Threat indicators

Each category represents an area that has been frequently seen in malicious software.

Anomalies

These indicators represent situations where the file has elements that are inconsistent or anomalous in some way. Frequently these are inconsistencies in structural elements of the file.

16bitSubsystem: The file utilizes the 16-bit subsystem. Malware uses this to exist in a less secure and less monitored part of the operating system, and frequently to perform privilege escalation attacks.
Anachronism: This PE appears to be lying about when it was written, which is atypical for professionally written software.
AppendedData: This PE has some extra content appended to it, beyond the normal areas of the file. Appended data is frequently used to embed malicious code or data, and is frequently overlooked by protection systems.
AutoitDbgPrivilege: The AutoIt script is capable of performing debug activities.
AutoitManyDllCalls: The AutoIt script uses many external DLL calls. The AutoIt runtime already provides many common functions, so using additional functionality from external DLLs may be a sign of maliciousness.
AutoitMutex: The AutoIt script creates synchronization objects. Malware often does this to prevent multiple infections of the same target.
AutoitProcessCarving: The AutoIt script is likely performing process carving to run its own code so that it appears to come from another process. This is often done to hinder detection.
AutoitProcessInjection: The AutoIt script is likely performing process injection to run code in the context of other processes, possibly to stay undetected or to steal data.
AutoitRegWrite: The AutoIt script writes into the Windows registry.
Base64Alphabet: The file contains evidence of a Base64 encoding alphabet. Malware does this to attempt to avoid common detection, or to attack other programs using Base64 encoding.
CommandlineArgsImport: The file imports functions that can be used to read arguments from a command line. Malware uses this to collect information on subsequent runs.
ComplexMultipleFilters: The file contains multiple streams with multiple filters.
ComplexObfuscatedEncoding: The file contains an anomalously high number of obfuscated names.
ComplexUnsupportedVersionEmbeddedFiles: The file uses EmbeddedFiles features from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionFlate: The file uses the FlateDecode feature from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionJbig2: The file uses the JBIG2Decode feature from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionJs: The file uses JavaScript features from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionXFA: The file uses XFA features from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionXobject: The file uses XObject features from newer versions of the PDF standard than the file declares.
ContainsFlash: The file contains Flash objects.
ContainsPE: The file contains embedded executable files.
ContainsU3D: The file contains U3D objects.
InvalidCodePageUsed: The file uses an invalid or unrecognized locale, possibly to avoid detection.
InvalidData: The file metadata is obviously bogus or corrupt.
InvalidStructure: The file structure is not valid. The sizes, metadata, or internal sector allocation table are wrong, which may indicate an exploit.
ManifestMismatch: The file demonstrates an inconsistency in its manifest. Malware does this to avoid detection, but rarely covers its tracks deeply.
NontrivialDLLEP: This PE is a DLL with a nontrivial entry point. This is common among DLLs, but a malicious DLL may use its entry point to take up residence in a process.
NullValuesInStrings: Some strings within the file contain null characters in the middle.
PDFParserArraysContainsNullCount: The file contains an anomalously high number of null values in arrays.
PDFParserArraysHeterogeneousCount: The file contains an anomalously high number of arrays containing different types of elements.
PDFParserMailtoURICount: The file contains an anomalously high number of email links (mailto:).
PDFParserMinPageCount: The file has an unusual structure of page objects, such as a high number of child-page objects per node.
PDFParserNamesPoundNameMaxLength: The file may attempt to obfuscate its contents by using long encoded strings.
PDFParserNamesPoundNameMinLength: The file contains an anomalously high minimum length of an escaped name.
PDFParserNamesPoundNameTotalLength: The file may attempt to obfuscate its contents by storing much of its content in encoded strings.
PDFParserNamesPoundNameUpperCount: The file contains an anomalously high number of names escaped with uppercase hexadecimal characters.
PDFParserNamesPoundNameValidCount: The file contains an anomalously high number of valid escaped names.
PDFParserNamesPoundPerNameMaxCount: The file contains an anomalously high maximum number of escaped characters per single name.
PDFParserNamesPoundUnnecessaryCount: The file contains an anomalously high number of unnecessarily escaped names.
