[clamav-users] FP: Win.Trojan.Agent-1696554 is md5sum of 2240 null bytes
d.shrimpton at its.uq.edu.au
Tue Sep 27 05:26:57 EDT 2016
On Tue, 27 Sep 2016, Al Varnell wrote:
> The signature is based on a 2240 byte file, so it is probably something embedded in the PDF.
Yes, the 2240 null byte file pdf51 is extracted by clamav from the pdf. --leave-temps and --debug
can be used to show this and to obtain the file.
(The sha256 sum is in the virustotal url, not the md5sum.)
The md5sum and sha256sum of the original malware are unknown. I don't have the malware,
only a file with a FP on the broken signature, which may or may not also contain malware
or be the original malware.
The clamav hdb signature is independent of file type and would match any 2240 null byte
file not just a file extracted from a pdf.
Incidentally, clamav debug shows the file
as stream 68 0, but stream 68 does not extract to a 2240 null byte file with pdf-parser.py.
Uploading the null byte file to fp would make sense. But anyone can create the file themselves.
Uploading the pdf to fp might not make sense as it is unknown if it contains malware or not.
The pdf scans negative except for clamav on virustotal, but could still contain malware.
Note the filename is not the same as original.
Is the original malware sample for which the signature was intended still available
and does it have the above sha256sum?
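The point made above, that an .hdb hash signature is blind to file type and will hit any 2240 null-byte blob, can be reproduced without ClamAV. The following is an added example, not code from the mail or from the ClamAV project: it builds an .hdb entry (MD5:FileSize:MalwareName) from a constructed 2240 null-byte stand-in for the extracted object, emulates the whole-file hash check, and adds a hypothetical `is_degenerate_sample` lint that would have rejected such a sample before a signature was generated from it. The real MD5 of the signature is not on the page; the name is the one from the report.

```python
import hashlib

# Constructed stand-in for the 2240 null-byte object (pdf51) that clamav
# extracted from the PDF; the real blob is trivially the same bytes.
NULL_BLOB = b"\x00" * 2240
SIG_NAME = "Win.Trojan.Agent-1696554"  # name from the report; hash value is not on the page


def hdb_line(data: bytes, name: str) -> str:
    """Render a ClamAV .hdb entry: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def parse_hdb(line: str):
    """Split an .hdb entry into (md5, size or None, name); a size of '*' is a wildcard."""
    md5, size, name = line.strip().split(":", 2)
    return md5.lower(), (None if size == "*" else int(size)), name


def hdb_matches(line: str, data: bytes) -> bool:
    """Emulate the .hdb check: whole-object MD5 plus size, no file-type awareness."""
    md5, size, _ = parse_hdb(line)
    if size is not None and len(data) != size:
        return False
    return hashlib.md5(data).hexdigest() == md5


def is_degenerate_sample(data: bytes) -> bool:
    """Hypothetical pre-signature lint: reject empty or single-repeated-byte samples,
    whose hash would match any zeroed buffer or padding of the same length."""
    return len(set(data)) < 2


def demo():
    sig = hdb_line(NULL_BLOB, SIG_NAME)
    results = {
        "bare_null_file": hdb_matches(sig, b"\x00" * 2240),  # any 2240 nulls, not only a PDF stream
        "other_2240_bytes": hdb_matches(sig, b"A" * 2240),   # same size, different content
        "2241_null_bytes": hdb_matches(sig, b"\x00" * 2241), # size mismatch
        "sample_is_degenerate": is_degenerate_sample(NULL_BLOB),
    }
    return sig, results


if __name__ == "__main__":
    line, res = demo()
    print(line)
    for key, val in res.items():
        print(f"{key}: {val}")
```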