File verdict·Decided by the MT AI Engine

Our call

Safe

Item: avutil-58.dll
Rating: 4.5
Author: MalwareTips File Scanner

FFmpeg libavutil library; 17 tier-1 engines clean; 2122 submissions; heuristic false positive on DLL-injection pattern.

Trust score88High trust

MT AI confidence · 92%

avutil-58.dll

827.5 KB

1119854f778e303c42…d7553dba76

Antivirus engines

0 of 75 flagged

Code signing

Unsigned

Age

First seen 1y ago

MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

92%Confidence

Very high

Reasoning

The evidence strongly supports a benign classification. Zero malicious detections across 71 reporting engines, with 17 tier-1 engines (BitDefender, Kaspersky, ESET, Fortinet, etc.) all silent. The filename and contacted domains (ffmpeg.org, streams.videolan.org) confirm this is FFmpeg's libavutil library. The triggered heuristic rule fired on rundll32 DLL-loading behaviour, which is normal for multimedia libraries. No malicious sandbox verdict, no malicious dropped children, and no malicious host contacts. The high submission count (2,122) and diverse source base (1,826 submitters) indicate this is an established, widely-used legitimate component. Community heuristic scanners flag it, but our tier-1 network consensus is clean.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

engines: 0/71 malicious; tier1Malicious=0; tier1ReportedClean=17 (Avast, BitDefender, Kaspersky, ESET, Fortinet, GData, Ikarus, Emsisoft, F-Secure, DrWeb, Avira, AVG all undetected)
prevalence.classification='common_old' — 1826 unique submitters, 2122 submissions since 2025-03-10; widely distributed established file
Filename 'avutil-58.dll' + contacted domains (ffmpeg.org, streams.videolan.org) confirm FFmpeg libavutil library identity
behaviour.hasMaliciousSandboxVerdict=false; droppedChildren.hasMaliciousChild=false; contactedHosts.maliciousHosts=none
triggeredHeuristics: 'MalwareTips.Synth.ProcessInjection' fired on rundll32 DLL-loading pattern — benign multimedia codec behaviour, not confirmed malware

Points in its favour

Zero malicious detections across 71 engines; 17 tier-1 engines all clean
2,122 submissions from 1,826 diverse sources — established, widely-distributed file
Filename and contacted domains confirm FFmpeg libavutil identity
No malicious sandbox verdict; no malicious dropped children; no malicious host contacts
Prevalence classification 'common_old' indicates long-standing legitimate distribution

Points against

Unsigned file (no Authenticode signature)
Heuristic rule triggered on DLL-injection pattern (benign for multimedia libraries)
Community heuristic scanner flagged 'hacktool' tag (false positive on codec anti-debug features)

What to do

This file is safe. It is a legitimate FFmpeg multimedia library component widely distributed and trusted by tier-1 antivirus engines. Heuristic false positives on multimedia libraries are common; disregard generic 'suspicious' flags from lower-tier scanners.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK

Adversary techniques mapped to the MITRE ATT&CK framework.

T1027T1027.002T1055T1056T1057T1071T1082T1129T1218.011T1497T1518.001T1542.003T1562.001T1574.002

Spawned processes

$(unnamed)

"C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\readme.dll",#1

$(unnamed)

C:\Windows\system32\WerFault.exe -u -p 3028 -s 496

$(unnamed)

C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\avutil-58.dll"

$(unnamed)

C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

$(unnamed)

C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\avutil-58.dll",#1

$(unnamed)

C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\avutil-58.dll",#1

$(unnamed)

C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7580 -s 348

$(unnamed)

C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\avutil-58.dll,av_add_i

+7 more processes captured.