PDFParserNumbersLeadingDigitTallies8: The file contains an anomalously high number of numbers that start with 8 in decimal representation.
PDFParserNumbersPlusCount: The file contains an anomalously high number of numbers with an explicit plus sign.
PDFParserNumbersRealMaxRawLength: The file contains an anomalously high maximum length of a real number.
PDFParserPageCounts: The file contains an anomalously high number of child-page objects.
PDFParserPageObjectCount: The file contains an anomalously high number of page objects.
PDFParserSizeEOF: The file contains anomalously long end-of-file sequence(s).
PDFParserStringsHexLowerCount: The file contains an anomalously high number of strings escaped with lowercase hexadecimal digits.
PDFParserStringsLiteralStringMaxLength: The file contains an anomalously high maximum length of a literal string.
PDFParserStringsOctalZeroPaddedCount: The file contains an anomalously high number of octal escaped characters in strings that are unnecessarily zero-padded.
PDFParserTrailerSpread: The file contains an anomalously large spread between trailer objects.
PDFParserWhitespaceCommentMaxLength: The file contains an anomalously high maximum length for a comment.
PDFParserWhitespaceCommentMinLength: The file contains unusually short comments that are not used by reader software.
PDFParserWhitespaceCommentTotalLength: The file contains an unusually large amount of commented-out data.
PDFParserWhitespaceEOL0ACount: The file contains an anomalously high number of short end-of-line characters.
PDFParserWhitespaceWhitespace00Count: The file contains an anomalously high number of zero bytes used as whitespace.
PDFParserWhitespaceWhitespace09Count: The file contains an anomalously high number of 0x09 bytes used as whitespace.
PDFParserWhitespaceWhitespaceLongestRun: The file contains an anomalously long whitespace area.
PDFParserWhitespaceWhitespaceTotalLength: The file contains an anomalously high number of whitespace characters.
PDFParseru3DObjectsNamesAllNames: The file contains an anomalously high number of U3D objects.
PossibleBAT: The file contains evidence of having a standard Windows batch file included. Malware does this to avoid common scanning techniques and to provide persistence.
PossibleDinkumware: The file shows evidence of including some components from Dinkumware. Dinkumware is frequently used in various malware components.
PropertyImpropriety: The file contains suspicious OOXML properties.
RaiseExceptionImports: The file imports functions used to raise exceptions within a program. Malware does this to implement tactics that make standard dynamic code analysis difficult to follow.
ReservedFieldsViolation: The file violates the specification in terms of the use of reserved fields.
ResourceAnomaly: The file contains an anomaly in the resource section. Malware frequently contains malformed or other odd bits in the resource section of a DLL.
RWXSection: This PE may contain modifiable code, which is at best unorthodox and at worst symptomatic of a virus infection. Frequently, this feature implies that the file has been built using something other than a standard compiler, or has been modified after it was originally built.
SectorMalfeasance: The file contains structural oddities in its OLE sector allocation.
StringInvalid: One of the references to a string in a string table pointed to a negative offset.
StringTableNotTerminated: A string table was not terminated with a null byte. This could cause a fault at runtime due to a string that does not end.
StringTruncated: One of the references to a string in a string table pointed to a location after the end of the file.
SuspiciousPDataSection: This PE is hiding something in its "pdata" area, but it is not clear what it is. The "pdata" area in a PE file is generally used for process runtime structures, but this particular file contains something else.
SuspiciousRelocSection: This PE is hiding something in its "relocations" area, but it is not clear what it is. The "relocations" area in a PE file is generally used for relocating particular symbols, but this particular file contains something else.
SuspiciousDirectoryNames: The file contains OLE directory names associated with badness.
SuspiciousDirectoryStructure: The file has oddities in the OLE directory structure.
SuspiciousEmbedding: The file uses suspicious embedding of OLE.
SuspiciousVBA: The file contains suspicious VBA code.
SuspiciousVBALib: The file shows suspicious VBA library usage.
SuspiciousVBANames: The file contains suspicious names associated with VBA structures.
SuspiciousVBAVersion: The file contains suspicious VBA versioning.
SWFOddity: The file contains certain questionable usages of embedded SWF.
TooMalformedToProcess: The file is so malformed that it could not be parsed completely.
VersionAnomaly: The file has issues with how it presents its version information. Malware does this to avoid detection.

