[clamav-users] PUA.Win.Trojan.EmbeddedPDF-1 false-positives

Alex mysqlstudent at gmail.com
Fri Nov 17 17:43:30 UTC 2017


Hi,

We're seeing a large number of false-positives with the above rule. Is
it particularly prone to false-positives? Would someone explain how it
works?

What's perhaps even more strange is that scanning the email again (or
the files within the email) doesn't produce the same false-positives.

Was there a period where this pattern had a problem and has now been corrected?


