
On my Windows 8.1 computer I created an MS Word document containing a couple of images I downloaded from the internet, and exported it as a PDF. The MS Word version is 14.0.7232.5000, 64-bit. I sent that PDF to a number of recipients by email.

One email bounced with the line

MTP error from remote server for TEXT command, host: mailin.snafu.de (84.23.254.51) reason: 550 This message contains malware (Win.Exploit.CVE_2019_0903-6966169-0)

None of the other mails containing the same attachment bounced. When I scanned the attachment with virustotal.com just one of the 58 engines reported a detection, ClamAV. The detection was labeled exactly "Win.Exploit.CVE_2019_0903-6966169-0" (which may indicate that the provider uses ClamAV). On the details page one property of the file was marked as suspicious, "Contains at least one embedded file".

CVE-2019-0903 is a buffer overflow in the Windows GDI.

Question: Is this a false positive? If not, why do other engines not detect it, even though it has been public since May 15 and the CVE entry is from November 2018?

    No time to write a full answer, but yes, it appears to be an FP from ClamAV. See https://lists.clamav.net/pipermail/clamav-users/2019-May/008053.html and follow-up messages. – Tony Meyer May 27 '19 at 01:34

1 Answer


It seems like a false positive; from marc.info clamav:

Our system updated today:

May 25 09:24:20 daily.cld updated (version: 25460, sigs: 1581004, f-level: 63, builder: raynman)

(Time is BST - i.e. UTC+1)

After that we saw a large number of viruses found - all detected as Win.Exploit.CVE_2019_0903-6966169-0

This seems to be including mails without any attachments.

Esa Jokinen
bizio

    A false positive is very likely. Yesterday's ClamAV signatures gave me a false positive and caused some scans to fail with "Segmentation Fault 11". It reported `Win.Exploit.CVE_2019_0903-6966169-0 FOUND` in a PDF, and Virus Total reported the same from ClamAV, the only detection report. Both local scan issues are resolved in today's update daily-25462.cdiff, and Virus Total shows the file as clean. – Jonathan Dagle May 27 '19 at 13:32
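The practical check that follows from the answer and the comment above is to find out which daily.cld your scanner is running and rescan once it is past the bad set. The script below is an added example, not code from the original question, the answer, or the ClamAV project. It takes two facts from this page: daily 25460 (the May 25 update) introduced the false positive and daily 25462 resolved it. It assumes that every daily version from 25460 up to but not including 25462 is affected, that `clamscan --version` prints a line of the form `ClamAV <engine>/<daily>/<date>` when a database is loaded, and that `clamscan --no-summary FILE` prints `FILE: OK` or `FILE: <signature> FOUND`. The scan of a real PDF only runs when clamscan is installed; the classification logic runs offline on constructed sample lines.

```shell
#!/bin/sh
# Added example, not from the original post or from ClamAV.
# Facts from the page: daily 25460 introduced the false positive on
# Win.Exploit.CVE_2019_0903-6966169-0, daily 25462 resolved it.
# ASSUMPTION: dailies 25460 <= v < 25462 are the affected range.

SIG_NAME="Win.Exploit.CVE_2019_0903-6966169-0"
FIRST_BAD_DAILY=25460
FIRST_GOOD_DAILY=25462

# Extract the daily.cld version from a `clamscan --version` line such as
# "ClamAV 0.101.2/25460/Sat May 25 08:24:20 2019" (assumed format).
# Prints the number, or nothing when the line carries no database
# version (clamscan prints only "ClamAV x.y.z" if no database is loaded).
daily_version_from_version_line() {
    rest="${1#*/}"
    [ "$rest" = "$1" ] && return 0      # no slash: no database version
    num="${rest%%/*}"
    case "$num" in
        ''|*[!0-9]*) return 0 ;;        # second field is not a number
        *) printf '%s\n' "$num" ;;
    esac
}

# Exit status 0 if the daily version lies in the range known (per the
# page) to carry the bad signature, 1 otherwise.
is_affected_daily() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) return 1 ;;        # not a number: cannot judge
    esac
    [ "$v" -ge "$FIRST_BAD_DAILY" ] && [ "$v" -lt "$FIRST_GOOD_DAILY" ]
}

# Classify one clamscan result line given the daily version it was
# produced with. Prints: "clean", "known-fp" (the bad signature fired on
# an affected database), "hit" (any other detection, or the bad
# signature on a fixed database), or "unknown".
classify_scan_line() {
    line="$1"
    daily="$2"
    case "$line" in
        *": OK")
            echo clean ;;
        *": $SIG_NAME FOUND")
            if is_affected_daily "$daily"; then echo known-fp; else echo hit; fi ;;
        *" FOUND")
            echo hit ;;
        *)
            echo unknown ;;
    esac
}

# Real-world use: scan a PDF with the locally installed clamscan and
# say whether a hit is the known false positive. Skipped when clamscan
# is not on PATH so the script still runs offline.
check_pdf() {
    pdf="$1"
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; nothing scanned" >&2
        return 2
    fi
    daily=$(daily_version_from_version_line "$(clamscan --version)")
    result=$(clamscan --no-summary "$pdf" 2>/dev/null | tail -n 1)
    verdict=$(classify_scan_line "$result" "$daily")
    echo "daily=$daily verdict=$verdict"
    if [ "$verdict" = known-fp ]; then
        echo "run freshclam and rescan before trusting this detection" >&2
    fi
}

# Constructed sample lines (not real scanner output): the first mirrors
# the detection reported in the comment above on the bad database, the
# second is what the fixed database returns for the same file.
classify_scan_line "/tmp/report.pdf: $SIG_NAME FOUND" 25460
classify_scan_line "/tmp/report.pdf: OK" 25462
```

To use it on a real file, call `check_pdf /path/to/file.pdf`; a `known-fp` verdict means the detection came from an affected signature set and should be repeated after `freshclam` has pulled daily 25462 or later.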