files/91094/25?u=eugenioh
Perhaps I wrongly read the links provided but the pb here is Google not LO. I mean /OpenAction is ok here and doesn't do anything malicious.
It is important to use the correct wording. Google does not tag the files as "malicious files". It detects a code in the PDF which executes an *arbitrary* action *automatically* when the PDF is opened, and then informs the user about that fact, telling literally this: > Google Drive can't scan this file for viruses. > This file is executable and may harm your computer. This same warning would appear for *any* executable file, and does not *claim* that the file is malicious, but warns that it executes something, and they don't know what. This is reproducible. And it is unclear, why the *automatic action* is necessary for the *default* case, when all that we want is to show the very first page (using the default scale). So, this issue could be fixed by making the code that adds the action conditional - not executing in case when the very first page is shown with default settings. The code is https://opengrok.libreoffice.org/xref/core/vcl/source/gdi/pdfwriter_impl.cxx?r=7ea34aa6#5305 and the condition could be simply 'm_aContext.InitialPage > 0'. A separate improvement could be, if the dialog shown some infobar in case of other settings, which would add the action - to inform the user that "this PDF will include an OpenAction command, and can be flagged as executable by some programs".
See also: https://medium.com/coreshield/malware-analysis-dissecting-pdf-file-a95a0ffa0dce
This happened to me when I was using CAC signature. It's the first time and version 7.4.6.2 happens to do it consistently. Italian certified email (PEC) stops messages with these attachments as well. VirusTotal says: "The sandbox DOCGuard flags this file as: GREYWARE"
Neil Fachin committed a patch related to this issue. It has been pushed to "master": https://git.libreoffice.org/core/commit/54b6ed66901d9dc25e8f1636aca08fb9f3d8b5c6 tdf#155419 tdf#156477 PDF Export: emitCatalog fixes for OpenAction It will be available in 26.2.0. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.
Neil Fachin committed a patch related to this issue. It has been pushed to "libreoffice-25-8": https://git.libreoffice.org/core/commit/e12a65c151db69f93b8d26202d17ee3a9ddae063 tdf#155419 tdf#156477 PDF Export: emitCatalog fixes for OpenAction It will be available in 25.8.1. The patch should be included in the daily builds available at https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More information about daily builds can be found at: https://wiki.documentfoundation.org/Testing_Daily_Builds Affected users are encouraged to test the fix and report feedback.