Dan,

 

You can use sigtool:

#sigtool --find-sigs Pdf.Phishing.CWS4c384287-9890237-0 | sigtool --decode-sigs

 

Looks like a cmap definition, so a definition of character sets to Unicode.

Could definitely be a false positive; send samples to https://www.clamav.net/reports/fp

 

Sincerely,

 

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300

 

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Dan Jaap via clamav-users
Sent: Friday, September 10, 2021 12:31 PM
To: clamav-users@lists.clamav.net
Cc: Dan Jaap <djaap@flclerks.com>
Subject: [clamav-users] Pdf.Phishing.CWS4c384287-9890237-0

 

Can someone explain what the classification “Pdf.Phishing.CWS4c384287-9890237-0” means? I assume it has something to do with a link found in a document. However, we’ve had several of these lately and I can’t see anything wrong with the documents. We’re using clamav with OPSWAT Metadefender, integrated into a Web site. Each document that is uploaded is scanned by the platform and clamav is the only engine finding problems with the documents in question. I have already submitted a sample document as a false positive, but have not heard back yet. I was hoping to get more info here as to what “Pdf.Phishing.CWS4c384287-9890237-0” means.

 

Here are some details for our clamav environment:

VERSION: 0.102.4-810

DATABASE VERSION: 1631145600

DEFINITION UPDATES: Up to date (up to date)
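
Added example (not part of the original thread, and not ClamAV's own code): a Python decoder for a signature line in ClamAV's extended .ndb layout, showing how a hex body of the kind sigtool decodes turns into readable strings such as cmap keywords when triaging a suspected false positive. The sample line and its name are constructed and are not the actual body of Pdf.Phishing.CWS4c384287-9890237-0; the .ndb layout is assumed for the sample, and the output labels are this example's own rather than sigtool's.

```python
import re

# Constructed sample in ClamAV's extended (.ndb) layout:
#   MalwareName:TargetType:Offset:HexSignature
# It is NOT the real body of Pdf.Phishing.CWS4c384287-9890237-0.
SAMPLE = ("Example.Constructed.Cmap-1:10:*:"
          "2f434d61704e616d65{1-4}2f41646f6265*626567696e636d6170")

# Subset of the documented target types; others are reported by number.
TARGET_TYPES = {0: "any file", 10: "PDF"}

TOKEN = re.compile(
    r"(?P<hex>(?:[0-9a-fA-F]{2})+)"            # literal bytes
    r"|(?P<star>\*)"                           # any number of bytes
    r"|(?P<gap>\{[0-9-]+\})"                   # {n}, {n-m}, {-n}, {n-}
    r"|(?P<any>(?:\?\?)+)"                     # ?? = one arbitrary byte each
    r"|(?P<nib>[0-9a-fA-F]\?|\?[0-9a-fA-F])"   # half-byte wildcard
    r"|(?P<alt>\([^)]*\))"                     # (aa|bb) alternatives
)

def printable(raw):
    """Render bytes as ASCII, escaping anything non-printable."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in raw)

def decode_body(hexsig):
    """Split a hex signature body into readable literals and wildcard markers."""
    parts, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if m is None:
            raise ValueError(f"unsupported token at {pos}: {hexsig[pos:pos + 8]!r}")
        kind, text = m.lastgroup, m.group()
        if kind == "hex":
            parts.append(printable(bytes.fromhex(text)))
        elif kind == "star":
            parts.append("<any bytes>")
        elif kind == "gap":
            parts.append(f"<skip {text[1:-1]} bytes>")
        elif kind == "any":
            parts.append(f"<{len(text) // 2} arbitrary byte(s)>")
        else:  # nibble wildcard or alternation: show the raw token
            parts.append(f"<{text}>")
        pos = m.end()
    return parts

def parse_ndb(line):
    """Parse the first four colon-separated fields of an .ndb signature line."""
    name, target, offset, body = line.strip().split(":")[:4]
    return {"name": name, "offset": offset,
            "target": TARGET_TYPES.get(int(target), f"type {target}"),
            "body": decode_body(body)}
```

Literal strings that are ordinary PDF structure (font or cmap keywords, for instance) rather than phishing-specific content are the detail worth quoting in a false-positive report.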