Threat indicators

The file utilizes the 16-bit subsystem. Malware uses this to exist in a less secure and less monitored part of the operating system, and frequently to perform privilege escalation attacks.

This PE appears to be lying about when it was written, which is atypical for professionally written software.

This PE has some extra content appended to it, beyond the normal areas of the file. Appended data can frequently be used to embed malicious code or data, and is frequently overlooked by protection systems.

The AutoIt script is capable of performing debug activities.

The AutoIt script uses many external DLL calls. The AutoIt runtime already has many common functions, therefore using additional functionality from external DLLs may be a sign of maliciousness.

The AutoIt script creates synchronization objects. This is often used by malware to prevent multiple infections of the same target.

The AutoIt script is likely performing process carving to run its own code that appears to come from another process. This is often done to hinder detection.

The AutoIt script is likely performing process injection to run code in other processes' context possibly to stay undetected or to steal data.

The AutoIt script writes into the

Windows

registry.

The file contains evidence of usage of Base64 encoding of an alphabet. Malware does this to attempt to avoid common detection, or to attack other programs using Base64 encoding.

The file imports functions that can be used to read arguments from a command line. Malware uses this to collect information on subsequent runs.

The file contains multiple streams with multiple filters.

The file  contains an anomalously high number of obfuscated names.

The file uses EmbeddedFiles features from newer versions of the PDF standard than the file declares.

The file uses the FlateDecode feature from newer versions of the PDF standard than the file declares.

The file uses the JBIG2Decode feature from newer versions of the PDF standard than the file declares.

The file uses

JavaScript

features from newer versions of the PDF standard than the file declares.

The file uses XFA features from newer versions of the PDF standard than the file declares.

The file uses XOBject features from newer versions of the PDF standard than the file declares.

The file contains flash objects.

The file contains embedded executable files.

The file contains U3D objects.

The file uses an invalid or unrecognized locale, possibly to avoid detection.

The file metadata is obviously bogus or corrupt.

The file structure is not valid. The sizes, metadata, or internal sector allocation table is wrong, which may indicate an exploit.

The file demonstrates an inconsistency in its manifest. Malware does this to avoid detection, but rarely covers its tracks deeply.

This PE is a DLL with a nontrivial entry point. This is common among DLLs, but a malicious DLL may use its entry point to take up residence in a process.

Some strings within the file contain null characters in the middle.

The file contains an anomalously high number of null values in arrays.

The file contains an anomalously high number of arrays containing different types of elements.

The file contains an anomalously high number of email links (mailto:).

The file has an unusual structure of page objects, such as a high number of child-page objects per node.

The file may attempt to obfuscate its contents by using long encoded strings.

The file contains an anomalously high minimum length of an escaped name.

The file may attempt to obfuscate its contents by storing much of its content in encoded strings.

The file contains an anomalously high number of names escaped with uppercase hexadecimal characters.

The file contains an anomalously high number of valid escaped names.

The file contains an anomalously high maximum number of escaped characters per single name.

The file contains an anomalously high number of unnecessarily escaped names.

The file contains an anomalously high number of numbers that start with 8 in decimal representation.

The file contains an anomalously high number of numbers with explicit plus sign.

The file contains an anomalously high maximum length of a real number.

The file contains an anomalously high number of child-page objects.

The file contains an anomalously high number of page objects.

The file contains an anomalously long end-of-file sequence(s).

The file contains an anomalously high number of strings escaped with lowercase hexadecimal digits.

The file contains an anomalously high maximum length of a literal string.

The file contains an anomalously high number of octal escaped characters in strings that are unnecessarily zero-padded.

The file contains an anomalously large spread between trailer objects.

The file contains an anomalously high maximum length for a comment.

The file contains unusual short comments that are not used by reader software.

The file contains an unusually large amount of commented-out data.

The file contains an anomalously high number of short end-of-line characters.

The file contains an anomalously high number of zero-bytes used as whitespace.

The file contains an anomalously high number of 09 bytes used as whitespace.

The file contains an anomalously long whitespace area.

The file contains an anomalously high number of whitespaces.

The file contains an anomalously high number of U3D objects.

The file contains evidence of having a standard

Windows

batch file included. Malware does this to avoid common scanning techniques and to provide persistence.

The file shows evidence of including some components from DinkumWare. Dinkumware is frequently used in various malware components.

