On Tue, 27 Sep 2016, Al Varnell wrote:

> The signature is based on a 2240 byte file, so it is probably something
> embedded in the PDF.

Yes, the 2240 null byte file pdf51 is extracted by clamav from the pdf. --leave-temps and --debug can be used to show this and to obtain the file.

md5sum pdf51
013167adb9fbc93923f9c0789599ec95  pdf51

sha256sum pdf51
2f7eaacf490839d9c603736149286272aea4df46c0daf58f0c70062041c68230  pdf51

(The sha256 sum is in the virustotal url, not the md5sum.)

The md5sum and sha256sum of the original malware are unknown. I don't have the malware, only a file with a FP on the broken signature, that may or may not also contain malware or be the original malware.

The clamav hdb signature is independent of file type and would match any 2240 null byte file, not just a file extracted from a pdf.

Incidentally, clamav debug shows the file as stream 68 0, but stream 68 does not extract to a 2240 null byte file with pdf-parser.py.

Uploading the null byte file to fp would make sense. But anyone can create the file themselves. Uploading the pdf to fp might not make sense as it is unknown if it contains malware or not. The pdf scans negative except for clamav on virustotal, but could still contain malware.

https://virustotal.com/en/file/13f14263e8268626e7a7f42e10dab99b87007cf6f2a29affd46f2cafa2ecb607/analysis/

Note the filename is not the same as original.

sha256sum Deal.pdf
13f14263e8268626e7a7f42e10dab99b87007cf6f2a29affd46f2cafa2ecb607  Deal.pdf

Is the original malware sample for which the signature was intended still available and does it have the above sha256sum?

-- 
David Shrimpton
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
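The point the message makes, that an .hdb entry is a hash over the whole extracted object and so matches any 2240 null byte file regardless of where it came from, can be reproduced without the PDF. The script below is an added example, not code from the thread or from the ClamAV project: it builds the 2240 null bytes, prints their MD5 and SHA256 (which can be compared against the sums quoted above), assembles an entry in the documented .hdb layout (MD5:FileSize:MalwareName, with '*' allowed as the size), and checks candidate buffers against it the way a hash signature is evaluated. The signature name `Example.NullBytes.FP` is a placeholder; the real signature name from the FP report is not given in the message.

```python
import hashlib

# Size of the extracted object pdf51 quoted in the message.
NULL_FILE_SIZE = 2240


def null_file(size: int = NULL_FILE_SIZE) -> bytes:
    """Return `size` null bytes: the same content clamav extracted as pdf51,
    which anyone can recreate without the original PDF."""
    return b"\x00" * size


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    # VirusTotal URLs key on SHA256, not MD5.
    return hashlib.sha256(data).hexdigest()


def hdb_line(data: bytes, name: str) -> str:
    """Build a ClamAV .hdb entry for `data`.

    Layout: MD5:FileSize:MalwareName. The hash covers the whole object, so
    the entry carries no notion of file type or container."""
    return f"{md5_hex(data)}:{len(data)}:{name}"


def hdb_match(line: str, data: bytes) -> bool:
    """Check `data` against one .hdb line: the size must match (unless the
    entry uses '*'), then the MD5 must match. Nothing else is consulted."""
    digest, size, _name = line.rstrip("\n").split(":", 2)
    if size != "*" and int(size) != len(data):
        return False
    return digest.lower() == md5_hex(data)


def write_sample(path: str, data: bytes) -> str:
    """Write `data` to `path` so it can be scanned with clamscan or
    submitted as a false-positive sample."""
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = null_file()
    print("size   :", len(sample))
    print("md5    :", md5_hex(sample))
    print("sha256 :", sha256_hex(sample))

    # Placeholder signature name (assumption): the real name is not in the message.
    sig = hdb_line(sample, "Example.NullBytes.FP")
    print("hdb    :", sig)

    # hdb_match only ever sees bytes: a filename or extension is not an
    # input, so pdf51, zeros.bin or zeros.txt with the same content all match.
    for label in ("pdf51", "zeros.bin", "zeros.txt"):
        print(f"{label:10s} matches: {hdb_match(sig, sample)}")

    # One extra byte, or one non-null byte, breaks the match.
    print("2241 nulls matches :", hdb_match(sig, null_file(2241)))
    print("0x01 * 2240 matches:", hdb_match(sig, b"\x01" * 2240))

    write_sample("pdf51", sample)
```

Running it writes a local pdf51 and prints the hashes; if the printed MD5 equals the one in the message, the .hdb entry in question really is a hash of 2240 null bytes and will fire on any such file, which is why submitting the null byte file alone to the FP queue is enough to demonstrate the problem.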