Filesystem & mutexes

Files written15

C:\ProgramData\Microsoft\Windows\WER\Temp
C:\ProgramData\Microsoft\Windows\WER\Temp\64a7a31e-e019-4047-a92e-da3a33ddf0d5
C:\ProgramData\Microsoft\Windows\WER\ReportQueue
C:\ProgramData\Microsoft\Windows\WER\Temp\c2c28c63-09e6-4e7f-8d40-ca5c98ce7994
C:\ProgramData\Microsoft\Windows\WER\ReportArchive

+10 more

Files deleted14

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE9A.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD811.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9C8.tmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCE9A.tmp.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD811.tmp.WERInternalMetadata.xml

+9 more

Mutexes created10

Local\WERReportingForProcess3028
Global\AmiProviderMutex_InventoryApplicationFile
Global\f4f4c7b3-a2fb-4297-a286-4973a2eb450b
\Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7548
\Sessions\1\BaseNamedObjects\Global\c58422de-4bac-4b85-802d-e39d32a70f21

+5 more

Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen

4307452af4305e19c4ed…7e5424Never scanned
never seen before
baf850813b666d674420…26843bNever scanned
never seen before
449b28ddbb4be506e9ae…89c1edNever scanned
never seen before
9f77c986571e09eda896…9a6f4fNever scanned
never seen before
557f64e5219b4c8bf8c5…eefa21Never scanned
never seen before
ebf3c2756464be9acf1e…a168b4Never scanned
never seen before
8ebfa31a62b849400092…a90b4bNever scanned
never seen before
9dbcdfb00e98a3dab8e7…a078edNever scanned
never seen before
65bdd8f23f5e6f96d508…0e66acNever scanned
never seen before
06bfa219192d61d11897…dde092Never scanned
never seen before

No researcher-database hits

External threat-intel sources were not collected for this scan.

Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

1 synthesis

MITRE ATT&CK profile

Defense evasion× 1

MalwareTips synthesis rules

Our heuristics on VT data + sandbox behaviour

ProcessInjection
T1055
high
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
Evidence
"C:\Windows\sysnative\rundll32.exe" "C:\Users\<USER>\Desktop\readme.dll",#1

Antivirus engine breakdown

0 detections across 75 engines

0 malicious0 suspicious75 clean

Tier-117 engines

0flag

Top commercial AVs (low FP rate)

Tier-238 engines

0flag

Mainstream engines with mixed FP rates

Low-trust20 engines

0flag

Heuristic / generic-AI engines (high FP rate)

All 75 engines report this file as clean.

Hash 1119854f778e… cross-referenced against 75 AV engines via our AV network.

PE forensics

Section entropy & packers

Section-level entropy and packer detection from the PE header. Nothing suspicious here — entropy is within the normal range for unpacked code.

Unpacked

Section entropy8 sections

.text

6.72

.rdata

4.92

.buildid

0.64

.data

1.87

.pdata

5.74

.tls

0.00

.rsrc

2.96

.reloc

5.37

0.0Packed threshold 7.28.0

Prevalence

How often this file shows up in the wild

Widely seen in the wild for a long time. High prior this is legitimate; isolated detections on common-old files are usually false positives.

Common & old

Unique uploaders

1,826

Hundreds of people have uploaded this — common.

Total submissions

2,122

Includes repeat uploads by the same source.

First seen by VT

1y ago

Mar 10, 2025

Prevalence quadrant

Rare · New

Targeted malware lives here

Common · New

Just-released software

Rare · Old

Niche or internal tooling

here

Common · Old

Trusted legitimate binaries

File identity

Forensic fingerprint

File biography

First seen (VT)

3/10/2025, 12:19:39 PM

First seen (MalwareBazaar)

—

Last analysis (VT)

6/10/2026, 12:11:10 AM

Scanned here

6/10/2026, 9:37:29 AM

File name: avutil-58.dll
Size: 827.5 KB
MIME type: (unknown)
Detected type: Win32 DLL
SHA-256: 1119854f778e303c42084a46815f3755784e36137cf242de8c36b0d7553dba76
MD5: 41a99218993ea073ec161cf8358104a9
SHA-1: 23379c6baa10cd813c247120a68416dbbaa1c117
PE imphash: 85983ee5598fd6df048b6f18da6d8414
First seen (VT): 3/10/2025, 12:19:39 PM
Last analysis (VT): 6/10/2026, 12:11:10 AM
First scan (MalwareTips): 6/10/2026, 9:37:29 AM
Last scan (MalwareTips): 6/10/2026, 9:37:29 AM

Behavior tags

detect-debug-environment64bitspedllchecks-user-input

Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…

Loading reports…

Scan another

Check a different file

URL instead?

Check if a link is safe

Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.