[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes

David Shrimpton d.shrimpton at its.uq.edu.au
Tue Sep 27 05:26:57 EDT 2016


On Tue, 27 Sep 2016, Al Varnell wrote:

> The signature is based on a 2240 byte file, so it is probably something embedded in the PDF.

Yes,  the 2240 null byte file pdf51 is extracted by clamav from the pdf.  --leave-temps and --debug
can be used to show this and to obtain the file. 


md5sum pdf51
013167adb9fbc93923f9c0789599ec95  pdf51

sha256sum pdf51
2f7eaacf490839d9c603736149286272aea4df46c0daf58f0c70062041c68230  pdf51

(sha256 sum is in the virustotal url not md5sum).

The md5sum and sha256sum of the original malware are unknown.   I don't have the malware
only a file with a FP on the broken signature , that may or may not also contain malware
or be the original malware.

The clamav hdb signature is independent of file type and would match any 2240 null byte
file not just a file extracted from  a pdf.

Incidently clamav debug shows the file
as stream 68 0 , but stream 68 does not extract to a 2240 null byte file with pdf-parser.py.

Uploading the null byte file to fp would make sense.   But anyone can create the file themselves.

Uploading the pdf to fp might  not make sense as is unknown if it contains malware or not. 
The pdf scans negative except for clamav on virustotal, but could still contain malware.

https://virustotal.com/en/file/13f14263e8268626e7a7f42e10dab99b87007cf6f2a29affd46f2cafa2ecb607/analysis/

Note the filename is not the same as original.

sha256sum Deal.pdf
13f14263e8268626e7a7f42e10dab99b87007cf6f2a29affd46f2cafa2ecb607  Deal.pdf

Is the original malware sample for which the signature was intended still available
and does it have the above sha256sum ?


--

David Shrimpton



More information about the clamav-users mailing list