Collection

These indicators represent situations where the file has elements that indicate capabilities or evidence of collecting data. This can include the enumeration of system configuration or collection of specific sensitive information.
BrowserInfoTheft: The file contains evidence of an intent to read passwords stored in browser caches. Malware uses this to collect the passwords for exfiltration.
CredentialProvider: The file contains evidence of interaction with a credential provider, or the desire to appear as one. Malware does this because credential providers get access to many types of sensitive data, such as usernames and passwords, and by acting as one, it may be able to subvert authentication integrity.
CurrentUserInfoImports: The file imports functions that are used to gather information about the currently logged-in user. Malware uses this to determine paths of action to escalate privileges and to better tailor attacks.
DebugStringImports: The file imports functions that are used to output debug strings. Typically, this is disabled in production software, but left on in malware that is being tested.
DiskInfoImports: The file imports functions that can be used to gather details about volumes on the system. Malware uses this in conjunction with volume enumeration to determine facts about the volumes in preparation for a further attack.
EnumerateFileImports: The file imports functions that are used to list files. Malware uses this to look for sensitive data, or to find further points of attack.
EnumerateModuleImports: The file imports functions that can be used to list all of the DLLs that a running process uses. Malware uses this capability to locate and target specific libraries for loading into a process, and to map out a process it wishes to inject into.
EnumerateNetwork: The file demonstrates evidence of a capability to enumerate connected networks and network adapters. Malware does this to determine where a target system lies in relation to others, and to look for possible lateral paths.
EnumerateProcessImports: The file imports functions that can be used to list all of the running processes on a system. Malware uses this capability to locate processes to inject into or those that it wishes to terminate.
EnumerateVolumeImports: The file imports functions that can be used to list the volumes on the system. Malware uses this to find all of the areas it might need to search for data, or to spread an infection.
GinaImports: The file imports functions that are used to access GINA. Malware does this to attempt to breach the secure Ctrl-Alt-Delete password entry system or other network login functions.
HostnameSearchImports: The file imports functions that are used to gather information about host names on the network and the host name of the machine itself. Malware uses this capability to better target further attacks or scan for new targets.
KeystrokeLogImports: The file imports functions that can capture and log keystrokes from the keyboard. Malware uses this to capture and save keystrokes to find sensitive information such as passwords.
OSInfoImports: The file imports functions that are used to gather information about the current operating system. Malware uses this to determine how to better tailor further attacks and to report information back to a controller.
PossibleKeylogger: The file contains evidence of keylogger-type activity. Malware uses keyloggers to collect sensitive information from the keyboard.
PossiblePasswords: The file has evidence of including common passwords, or a structure that would enable brute-forcing common passwords. Malware uses this to attempt to penetrate a network further by accessing other resources via password.
ProcessorInfoWMI: The file imports functions that can be used to determine details about the processor. Malware uses this to tailor attacks and exfiltrate this data to common command-and-control infrastructure.
RDPUsage: The file shows evidence of interacting with the Remote Desktop Protocol (RDP). Malware frequently uses this to move laterally and to offer direct command-and-control functionality.
SpyString: The file is possibly spying on the clipboard or user actions via accessibility API usage.
SystemDirImports: The file imports functions used to locate the system directory. Malware does this to find where many of the installed system binaries are located, as it frequently hides among them.
UserEnvInfoImports: The file imports functions that are used to gather information about the environment of the currently logged-in user. Malware uses this to determine details about the logged-in user and to look for other intelligence that can be gleaned from the environment variables.