The file contains suspicious OOXML properties.

The file imports functions used to raise exceptions within a program. Malware does this to implement tactics that make standard dynamic code analysis difficult to follow.

The file violates the specification in terms of the use of reserved fields.

The file contains an anomaly in the resource section. Malware frequently contains malformed or other odd bits in the resource section of a DLL.

This PE may contain modifiable code, which is at best unorthodox and at worst symptomatic of a virus infection. Frequently, this feature implies that the file has been built using something other than a standard compiler, or has been modified after it was originally built.

The file contains structural oddities with OLE sector allocation.

One of the references to a string in a string table pointed to a negative offset.

A string table was not terminated with a null byte. This could cause a fault at runtime due to a string that does not end.

One of the references to a string in a string table pointed to a location after the end of a file.

This PE is hiding something in its "pdata" area, but it is not clear what it is. The "pdata" area in a PE file is generally used for process runtime structures, but this particular file contains something else.

This PE is hiding something in its "relocations" area, but it is not clear what it is. The "relocations" area in a PE file is generally used for relocating particular symbols, but this particular file contains something else.

The file contains OLE directory names associated with badness.

The file has oddities in the OLE directory structure.

The file uses suspicious embedding of OLE.

The file contains suspicious VBA code.

The file shows suspicious VBA library usage.

The file contains suspicious names associated with VBA structures.

The file contains suspicious VBA versioning.

The file contains certain questionable usages of embedded SWF.

The file is so malformed that it could not be parsed completely.

The file has issues with how it presents its version information. Malware does this to avoid detection.

The file contains evidence of an intent to read passwords stored in browser caches. Malware uses this to collect the passwords for exfiltration.

The file contains evidence of interaction with a credential provider, or the desire to appear as one. Malware does this because credential providers get access to many types of sensitive data, such as usernames and passwords, and by acting as one, they may be able to subvert the authentication integrity.

The file imports functions that are used to gather information about the currently logged-in user. Malware uses this to determine paths of action to escalate privileges and to better tailor attacks.

The file imports functions that are used to output debug strings. Typically, this is disabled in production software, but left on in malware that is being tested.

The file imports functions that can be used to gather details about volumes on the system. Malware uses this in conjunction with listing to determine facts about the volumes in preparation for a further attack.

The file imports functions that are used to list files. Malware uses this to look for sensitive data, or to find further points of attack.

The file imports functions that can be used to list all of the DLLs that a running process uses. Malware uses this capability to locate and target specific libraries for loading into a process, and to map out a process it wishes to inject into.

The file demonstrates evidence of a capability to attempt to enumerate connected networks and network adapters. Malware will do this to determine where a target system lies in relation to others, and to look for possible lateral paths.

The file imports functions that can be used to list all of the running processes on a system. Malware used this capability to locate processes to inject into or those that it wishes to delete.

The file imports functions that can be used to list the volumes on the system. Malware uses this to find all of the areas it might need to search for data, or to spread an infection.

The file imports functions that are used to access Gina. Malware does this to attempt to breach the secure ctrl-alt-delete password entry system or other network login functions.

The file imports functions that are used to gather information about host names on the network and the host name of the machine itself. Malware uses this capability to better target further attacks or scan for new targets.

The file imports functions that can capture and log keystrokes from the keyboard. Malware uses this to capture and save keystrokes to find sensitive information such as passwords.

The file imports functions that are used to gather information about the current operating system. Malware uses this to determine how to better tailor further attacks and to report information back to a controller.

The file contains evidence of key-logger type activity. Malware uses keyloggers to collect sensitive information from the keyboard.

The file has evidence of including common passwords, or a structure that would enable brute forcing common passwords. Malware uses this to attempt to penetrate a network further by accessing other resources via password.

The file imports functions that can be used to determine details about the processor. Malware uses this to tailor attacks and exfiltrate this data to common command-and-control infrastructure.

The file shows evidence of interacting with the Remote Desktop Protocol (RDP). Malware frequently uses this to move laterally and to offer direct command-and-control functionality.

The file is possibly spying on the clipboard or user actions via accessibility API usage.

The file imports functions used to locate the system directory. Malware does this to find where many of the installed system binaries are located, as it frequently hides among them.

