EvilZone

Problem
Not so much a problem as a learning experience.  I think I found malware on my Windows partition and would like to statically analysis it.

Background
I scanned my laptop a while ago, from my Linux partition using Clamav.  Clamav picked up a few malware infected files on the windows partition.  So I boot up in Windows and ran a slew of malware removal tools (Malwarebytes, JTR, etc).  Avast never picked up any malware.

Things I have tried
Then I started reading the tutorials on EZ (not because of the above).  I started with Deque's tutorials and it made me wonder. So I ran the scan again and found:

/media/Data/Python35/Scripts/smbrelayx.py: Win.Exploit.CVE_2015_0005 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 4238654
Engine version: 0.98.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.06 MB
Data read: 0.04 MB (ratio 1.78:1)
Time: 5.719 sec (0 m 5 s)

Ooh, I thought, lets use my mad skills (from reading only two tutorials) and crack open this puppy. But wait, I told myself, think first!  Lets see what we are dealing with here before I do anything.

So I DDG (Search) a bit and found SMB Relay Demystified and NTLMv2 Pwnage with Python. Which, after reading, I found that it was developed to do SMB Relay attacks.

I also search for info on Win.Exploit.CVE_2015_0005 and found a lot of sites reporting the same (as Vulnerability Center):

Microsoft Windows multiple versions in vulnerable to remote spoofing attack in NETLOGON due to improper establishment of a secure communications channel belonging to a different machine with a spoofed computer name.

Questions

• Is my assumption correct; that it is an intentional exploiting script and clamav is over reacting?
• Is there possibly malware embedded in this exploiting script?

Regardless, I'll first work though a few tutorials (to gain knowledge and confidence), read up more and then take a look at smbrelayx.py – if it is malware...