Data loss

These indicators represent situations where the file has elements that indicate capabilities or evidence of exfiltration of data. This can include outgoing network connections, evidence of acting as a browser, or other network communications.
AbnormalNetworkActivity: The file implements a non-standard method of networking. Malware does this to avoid detection of more common networking approaches.
BrowserPluginString: The file has the capability to enumerate or install browser plugins.
ContainsBrowserString: The file contains evidence of attempting to create a custom UserAgent string. Malware frequently uses common UserAgent strings to avoid detection in outgoing requests.
DownloadFileImports: The file imports functions that can be used to download files to the system. Malware uses this both as a way to further stage an attack and to exfiltrate data via the outbound URL.
FirewallModifyImports: The file imports functions used to modify the local Windows firewall. Malware uses this to open holes and avoid detection.
HTTPCustomHeaders: The file contains evidence of the creation of other custom HTTP headers. Malware does this to facilitate interactions with command-and-control infrastructure and to avoid detection.
IRCCommands: The file contains evidence of interaction with an IRC server. Malware commonly uses IRC to facilitate a command-and-control infrastructure.
MemoryExfiltrationImports: The file imports functions that can be used to read memory from a running process. Malware uses this to determine proper places to insert itself, or to extract useful information from the memory of a running process, such as passwords, credit card numbers, or other sensitive information.
NetworkOutboundImports: The file imports functions that can be used to send data out to the network or the general Internet. Malware uses this as a method for exfiltration of data or as a method for command and control.
PipeUsage: The file imports functions that allow the manipulation of named pipes. Malware uses this as a method of communication and of data exfiltration.
RPCUsage: The file imports functions that allow it to interact with Remote Procedure Call (RPC) infrastructure. Malware uses this to spread, or to send data to remote systems for exfiltration.