The file imports functions that are used to gather information about the environment of the current logged-in user. Malware uses this to determine details about the logged-in user and look for other intelligence that can be gleaned from the environment variables.

The file implements a non-standard method of networking. Malware does this to avoid detection of more common networking approaches.

The file has the capability to enumerate or install browser plugins.

The file contains evidence of attempting to create a custom UserAgent string. Malware frequently uses common UserAgent strings to avoid detection in outgoing requests.

The file imports functions that can be used to download files to the system. Malware uses this as both a way to further stage an attack and to exfiltrate data via the outbound URL.

The file imports functions used to modify the local

Windows

firewall. Malware uses this to open holes and avoid detection.

The file contains evidence of the creation of other custom HTTP headers. Malware does this to facilitate interactions with command-and-control infrastructures and to avoid detection.

The file contains evidence of interaction with an IRC server. Malware commonly uses IRC to facilitate a command-and-control infrastructure.

The file imports functions that can be used to read memory from a running process. Malware uses this to determine proper places to insert itself, or to extract useful information from the memory of a running process, such as passwords, credit cards, or other sensitive information.

The file imports functions that can be used to send data out to the network or the general Internet. Malware uses this as a method for exfiltration of data or as a method for command and control.

The file imports functions that allow the manipulation of named pipes. Malware uses this as a method of communication and of data exfiltration.

The file imports functions that allow it to interact with Remote Procedure Call (RPC) infrastructure. Malware uses this to spread, or to send data to remote systems for exfiltration.

The file contains an additional, obfuscated PE header that may be a hidden malicious payload.

The file contains an additional, obfuscated reference to kernel32.dll, a library that may be used by malicious payload.

The file contains an additional, obfuscated reference to mscoree.dll, a library that may be used by malicious payload.

The file contains an additional, obfuscated reference to msvbvm, a library that may be used by malicious payload compiled for

Microsoft Visual Basic

6.

The file demonstrates features that can be used to determine if the process is running in a virtual machine. Malware does this to avoid running in virtualized sandboxes that are becoming more common.

The AutoIt script can download and execute files. This is often done to deliver additional malicious payloads.

The AutoIt script is likely obfuscated with string concatenation. This is often done to avoid detection of whole, suspicious commands.

The AutoIt script uses the CallWindowProc()

Windows

API function that may indicate the injection of shellcode.

The AutoIt script uses data from resources stored alongside the script. Malware often stores important parts of itself as resource data and unpacks them in runtime, and therefore this looks suspicious.

The file shows evidence of containing a CAB file. Malware does this to package sensitive components in a way that many detection systems cannot see.

The file contains a reference to kernel32.dll, a library that may be used by a malicious payload.

The file contains a reference to mscoree.dll, a library that may be used by a malicious payload.

The file contains a reference to msvbvm.dll, a library that may be used by malicious payload compiled for

Microsoft Visual Basic

6.

The file declares the wrong PDF version.

The file may contain

JavaScript

code hidden in literal strings.

The file contains a document embedded inside the object. Malware can use this to spread an attack to multiple sources or to otherwise hide its true form.

The file contains evidence of having an embedded cryptographic key. Malware does this to avoid detection and perhaps as authentication with remote services.

The file imports functions that would allow it to act like a debugger. Malware uses this capability to read and write from other processes.

The PE has additional PEs within it, which is usually only the case with software installation programs. Frequently malware embeds a PE file that it then drops to disk and executes. This technique is often used to avoid protection scanners by packaging binaries in a format that the underlying scanning technology does not understand.

The PE contains an obfuscated PE DOS stub that may belong to a hidden malicious payload.

The PE contains an obfuscated PE DOS stub that may belong to a hidden malicious payload.

The PE has additional PEs hidden within it, which is extremely suspicious. It is similar to the EmbeddedPE indicator, but uses an encoding scheme to attempt to further hide the binary inside the object.

The PE contains evidence of the capability to execute a DLL using common methods. Malware does this as a method to avoid common detection practices.

The PE claims to be written by

Microsoft

, but it does not look like a

Microsoft

PE. Malware commonly masquerades as

Microsoft

PEs in order to look inconspicuous.

The file has another MachO executable file within, which is not properly declared. This may be an attempt to hide the payload from being easily detected.

The file contains evidence of manipulation of the browser UserAgent. Malware does this to facilitate interactions with command-and-control and to avoid detection.