Deception

These indicators represent situations where the file has elements that indicate capabilities or evidence of a file attempting to be deceptive. Deception can come in the form of hidden sections, inclusion of code to avoid detection, or indications that it is labeled improperly in metadata or other sections.
AddedHeader: The file contains an additional, obfuscated PE header that may be a hidden malicious payload.
AddedKernel32: The file contains an additional, obfuscated reference to kernel32.dll, a library that may be used by a malicious payload.
AddedMscoree: The file contains an additional, obfuscated reference to mscoree.dll, a library that may be used by a malicious payload.
AddedMsvbvm: The file contains an additional, obfuscated reference to msvbvm, a library that may be used by a malicious payload compiled for Microsoft Visual Basic 6.
AntiVM: The file demonstrates features that can be used to determine if the process is running in a virtual machine. Malware does this to avoid running in virtualized sandboxes, which are becoming more common.
AutoitDownloadExecute: The AutoIt script can download and execute files. This is often done to deliver additional malicious payloads.
AutoitObfuscationStringConcat: The AutoIt script is likely obfuscated with string concatenation. This is often done to avoid detection of whole, suspicious commands.
AutoitShellcodeCalling: The AutoIt script uses the CallWindowProc() Windows API function, which may indicate the injection of shellcode.
AutoitUseResources: The AutoIt script uses data from resources stored alongside the script. Malware often stores important parts of itself as resource data and unpacks them at runtime, so this looks suspicious.
CabinentUsage: The file shows evidence of containing a CAB file. Malware does this to package sensitive components in a way that many detection systems cannot see.
ClearKernel32: The file contains a reference to kernel32.dll, a library that may be used by a malicious payload.
ClearMscoree: The file contains a reference to mscoree.dll, a library that may be used by a malicious payload.
ClearMsvbvm: The file contains a reference to msvbvm.dll, a library that may be used by a malicious payload compiled for Microsoft Visual Basic 6.
ComplexInvalidVersion: The file declares the wrong PDF version.
ComplexJsStenographySuspected: The file may contain JavaScript code hidden in literal strings.
ContainsEmbeddedDocument: The file contains a document embedded inside the object. Malware can use this to spread an attack to multiple sources or to otherwise hide its true form.
CryptoKeys: The file contains evidence of having an embedded cryptographic key. Malware does this to avoid detection and perhaps for authentication with remote services.
DebugCheckImports: The file imports functions that would allow it to act like a debugger. Malware uses this capability to read and write memory of other processes.
EmbeddedPE: The PE has additional PEs within it, which is usually only the case with software installation programs. Frequently malware embeds a PE file that it then drops to disk and executes. This technique is often used to avoid protection scanners by packaging binaries in a format that the underlying scanning technology does not understand.
EncodedDosStub1: The PE contains an obfuscated PE DOS stub that may belong to a hidden malicious payload.
EncodedDosStub2: The PE contains an obfuscated PE DOS stub that may belong to a hidden malicious payload.
EncodedPE: The PE has additional PEs hidden within it, which is extremely suspicious. It is similar to the EmbeddedPE indicator, but uses an encoding scheme to attempt to further hide the binary inside the object.
ExecuteDLL: The PE contains evidence of the capability to execute a DLL using common methods. Malware does this as a method to avoid common detection practices.
FakeMicrosoft: The PE claims to be written by Microsoft, but it does not look like a Microsoft PE. Malware commonly masquerades as Microsoft PEs in order to look inconspicuous.
HiddenMachO: The file has another Mach-O executable file within it, which is not properly declared. This may be an attempt to hide the payload from being easily detected.
HTTPCustomUserAgent: The file contains evidence of manipulation of the browser UserAgent. Malware does this to facilitate interactions with command-and-control infrastructure and to avoid detection.
InjectProcessImports: The PE can inject code into other processes. This capability frequently implies that a process is attempting to be deceptive or hostile in some way.
InvisibleEXE: The PE appears to run invisibly, but it is not a background service. It might be designed to remain hidden.
JSTokensSuspicious: The file contains unusually suspicious JavaScript.
MSCertStore: The file shows evidence of interacting with the core Windows certificate store. Malware does this to collect credentials and to insert rogue keys into the store to facilitate actions such as man-in-the-middle attacks.
MSCryptoImports: The file imports functions to use the core Windows cryptography library. Malware uses this to leverage the locally installed cryptography so it does not need to carry its own cryptographic code.
PDFParserDotDotSlash1URICount: The file may attempt path traversal using relative paths such as "../".
PDFParserJavaScriptMagicseval~28: The file may contain obfuscated JavaScript or can run dynamically loaded JavaScript with eval().
PDFParserJavaScriptMagicsunescape~28: The file may contain obfuscated JavaScript.
PDFParserjsObjectsLength: The file contains an anomalously high number of individual JavaScript scripts.
PDFParserJSStreamCount: The file contains an unusually high number of JavaScript-related streams.
PDFParserJSTokenCounts0cumulativesum: The file contains an anomalously high number of JavaScript tokens.
PDFParserJSTokenCounts1cumulativesum: The file contains an anomalously high number of JavaScript tokens.
PDFParserNamesAllNamesSuspicious: The file contains an anomalously high number of suspicious names.
PDFParserNamesObfuscatedNamesSuspicious: The file contains an anomalously high number of obfuscated names.
PDFParserPEDetections: The file contains embedded PE file(s).
PDFParserSwfObjectsxObservationsxSWFObjectsversion: The file contains an SWF object with an unusual version number.
PDFParserSwfObjectsxObservationsxSWFObjectsxZLibcmfSWFObjectsxZLibcmf: The file contains an SWF object with unusual compression parameters.
PDFParserswfObjectsxObservationsxSWFObjectsxZLibflg: The file contains an SWF object with unusual compression flag parameters.
PE_ClearDosStub1: The file contains a DOS stub, indicative of PE file inclusion.
PE_ClearDosStub2: The file contains a DOS stub, indicative of PE file inclusion.
PE_ClearHeader: The file contains PE file header data that does not belong in the file structure.
PEinAppendedSpace: The file contains a PE file that does not belong in the file structure.
PEinFreeSpace: The file contains a PE file that does not belong in the file structure.
ProtectionExamination: The file seems to be looking for common protection systems. Malware does this to initiate an anti-protection action tailored to the protection installed on the system.
SegmentSuspiciousName: A segment has either an invalid string as a name or an unusual non-standard name. This may indicate post-compilation tampering or the use of packers or obfuscators.
SegmentSuspiciousSize: The segment size is significantly different from the size of all content sections within it. This may indicate the use of an unreferenced area or the reservation of space for runtime unpacking of malicious code.
SelfExtraction: The file seems to be a self-extracting archive. Malware frequently uses this tactic to obfuscate its true intentions.
ServiceDLL: The file seems to be a service DLL. Service DLLs are loaded in the svchost.exe process and are a common persistence methodology for malware.
StringJsSplitting: The file contains suspicious JS tokens.
SWFinAppendedSpace: The file contains a Shockwave Flash object that does not belong in the document structure.
TempFileImports: The file imports functions used to access and manipulate temporary files. Malware does this because temporary files tend to avoid detection.
UsesCompression: The file seems to have portions of code that appear to be compressed. Malware uses these techniques to avoid detection.
VirtualProtectImports: The file imports functions that are used to modify the memory protection of a running process. Malware does this to inject itself into running processes.
XoredHeader: The file contains an XOR-obfuscated PE header that may be a hidden malicious payload.
XoredKernel32: The file contains an XOR-obfuscated reference to kernel32.dll, a library that may be used by a malicious payload.
XoredMscoree: The file contains an XOR-obfuscated reference to mscoree.dll, a library that may be used by a malicious payload.
XoredMsvbvm: The file contains an XOR-obfuscated reference to msvbvm.dll, a library that may be used by a malicious payload compiled for Microsoft Visual Basic 6.

Destruction

These indicators represent situations where the file has elements that indicate capabilities or evidence of destruction. Destructive capabilities include the ability to delete system resources like files or directories.
action_writeByte: The VBA script within the document is likely writing bytes to a file, which is an unusual action for a legitimate document.
action_hexToBin: The VBA script within the file is likely using hexadecimal-to-binary conversion, which may indicate decoding of a hidden malicious payload.
appended_URI: The file contains a link that does not belong in the file structure.
appended_exploit: The file contains suspicious data outside of the file structure that may be indicative of an exploit.
appended_macro: The file contains a macro script that does not belong in the file structure.
appended_90_nopsled: The file contains a NOP sled that does not belong in the file structure; this is almost certainly there to facilitate exploitation.
AutorunsPersistence: The file attempts to interact with common methods of persistence (for example, startup scripts). Malware commonly uses these tactics to attain persistence.
DestructionString: The file has capabilities to kill processes or shut down the machine via shell commands.
FileDirDeleteImports: The PE imports functions that can be used to delete files or directories. Malware uses this to break systems and cover its tracks.
JsHeapSpray: The file likely contains heap spray code.
PossibleLocker: The file demonstrates evidence of a desire to lock out common tools by policy. Malware does this to retain persistence and make detection and cleanup more difficult.
RegistryManipulation: The file imports functions that are used to manipulate the Windows registry. Malware does this to attain persistence, avoid detection, and for many other reasons.
SeBackupPrivilege: The PE might attempt to read files to which it has not been granted access. The SeBackup privilege allows access to files without honoring access controls. It is frequently used by programs that handle backups and is frequently limited to administrative users, but it can be used maliciously to gain access to specific elements that might otherwise be difficult to access.
SeDebugPrivilege: The PE might attempt to tamper with system processes. The SeDebug privilege is used to access processes other than your own and is frequently limited to administrative users. It is often paired with reading from and writing to other processes.
SeRestorePrivilege: The PE might attempt to change or delete files to which it has not been granted access. The SeRestore privilege allows writing without consideration of access control.
ServiceControlImports: The file imports functions that can control Windows services on the current system. Malware uses this either to launch itself into the background by installing as a service, or to disable other services that may have a protective function.
SkylinedHeapSpray: The file contains an unmodified version of Skylined heap spray code.
SpawnProcessImports: The PE imports functions that can be used to spawn another process. Malware uses this to launch subsequent phases of an infection, typically downloaded from the Internet.
StringJsExploit: The file contains JavaScript code that is likely capable of exploitation.
StringJsObfuscation: The file contains JavaScript obfuscation tokens.
TerminateProcessImports: The file imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection systems, or to cause damage to a running system.
trigger_AutoClose: The VBA script within the file is likely trying to execute automatically when the file is closing.
trigger_Auto_Close: The VBA script within the file is likely trying to execute automatically when the file is closing.
trigger_AutoExec: The VBA script within the file is likely trying to execute automatically.
trigger_AutoExit: The VBA script within the file is likely trying to execute automatically when the document is closing.
trigger_AutoNew: The VBA script within the file is likely trying to execute automatically when a new document is being created.
trigger_AutoOpen: The VBA script within the file is likely trying to execute as soon as the file is opened.
trigger_Auto_Open: The VBA script within the file is likely trying to execute as soon as the file is opened.
trigger_DocumentBeforeClose: The VBA script within the file is likely trying to execute automatically just before the file closes.
trigger_DocumentChange: The VBA script within the file is likely trying to execute automatically when the file is being changed.
trigger_Document_Close: The VBA script within the file is likely trying to execute automatically when the file is closing.
trigger_Document_New: The VBA script within the file is likely trying to execute automatically when a new file is being created.
trigger_DocumentOpen: The VBA script within the file is likely trying to execute as soon as the file is opened.
trigger_Document_Open: The VBA script within the file is likely trying to execute as soon as the file is opened.
trigger_NewDocument: The VBA script within the file is likely trying to execute automatically when a new file is being created.
trigger_Workbook_Close: The VBA script within the file is likely trying to execute automatically when a Microsoft Excel workbook is closing.
trigger_Workbook_Open: The VBA script within the file is likely trying to execute automatically when a Microsoft Excel workbook is opening.
UserManagementImports: The file imports functions that can be used to change users on the local system. It can add, delete, or change key user details. Malware can use this capability to achieve persistence or to cause harm to the local system.
VirtualAllocImports: The file imports functions that are used to allocate memory in a running process. Malware does this to inject itself into a running process.