The PE can inject code into other processes. This capability frequently implies that a process is attempting to be deceptive or hostile in some way.

The PE appears to run invisibly, but it is not a background service. It might be designed to remain hidden.

The file contains unusually suspicious

JavaScript

.

The file shows evidence of interacting with the core

Windows

certificate store. Malware does this to collect credentials and to insert rogue keys into the stream to facilitate actions such as man-in-the-middle attacks.

The file imports functions to use the core

Windows

cryptography library. Malware will use this to leverage the locally installed cryptography so it does not need to carry around its own cryptography.

The file may attempt path traversal using relative paths such as "../".

The file may contain obfuscated

JavaScript

or can run dynamically loaded

JavaScript

with eval().

The file may contain obfuscated

JavaScript

.

The file contains an anomalously high number of individual

JavaScript

scripts.

The file contains an unusually high number of

JavaScript

-related streams.

The file contains an anomalously high number of

JavaScript

tokens.

The file contains an anomalously high number of

JavaScript

tokens.

The file contains an anomalously high number of suspicious names.

The file contains an anomalously high number of obfuscated names.

The file contains embedded PE file(s).

The file contains an SWF object with an unusual version number.

The file contains an SWF object with unusual compression parameters.

The file contains an SWF object with unusual compression flag parameters.

The file contains a DOS stub, indicative of PE file inclusion.

The file contains a DOS stub, indicative of PE file inclusion.

The file contains PE file header data that does not belong in the file structure.

The file contains a PE file that does not belong in the file structure.

The file contains a PE file that does not belong in the file structure.

The file seems to be looking for common protection systems. Malware does this to initiate an anti-protection action tailored to that installed on the system.

A segment has either an invalid string as a name or an unusual non-standard name. This may indicate post-compilation tampering or use of packers or obfuscators.

The segment size is significantly different from the size of all content sections within. This may indicate the use of an unreferenced area or the reservation of space for runtime unpacking of malicious code.

The file seems to be a self-extracting archive. Malware frequently uses this tactic to obfuscate their true intentions.

The file seems to be a service DLL. Service DLL’s are loaded in the svchost.exe process and are a common persistence methodology for malware.

The file contains suspicious JS tokens.

The file contains a Shockwave flash object that does not belong in the document structure.

The file imports functions used to access and manipulate temporary files. Malware does this because temporary files tend to avoid detection.

The file seems to have portions of the code that appear to be compressed. Malware uses these techniques to avoid detection.

The file imports functions that are used to modify the memory of a running process. Malware does this to inject itself into running processes.

The file contains an xor-obfuscated PE header that may be a hidden malicious payload.

The file contains an xor-obfuscated reference to kernel32.dll, a library that may be used by a malicious payload.

The file contains an xor-obfuscated reference to mscoree.dll, a library that may be used by a malicious payload.

The file contains an xor-obfuscated reference to msvbvm.dll, a library that may be used by a malicious payload compiled for

Microsoft Visual Basic

6.

The VBA script within the document is likely writing bytes to a file, which is an unusual action for a legitimate document.

The VBA script within the file is likely using hexadecimal-to-binary conversion that may indicate decoding a hidden malicious payload.

The file contains a link that does not belong in the file structure.

The file contains suspicious data outside of the file structure that may be indicative of an exploit.

The file contains a macro script that does not belong in the file structure.

The file contains a nop-sled that does not belong in the file structure; this is almost certainly there to facilitate exploitation.

The file attempts to interact with common methods of persistence (for example, startup scripts). Malware commonly uses these tactics to attain persistence.

The file has capabilities to kill processes or shut down the machine via shell commands.

The PE imports functions that can be used to delete files or directories. Malware uses this to break systems and cover its tracks.

The file likely contains heap spray code.

The file demonstrates evidence of a desire to lock out common tools by policy. Malware will do this to retain persistence and make detection and cleanup more difficult.

The file imports functions that are used to manipulate the

Windows

registry. Malware does this to attain persistence, avoid detection, and for many other reasons.

The PE might attempt to read files to which it has not been granted access. The SeBackup privilege allows access to files without honoring access controls. It is frequently used by programs that handle backups and is frequently limited to administrative users, but it can be used maliciously to gain access to specific elements that might otherwise be difficult to access.

The PE might attempt to tamper with system processes. The SeDebug Privilege is used to access processes other than your own and is frequently limited to administrative users. It is often paired with reading and writing to other processes.

The PE might attempt to change or delete files to which it has not been granted access. The SeRestore privilege allows writing without consideration of access control.

The file imports functions that can control

Windows

services on the current system. Malware uses this either to launch itself into the background via installing as a service, or to disable other services that may have a protective function.

The file contains an unmodified version of skylined heap spray code.

The PE imports functions that can be used to spawn another process. Malware uses this to launch subsequent phases of an infection, typically downloaded from the Internet.

The file contains

JavaScript

code that is likely capable of exploitation.

The file contains

JavaScript

obfuscation tokens.

The file imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection systems, or to cause damage to a running system.

The VBA script within the file is likely trying to execute automatically when the file is closing.

The VBA script within the file is likely trying to execute automatically when the file is closing.

The VBA script within the file is likely trying to execute automatically.

The VBA script within the file is likely trying to execute automatically when the document is closing.

The VBA script within the file is likely trying to execute automatically when a new document is being created.

The VBA script within the file is likely trying to execute as soon as the file is opened.

The VBA script within the file is likely trying to execute as soon as the file is opened.

The VBA script within the file is likely trying to execute automatically just before the file closes.

The VBA script within the file is likely trying to execute automatically when the file is being changed.

The VBA script within the file is likely trying to execute automatically when the file is closing.

The VBA script within the file is likely trying to execute automatically when a new file is being created.

The VBA script within the file is likely trying to execute as soon as the file is opened.

The VBA script within the file is likely trying to execute as soon as the file is opened.

The VBA script within the file is likely trying to execute automatically when a new file is being created.

The VBA script within the file is likely trying to execute automatically when a

Microsoft Excel

workbook is closing.

The VBA script within the file is likely trying to execute automatically when a

Microsoft Excel

workbook is opening.

The file imports functions that can be used to change users on the local system. It can add, delete, or change key user details. Malware can use this capability to achieve persistence or to cause harm to the local system.

The file imports functions that are used to create memory in a running process. Malware does this to inject itself into a running process.

The file contains a byte sequence that looks like shellcode that tries to stealthily find library APIs loaded in memory.

The file looks like it might have come from the Blackhole exploit kit.

The file may be able to force a browser to go to an address or perform an action.

The PDF header is located at a non-zero offset which may indicate an attempt to prevent this file from being recognized as a PDF document.

The file may contain a crafted TIFF image with nop-sled to facilitate exploitation.

The file likely contains another PDF as an XML Data Package (XDP).

The file contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory.

The file contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory.

The file contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory.

The file contains a byte sequence that is a typical function prolog, and likely contains shellcode.

The file contains a byte sequence that looks like a shellcode that resolves its own address to locate other things in memory and facilitate exploitation.

The file contains a byte sequence that looks like a shellcode that resolves its own address to locate other things in memory and facilitate exploitation.

The file contains a byte sequence that looks like an indirect function call, and is likely shellcode.

The file contains a byte sequence that looks like an indirect function call, and is likely shellcode.

The file contains a byte sequence that looks like an indirect function call, and is likely shellcode.

The file contains a byte sequence that is typical for Structured Exception Handling (SEH), and likely contains shellcode.

The file may be able to force a browser to go to an address or perform an action.

The file may be able to execute shell actions.

The file might contain an exploit.

The AutoIt script can perform multiple actions on files. This may be used for information gathering, persistence, or destruction.

The file has the capability to achieve persistence by using autorun mechanism(s).

The file imports functions used to look up the codepage (location) of a running system. Malware uses this to differentiate which country/region a system is running in to better target particular groups.

The file imports functions to create and manipulate mutex objects. Malware frequently uses mutexes to avoid infecting a system multiple times.

The file contains a version of

OpenSSL

compiled to appear stealthy. Malware does this to include cryptography functionality without leaving strong evidence of it.

The file has the capability to interact with property lists that are used by the operating system. This may be used to achieve persistence or to subvert various processes.

The file shows evidence of attempting to use a privilege escalation using CryptBase. Malware uses this to gain more privileges on the affected system.

The file has the capability to use sensitive shell commands for reconnaissance, elevation of privilege, or data destruction.

The file has the capability to monitor or control system and other processes, performing debug-like actions.