Shellcodes

These indicators represent situations where a small piece of code is used as the payload in the exploitation of a software vulnerability. It is called shellcode because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.
Indicator
Description
ApiHashing
The file contains a byte sequence that looks like shellcode resolving library APIs by hashing exported function names and comparing the hashes, so that no API name strings appear in the file.
BlackholeV2
The file looks like it might have come from the Blackhole exploit kit.
ComplexGotoEmbed
The file may be able to force a browser to go to an address or perform an action.
ComplexSuspiciousHeaderLocation
The PDF header is located at a non-zero offset which may indicate an attempt to prevent this file from being recognized as a PDF document.
EmbeddedTiff
The file may contain a crafted TIFF image with a NOP sled to facilitate exploitation.
EmbeddedXDP
The file likely contains another PDF as an XML Data Package (XDP).
FindKernel32Base1
The file contains a byte sequence that looks like shellcode locating the base address of kernel32.dll in memory, typically by reading the PEB and walking its loaded-module lists.
FindKernel32Base2
The file contains a byte sequence that looks like shellcode locating the base address of kernel32.dll in memory (a second variant of the technique).
FindKernel32Base3
The file contains a byte sequence that looks like shellcode locating the base address of kernel32.dll in memory (a third variant of the technique).
FunctionPrologSig
The file contains a byte sequence that is a typical function prolog, and likely contains shellcode.
GetEIP1
The file contains a byte sequence that looks like shellcode resolving its own address (for example with a call/pop sequence) so it can locate other things in memory and facilitate exploitation.
GetEIP4
The file contains a byte sequence that looks like shellcode resolving its own address (another variant of the technique) so it can locate other things in memory and facilitate exploitation.
IndirectFnCall1
The file contains a byte sequence that looks like an indirect function call, and is likely shellcode.
IndirectFnCall2
The file contains a byte sequence that looks like an indirect function call, and is likely shellcode.
IndirectFnCall3
The file contains a byte sequence that looks like an indirect function call, and is likely shellcode.
SehSig
The file contains a byte sequence that is typical for Structured Exception Handling (SEH), and likely contains shellcode.
StringLaunchActionBrowser
The file may be able to force a browser to go to an address or perform an action.
StringLaunchActionShell
The file may be able to execute shell actions.
StringSingExploit
The file might contain an exploit.

Miscellaneous indicators

This section lists the indicators that do not fit into the other categories.
Indicator
Description
AutoitFileOperations
The AutoIt script can perform multiple actions on files. This may be used for information gathering, persistence, or destruction.
AutorunString
The file has the capability to achieve persistence by using autorun mechanism(s).
CodepageLookupImports
The file imports functions used to look up the code page or locale of the running system. Malware uses this to determine which country or region a system is in, so it can target (or avoid) particular groups.
MutexImports
The file imports functions to create and manipulate mutex objects. Malware frequently uses mutexes to avoid infecting a system multiple times.
OpenSSLStatic
The file contains a statically linked copy of OpenSSL built to be inconspicuous. Malware does this to include cryptographic functionality without leaving obvious evidence of it, such as recognizable version strings.
PListString
The file has the capability to interact with property lists that are used by the operating system. This may be used to achieve persistence or to subvert various processes.
PrivEscalationCryptBase
The file shows evidence of a privilege-escalation technique that abuses CryptBase (cryptbase.dll). Malware uses this to gain higher privileges on the affected system.
ShellCommandString
The file has the capability to use sensitive shell commands for reconnaissance, elevation of privilege, or data destruction.
SystemCallSuspicious
The file has the capability to monitor or control system and other processes, performing debug-like actions.