Threat indicators
Anomalies
These indicators represent situations where the object has elements that are inconsistent or anomalous in some way. Frequently these are inconsistencies in structural elements in the file.
Item | Description |
---|---|
16bitSubsystem | This object utilizes the 16-bit subsystem. Malware uses this to exist in a less secure and less monitored part of the operating system, and frequently to perform privilege escalation attacks. |
Anachronism | This PE appears to be lying about when it was written, which is atypical for professionally written software. |
AppendedData | This PE has some extra content appended to it, beyond the normal areas of the file. Appended data can frequently be used to embed malicious code or data and is frequently overlooked by protection systems. |
AutoitDbgPrivilege | AutoIt script is capable of performing debug activities. |
AutoitManyDllCalls | AutoIt script uses many external DLL calls. AutoIt runtime already has many common functions, therefore using additional functionality from external DLLs may be a sign of maliciousness. |
AutoitMutex | AutoIt script creates synchronization objects. This is often used by malware to prevent multiple infection of the same target. |
AutoitProcessCarving | AutoIt script is likely performing process carving to run code that appears to come from another process. This is often done to hinder detection. |
AutoitProcessInjection | AutoIt script is likely performing process injection to run code in other processes context to possibly stay undetected or steal data. |
AutoitRegWrite | AutoIt script writes into the Windows registry. |
Base64Alphabet | This object contains evidence of a Base64 alphabet, i.e. usage of Base64 encoding. Malware does this to attempt to avoid common detection, or to attack other programs using Base64 encoding. |
CommandlineArgsImport | This sample imports functions that can be used to read arguments from a command line. Malware uses this to collect information on subsequent runs. |
ComplexMultipeFilters | The document contains multiple streams with multiple filters. |
ComplexObfuscatedEncoding | The document contains an anomalously high number of obfuscated names. |
ComplexUnsupportedVersionEmbeddedFiles | The document uses EmbeddedFiles features from newer versions of the PDF standard than the document declares. |
ComplexUnsupportedVersionFlate | The document uses the FlateDecode feature from newer versions of the PDF standard than the document declares. |
ComplexUnsupportedVersionJbig2 | The document uses the JBIG2Decode feature from newer versions of the PDF standard than the document declares. |
ComplexUnsupportedVersionJs | The document uses JavaScript features from newer versions of the PDF standard than the document declares. |
ComplexUnsupportedVersionXFA | The document uses XFA features from newer versions of the PDF standard than the document declares. |
ComplexUnsupportedVersionXobject | The document uses XObject features from newer versions of the PDF standard than the document declares. |
ContainsFlash | The document contains flash objects. |
ContainsPE | Indicates embedded executable files. |
ContainsU3D | The document contains U3D objects. |
InvalidCodePageUsed | The document uses an invalid or unrecognized locale, possibly to avoid detection. |
InvalidData | The document metadata is obviously bogus or corrupt. |
InvalidStructure | The document structure is not valid - sizes, metadata, or internal sector allocation table is wrong. May be indicative of an exploit. |
ManifextMismatch | This object demonstrates an inconsistency in its manifest. Malware does this to avoid detection, but rarely covers its tracks deeply. |
NontrivialDLLEP | This PE is a DLL with a nontrivial entry point. This is common among DLLs, but a malicious DLL may use its entry point to take up residence in a process. |
NullValuesInStrings | Some strings within the document contain null-characters in the middle. |
PDFParserArraysContainsNullCount | The document contains an anomalously high number of Null values in arrays. |
PDFParserArraysHeterogeneousCount | The document contains an anomalously high number of arrays containing different types of elements. |
PDFParserMailtoURICount | The document contains an anomalously high number of email links (mailto:). |
PDFParserMinPageCount | The document has an unusual structure of page objects - a high number of child page objects per node. |
PDFParserNamesPoundNameMaxLength | The document may attempt to obfuscate its contents by using long encoded strings. |
PDFParserNamesPoundNameMinLength | The document contains an anomalously high minimal length of an escaped name. |
PDFParserNamesPoundNameTotalLength | The document may attempt to obfuscate its contents by storing much of its content in encoded strings. |
PDFParserNamesPoundNameUpperCount | The document contains an anomalously high number of names escaped with uppercase hexadecimal characters. |
PDFParserNamesPoundNameValidCount | The document contains an anomalously high number of valid escaped names. |
PDFParserNamesPoundPerNameMaxCount | The document contains an anomalously high maximum number of escaped characters per single name. |
PDFParserNamesPoundUnnecessaryCount | The document contains an anomalously high number of unnecessarily escaped names. |
PDFParserNumbersLeadingDigitTallies8 | The document contains an anomalously high number of numbers that start with 8 in decimal representation. |
PDFParserNumbersPlusCount | The document contains an anomalously high number of numbers with explicit plus sign. |
PDFParserNumbersRealMaxRawLength | The document contains an anomalously high maximum length of a real number. |
PDFParserPageCounts | The document contains an anomalously high number of child page objects. |
PDFParserPageObjectCount | The document contains an anomalously high number of page objects. |
PDFParserSizeEOF | The document contains an anomalously long end of file sequence(s). |
PDFParserStringsHexLowerCount | The document contains an anomalously high number of strings escaped with lowercase hexadecimal digits. |
PDFParserStringsLiteralStringMaxLength | The document contains an anomalously high maximum length of a literal string. |
PDFParserStringsOctalZeroPaddedCount | The document contains an anomalously high number of octal escaped characters in strings that are unnecessarily zero-padded. |
PDFParserTrailerSpread | The document contains an anomalously large spread between trailer objects. |
PDFParserWhitespaceCommentMaxLength | The document contains an anomalously high maximum length of a comment. |
PDFParserWhitespaceCommentMinLength | The document contains unusually short comments that are not used by reader software. |
PDFParserWhitespaceCommentTotalLength | The document contains an unusually large amount of commented-out data. |
PDFParserWhitespaceEOL0ACount | The document contains an anomalously high number of short end-of-line characters. |
PDFParserWhitespaceWhitespace00Count | The document contains an anomalously high number of zero bytes used as whitespace. |
PDFParserWhitespaceWhitespace09Count | The document contains an anomalously high number of 0x09 (tab) bytes used as whitespace. |
PDFParserWhitespaceWhitespaceLongestRun | The document contains an anomalously long whitespace area. |
PDFParserWhitespaceWhitespaceTotalLength | The document contains an anomalously high amount of whitespace. |
PDFParseru3DObjectsNamesAllNames | The document contains an anomalously high number of U3D objects. |
PossibleBAT | This object contains evidence of having a standard Windows batch file included. Malware does this to avoid common scanning techniques and to provide persistence. |
PossibleDinkumware | This object shows evidence of including some components from DinkumWare. Dinkumware is frequently used in various malware components. |
PropertyImpropriety | Reports suspicious OOXML properties. |
RaiseExceptionImports | This object imports functions used to raise exceptions within a program. Malware does this to implement tactics that make standard dynamic code analysis difficult to follow. |
ReservedFieldsViolation | Document violates specification in terms of reserved fields usage. |
ResourceAnomaly | This object contains an anomaly in the resource section. Malware frequently contains malformed or other odd bits in the resource section of a DLL. |
RWXSection | This PE may contain modifiable code, which is at best unorthodox and at worst symptomatic of a virus infection. Frequently, this feature implies that the object has been built using something other than a standard compiler, or has been modified after it was originally built. |
SectorMalfeasance | Reports structural oddities with OLE sector allocation. |
StringInvalid | One of the references to a string in a string table pointed to a negative offset. |
StringTableNotTerminated | A string table was not terminated with a null byte. This could cause a fault at runtime due to a string that does not end. |
StringTruncated | One of the references to a string in a string table pointed after end of file. |
SuspiciousPDataSection | This PE is hiding something in its "pdata" area, and we're not sure what. The pdata section in a PE file is generally used for process runtime structures, but this particular object contains something else. |
SuspiciousRelocSection | This PE is hiding something in its "relocations" area, and we're not sure what. The relocations area in a PE file is generally used for relocating particular symbols, but this particular object contains something else. |
SuspiciousDirectoryNames | OLE directory names associated with badness. |
SuspiciousDirectoryStructure | Reports oddities in the OLE directory structure. |
SuspiciousEmbedding | Reports suspicious embedding of OLE. |
SuspiciousVBA | Reports suspicious VBA code. |
SuspiciousVBALib | Reports suspicious VBA library usage. |
SuspiciousVBANames | Reports suspicious names associated with VBA structures. |
SuspiciousVBAVersion | Reports suspicious VBA versioning. |
SWFOddity | Reports certain usages of embedded SWF. |
TooMalformedToProcess | Document is so malformed that it could not be parsed completely. |
VersionAnomaly | This object has issues with how it presents its version information. Malware does this to avoid detection. |
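Three of the PE structural indicators above (Anachronism, AppendedData and RWXSection) can be approximated from the PE headers alone. The following stdlib-only Python is an added example, not the vendor's detection logic: the future-timestamp slack, the treatment of a zero timestamp, and the minimal test image that `build_sample_pe` constructs are this example's own assumptions.

```python
import struct
import time

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe_headers(data):
    """Return (TimeDateStamp, [section dicts]) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "raw_ptr": raw_ptr,
            "characteristics": chars,
        })
    return timestamp, sections


def pe_indicators(data, now=None, slack_seconds=86400):
    """Return the set of indicator names that fire on this PE image.

    The thresholds here are this example's assumptions, not the vendor's rules."""
    now = time.time() if now is None else now
    timestamp, sections = parse_pe_headers(data)
    found = set()
    # Anachronism: a zero or future compile timestamp is not what a normal build produces.
    if timestamp == 0 or timestamp > now + slack_seconds:
        found.add("Anachronism")
    # AppendedData: bytes on disk past the end of the last section's raw data.
    end_of_image = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    if len(data) > end_of_image:
        found.add("AppendedData")
    # RWXSection: any section flagged both writable and executable.
    rwx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    if any(s["characteristics"] & rwx == rwx for s in sections):
        found.add("RWXSection")
    return found


def build_sample_pe(timestamp, sections, appended=b""):
    """Construct a minimal, non-loadable PE image for testing (constructed sample data).

    sections: list of (name_bytes, raw_bytes, characteristics)."""
    header_len = 64 + 4 + 20 + 40 * len(sections)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, body, ptr = b"", b"", header_len
    for name, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), 0x1000,
                             len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + table + body + appended


if __name__ == "__main__":
    sample = build_sample_pe(
        1_700_000_000,
        [(b".text", b"\xc3" * 16, 0x60000020),   # code, read, execute
         (b".data", b"\0" * 8, 0xE0000040)],     # data, read, write, execute (RWX)
        appended=b"trailing payload",
    )
    print(sorted(pe_indicators(sample, now=1_600_000_000)))
```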
Collection
These indicators represent situations where the object has elements that indicate capabilities or evidence of collecting data. This can include enumeration of system configuration or collection of specific sensitive information.
Item | Description |
---|---|
BrowserInfoTheft | This object contains evidence of an intent to read passwords stored in browser caches. Malware uses this to collect the passwords for exfiltration. |
CredentialProvider | This object contains evidence of interaction with a credential provider, or the desire to appear as one. Malware does this as credential providers get access to many types of sensitive data, such as usernames and passwords, and by acting as one they may be able to subvert the authentication integrity. |
CurrentUserInfoImports | This object imports functions that are used to gather information about the currently logged in user. Malware uses this to determine paths of action to escalate privileges and to better tailor attacks. |
DebugStringImports | This object imports functions that are used to output debug strings. Typically this is disabled in production software, but left on in malware that is being tested. |
DiskInfoImports | This object imports functions that can be used to gather details about volumes on the system. Malware uses this in conjunction with listing to determine facts about the volumes in preparation for a further attack. |
EnumerateFileImports | This object imports functions that are used to list files. Malware uses this to look for sensitive data, or to find further points of attack. |
EnumerateModuleImports | This object imports functions that can be used to list all of the DLLs a running process uses. Malware uses this capability to locate and target specific libraries for loading into a process, and to map out a process it wishes to inject into. |
EnumerateNetwork | This object demonstrates evidence of a capability to attempt to enumerate connected networks and network adapters. Malware will do this to determine where a target system lies in relation to others, and to look for possible lateral paths. |
EnumerateProcessImports | This object imports functions that can be used to list all of the running processes on a system. Malware uses this capability to locate processes to inject into or those that it wishes to delete. |
EnumerateVolumeImports | This object imports functions that can be used to list the volumes on the system. Malware uses this to find all of the areas it might need to search for data, or to spread an infection. |
GinaImports | This object imports functions that are used to access GINA (Graphical Identification and Authentication). Malware does this to attempt to breach the secure Ctrl-Alt-Delete password entry system or other network login functions. |
HostnameSearchImports | This object imports functions that are used to gather information about hostnames on the network and the hostname of the machine itself. Malware uses this capability to better target further attacks or scan for new targets. |
KeystrokeLogImports | This object imports functions that can capture and log keystrokes from the keyboard. Malware uses this to capture and save keystrokes to find sensitive information such as passwords. |
OSInfoImports | This object imports functions that are used to gather information about the current operating system. Malware uses this to determine how to better tailor further attacks and to report information back to a controller. |
PossibleKeylogger | This object contains evidence of keylogger type activity. Malware uses keyloggers to collect sensitive information from the keyboard. |
PossiblePasswords | This object has evidence of including common passwords, or structure that would enable brute forcing common passwords. Malware uses this to attempt to further penetrate a network by accessing other resources via password. |
ProcessorInfoWMI | This object imports functions that can be used to determine details about the processor. Malware uses this to tailor attacks and exfiltrate this data to common command and control infrastructure. |
RDPUsage | This object shows evidence of interacting with the Remote Desktop Protocol (RDP). Malware frequently uses this to move laterally and to offer direct command and control functionality. |
SpyString | Indicates possible spying on clipboard or user actions via accessibility API usage. |
SystemDirImports | This object imports functions used to locate the system directory. Malware does this to find where many of the installed system binaries are located, as it frequently hides among them. |
UserEnvInfoImports | This object imports functions that are used to gather information about the environment of the current logged in user. Malware uses this to determine details about the logged in user and look for other intelligence that can be gleaned from the environment variables. |
Data loss
These indicators represent situations where the object has elements that indicate capabilities or evidence of exfiltration of data. This can include outgoing network connections, evidence of acting as a browser, or other network communications.
Item | Description |
---|---|
AbnormalNetworkActivity | This object implements a non-standard method of networking. Malware does this to avoid detection of more common networking approaches. |
BrowserPluginString | Indicates capability to enumerate or install browser plugins. |
ContainsBrowserString | This object contains evidence of attempting to create a custom UserAgent string. Malware frequently uses common UserAgent strings to avoid detection in outgoing requests. |
DownloadFileImports | This object imports functions that can be used to download files to the system. Malware uses this as both a way to further stage an attack and to exfiltrate data via the outbound URL. |
FirewallModifyImports | This object imports functions used to modify the local Windows firewall. Malware uses this to open holes and avoid detection. |
HTTPCustomHeaders | This object contains evidence of the creation of other custom HTTP headers. Malware does this to facilitate interactions with command and control infrastructures and to avoid detection. |
IRCCommands | This object contains evidence of interaction with an IRC server. Malware commonly uses IRC to facilitate a command and control infrastructure. |
MemoryExfiltrationImports | This object imports functions that can be used to read memory from a running process. Malware uses this to determine proper places to insert itself, or to extract useful information from a running process’s memory, like passwords, credit cards, or other sensitive information. |
NetworkOutboundImports | This object imports functions that can be used to send data out to the network or the general internet. Malware uses this as a method for exfiltration of data or as a method for command and control. |
PipeUsage | This object imports functions that allow the manipulation of named pipes. Malware uses this as a method of communication, and of data exfiltration. |
RPCUsage | This object imports functions that allow it to interact with Remote Procedure Call (RPC) infrastructure. Malware uses this to spread, or to send data to remote systems for exfiltration. |
Deception
These indicators represent situations where the object has elements that indicate capabilities or evidence of an object attempting to be deceptive. Deception can come in the form of hidden sections, inclusion of code to avoid detection, or indications that it is labeled improperly in metadata or other sections.
Item | Description |
---|---|
AddedHeader | Document contains an add-obfuscated PE header that may be a hidden malicious payload. |
AddedKernel32 | Document contains an add-obfuscated reference to kernel32.dll – a library that may be used by malicious payload. |
AddedMscoree | Document contains an add-obfuscated reference to mscoree.dll – a library that may be used by malicious payload. |
AddedMsvbvm | Document contains an add-obfuscated reference to msvbvm – a library that may be used by malicious payload compiled for VB6. |
AntiVM | This object demonstrates features that can be used to determine if the process is running in a virtual machine. Malware does this to avoid running in virtualized sandboxes that are becoming more common. |
AutoitDownloadExecute | AutoIt script is capable of downloading and executing files. This is often done to deliver additional malicious payloads. |
AutoitObfuscationStringConcat | AutoIt script is likely obfuscated with string concatenation. This is often done to avoid detection of (whole) suspicious commands. |
AutoitShellcodeCalling | AutoIt script uses the CallWindowProc Win32 API function, which may be indicative of injecting shellcode. |
AutoitUseResources | AutoIt script uses data from resources stored alongside the script. Malware often stores important parts of itself as resource data and unpacks them at runtime – therefore this looks suspicious. |
CabinentUsage | This object shows evidence of containing a CAB file. Malware does this to package sensitive components in a way that many detection systems can’t see. |
ClearKernel32 | Document contains reference to kernel32.dll – a library that may be used by malicious payload. |
ClearMscoree | Document contains reference to mscoree.dll – a library that may be used by malicious payload. |
ClearMsvbvm | Document contains reference to msvbvm – a library that may be used by malicious payload compiled for VB6. |
ComplexInvalidVersion | The document declares the wrong PDF version. |
ComplexJsStenographySuspected | The document may contain JavaScript code hidden in literal strings. |
ContainsEmbeddedDocument | This object contains a document embedded inside the object. Malware can use this to spread an attack to multiple sources, or to otherwise hide its true form. |
CryptoKeys | This object contains evidence of having an embedded cryptographic key. Malware does this to avoid detection and perhaps as authentication with remote services. |
DebugCheckImports | This object imports functions that would allow it to act like a debugger. Malware uses this capability to read and write from other processes. |
EmbeddedPE | This PE has additional PEs within it, which is usually only the case with software installation programs. Frequently malware will embed a PE file that it then drops to disk and executes. This technique is often used to avoid protection scanners by packaging binaries in a format that the underlying scanning technology doesn’t understand. |
EncodedDosStub1 | Document contains an obfuscated PE DOS stub that may belong to a hidden malicious payload. |
EncodedDosStub2 | Document contains an obfuscated PE DOS stub that may belong to a hidden malicious payload. |
EncodedPE | This PE has additional PEs hidden within it, which is extremely suspicious. Similar to EmbeddedPE, but uses an encoding scheme to attempt to further hide the binary inside the object. |
ExecuteDLL | This object contains evidence of the capability to execute a DLL using common methods. Malware does this as a method to avoid common detection practices. |
FakeMicrosoft | This PE claims to be written by Microsoft, but it doesn't look like a Microsoft PE. Malware commonly masquerades as Microsoft PEs in order to look inconspicuous. |
HiddenMachO | This object has another Mach-O executable file within it, which is not properly declared. This may be an attempt to hide the payload from being easily detected. |
HTTPCustomUserAgent | This object contains evidence of manipulation of the browser UserAgent. Malware does this to facilitate interactions with command and control infrastructures and to avoid detection. |
InjectProcessImports | This PE has the ability to inject code into other processes. This capability frequently implies that a process is attempting to be deceptive or hostile in some way. |
InvisibleEXE | This PE appears to run invisibly, but it isn't a background service. It might be designed to remain hidden. |
JSTokensSuspicious | The document contains unusually suspicious JavaScript. |
MSCertStore | This object shows evidence of interacting with the core Windows certificate store. Malware does this to collect credentials and insert rogue keys into the store to facilitate things like man-in-the-middle attacks. |
MSCryptoImports | This object imports functions to use the core Windows crypto library. Malware will use this to leverage the locally installed cryptography so it doesn’t need to carry its own around. |
PDFParserDotDotSlash1URICount | The document may attempt path traversal using relative paths like "../". |
PDFParserJSStreamCount | The document contains an unusually high number of JavaScript-related streams. |
PDFParserJSTokenCounts0cumulativesum | The document contains an anomalously high number of JavaScript tokens. |
PDFParserJavaScriptMagicseval~28 | The document may contain obfuscated JavaScript or can run dynamically loaded JavaScript with eval(). |
PDFParserJavaScriptMagicsunescape~28 | The document may contain obfuscated JavaScript. |
PDFParserNamesAllNamesSuspicious | The document contains an anomalously high number of suspicious names. |
PDFParserNamesObfuscatedNamesSuspicious | The document contains an anomalously high number of obfuscated names. |
PDFParserPEDetections | The document contains embedded PE file(s). |
PDFParserSwfObjectsxObservationsxSWFObjectsversion | The document contains an SWF object with an unusual version number. |
PDFParserSwfObjectsxObservationsxSWFObjectsxZLibcmfSWFObjectsxZLibcmf | The document contains an SWF object with unusual compression parameters. |
PDFParserjsObjectsLength | The document contains an anomalously high number of individual JavaScript scripts. |
PDFParserswfObjectsxObservationsxSWFObjectsxZLibflg | The document contains an SWF object with unusual compression flag parameters. |
PE_ClearDosStub1 | Document contains a DOS stub – indicative of PE file inclusion. |
PE_ClearDosStub2 | Document contains a DOS stub – indicative of PE file inclusion. |
PE_ClearHeader | Document contains PE file header data that does not belong in the document structure. |
PEinAppendedSpace | Document contains a PE file that does not belong in the document structure. |
PEinFreeSpace | Document contains a PE file that does not belong in the document structure. |
ProtectionExamination | This object seems to be looking for common protection systems. Malware does this to initiate an anti-protection action tailored to that installed on the system. |
SegmentSuspiciousName | A segment has either an invalid string as a name, or an unusual non-standard name. This may indicate post-compilation tampering or use of packers or obfuscators. |
SegmentSuspiciousSize | Segment size is significantly different from size of all content (sections) within. This may indicate usage of unreferenced area, or reservation of space for runtime unpacking of malicious code. |
SelfExtraction | This object seems to be a self-extracting archive. Malware frequently uses this tactic to obfuscate their true intentions. |
ServiceDLL | This object seems to be a service DLL. Service DLLs are loaded in svchost.exe processes and are a common persistence methodology for malware. |
StringJsSplitting | The document contains suspicious JS tokens. |
SWFinAppendedSpace | Document contains a Shockwave flash object that does not belong in the document structure. |
TempFileImports | This object imports functions used to access and manipulate temporary files. Malware does this as temporary files tend to avoid detection. |
UsesCompression | This object seems to have portions of the code that appear to be compressed. Malware uses these techniques to avoid detection. |
VirtualProtectImports | This object imports functions that are used to modify the memory of a running process. Malware does this to inject itself into running processes. |
XoredHeader | Document contains a xor-obfuscated PE header that may be a hidden malicious payload. |
XoredKernel32 | Document contains a xor-obfuscated reference to kernel32.dll – a library that may be used by malicious payload. |
XoredMscoree | Document contains a xor-obfuscated reference to mscoree.dll – a library that may be used by malicious payload. |
XoredMsvbvm | Document contains a xor-obfuscated reference to msvbvm – a library that may be used by malicious payload compiled for VB6. |
Destruction
These indicators represent situations where the object has elements that indicate capabilities or evidence of destruction. Destructive capabilities include the ability to delete system resources like files or directories.
Item | Description |
---|---|
action_writeByte | VBA script within the document is likely writing bytes to a file – which is an unusual action for legitimate documents. |
action_hexToBin | VBA script within the document is likely using hexadecimal to binary conversion that may indicate decoding a hidden malicious payload. |
appended_URI | The document contains a link that does not belong in the document structure. |
appended_exploit | The document contains suspicious data outside of document structure that may be indicative of an exploit. |
appended_macro | The document contains a macro script that does not belong in the document structure. |
appended_90_nopsled | The document contains a nop-sled that does not belong in the document structure – this is almost certainly there to facilitate exploitation. |
AutorunsPersistence | This object attempts to interact with common methods of persistence (startup scripts, etc). Malware commonly uses these tactics to attain persistence. |
DestructionString | This object has capabilities to kill processes or shut down the machine via shell commands. |
FileDirDeleteImports | This PE imports functions that can be used to delete Files or Directories. Malware uses this to break systems and cover its tracks. |
JsHeapSpray | The document likely contains heap spray code. |
PossibleLocker | This object demonstrates evidence of a desire to lock out common tools by policy. Malware will do this to retain persistence and make detection and cleanup more difficult. |
RegistryManipulation | This object imports functions that are used to manipulate the Windows registry. Malware does this to attain persistence, avoid detection, and for many other reasons. |
SeBackupPrivilege | This PE might attempt to read files to which it has not been granted access. SeBackup privilege allows access to files without honoring access controls. It is frequently used by programs that handle backups, and is frequently limited to administrative users, but can be used maliciously to get access to specific elements that might otherwise be difficult. |
SeDebugPrivilege | This PE might attempt to tamper with system processes. SeDebugPrivilege is used to access processes other than your own and is frequently limited to administrative users. It is often paired with reading and writing to other processes. |
SeRestorePrivilege | This PE might attempt to change or delete files to which it has not been granted access. The pair to SeBackup, SeRestore privilege allows writing without consideration of access control. |
ServiceControlImports | This object imports functions that can control Windows services on the current system. Malware uses this to either launch itself into the background by installing as a service, or to disable other services that may have a protective function. |
SkylinedHeapSpray | The document contains an unmodified version of Skylined's heap spray code. |
SpawnProcessImports | This PE imports functions that can be used to spawn another process. Malware uses this to launch subsequent phases of an infection, typically downloaded from the Internet. |
StringJsExploit | The document contains JavaScript code that is likely capable of exploitation. |
StringJsObfuscation | The document contains JavaScript obfuscation tokens. |
TerminateProcessImports | This object imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection systems, or to cause damage to a running system. |
trigger_AutoExec | VBA script within the document is likely trying to execute automatically. |
trigger_AutoOpen | VBA script within the document is likely trying to execute as soon as the document is opened. |
trigger_Document_Open | VBA script within the document is likely trying to execute as soon as the document is opened. |
trigger_DocumentOpen | VBA script within the document is likely trying to execute as soon as the document is opened. |
trigger_AutoExit | VBA script within the document is likely trying to execute automatically when the document is closing. |
trigger_AutoClose | VBA script within the document is likely trying to execute automatically when the document is closing. |
trigger_Document_Close | VBA script within the document is likely trying to execute automatically when the document is closing. |
trigger_DocumentBeforeClose | VBA script within the document is likely trying to execute automatically just before the document closes. |
trigger_DocumentChange | VBA script within the document is likely trying to execute automatically when the document is being changed. |
trigger_AutoNew | VBA script within the document is likely trying to execute automatically when a new document is being created. |
trigger_Document_New | VBA script within the document is likely trying to execute automatically when a new document is being created. |
trigger_NewDocument | VBA script within the document is likely trying to execute automatically when a new document is being created. |
trigger_Auto_Open | VBA script within the document is likely trying to execute as soon as the document is opened. |
trigger_Workbook_Open | VBA script within the document is likely trying to execute as soon as an Excel workbook is opened. |
trigger_Auto_Close | VBA script within the document is likely trying to execute automatically when the document is closing. |
trigger_Workbook_Close | VBA script within the document is likely trying to execute automatically when an Excel workbook is closing. |
UserManagementImports | This object imports functions that can be used to change users on the local system. It can add, delete, or change key user details. Malware can use this capability to achieve persistence or cause harm to the local system. |
VirtualAllocImports | This object imports functions that are used to allocate memory in a running process (locally or in another process). Malware does this to stage code for injection into a running process. |
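The trigger_* rows above all key on one thing: the name of a VBA procedure that Office runs without any user interaction. The following Python is an added illustration, not the vendor's detection logic. It maps procedure definitions found in extracted VBA source to the indicator names in the table and, for each auto-executing procedure, lists which commonly abused calls appear directly in its body. The sample module, the `SUSPICIOUS_CALLS` list and the `find_triggers`/`analyze` functions are all constructed for this example.

```python
import re

# Auto-execution procedure names and the trigger_* indicator each one maps to.
# The names come from the table above; the mapping itself is this example's, not the vendor's rule set.
VBA_TRIGGERS = {
    "AutoExec": "trigger_AutoExec",
    "AutoOpen": "trigger_AutoOpen",
    "Document_Open": "trigger_Document_Open",
    "DocumentOpen": "trigger_DocumentOpen",
    "AutoExit": "trigger_AutoExit",
    "AutoClose": "trigger_AutoClose",
    "Document_Close": "trigger_Document_Close",
    "DocumentBeforeClose": "trigger_DocumentBeforeClose",
    "DocumentChange": "trigger_DocumentChange",
    "AutoNew": "trigger_AutoNew",
    "Document_New": "trigger_Document_New",
    "NewDocument": "trigger_NewDocument",
    "Auto_Open": "trigger_Auto_Open",
    "Workbook_Open": "trigger_Workbook_Open",
    "Auto_Close": "trigger_Auto_Close",
    "Workbook_Close": "trigger_Workbook_Close",
}
# VBA identifiers are case-insensitive, so look them up in lower case.
_TRIGGERS_LC = {name.lower(): ind for name, ind in VBA_TRIGGERS.items()}

# Calls worth reporting when they sit inside an auto-executing procedure (illustrative list).
SUSPICIOUS_CALLS = ["Shell", "CreateObject", "GetObject", "Environ", "URLDownloadToFile", "CallByName"]

# One procedure: optional visibility, Sub/Function, name, argument list, body, matching End Sub/Function.
# Anchoring at line start means a commented-out "' Sub AutoOpen()" does not match.
_PROC_RE = re.compile(
    r"^[ \t]*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(Sub|Function)\s+"
    r"([A-Za-z_]\w*)\s*\((?P<body>.*?)^[ \t]*End\s+\1\b",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)


def procedures(vba_source: str):
    """Yield (procedure name, body text) for every Sub/Function in the module."""
    for m in _PROC_RE.finditer(vba_source):
        yield m.group(2), m.group("body")


def find_triggers(vba_source: str) -> list:
    """Return the sorted trigger_* indicators whose entry-point procedure is defined."""
    found = {_TRIGGERS_LC[name.lower()] for name, _ in procedures(vba_source)
             if name.lower() in _TRIGGERS_LC}
    return sorted(found)


def analyze(vba_source: str) -> dict:
    """Map each fired trigger_* indicator to the suspicious calls made directly in its body.
    Calls made through helper procedures are not followed."""
    report = {}
    for name, body in procedures(vba_source):
        ind = _TRIGGERS_LC.get(name.lower())
        if ind is None:
            continue
        report[ind] = [c for c in SUSPICIOUS_CALLS if re.search(rf"\b{c}\b", body, re.IGNORECASE)]
    return report


# Constructed sample module: two auto-executing entry points and one helper.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
' Sub AutoExec()   <- commented out, must not count
Private Sub Document_Open()
    Call Init
End Sub

Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\\stage.exe"
    Shell p, vbHide
End Sub

Sub Init()
    MsgBox "hello"
End Sub
"""

if __name__ == "__main__":
    print(find_triggers(SAMPLE_VBA))
    for ind, calls in analyze(SAMPLE_VBA).items():
        print(ind, "->", calls or "no direct suspicious calls")
```

Feed it the module text that a macro extractor (for example oletools' olevba) pulls out of the document. A trigger with an empty call list is not benign on its own: the `Document_Open` body above only calls a helper, which is exactly how a payload is hidden one hop away from the entry point, so the next step is to follow the calls into the helper procedures.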
Shellcodes
Indicates a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.
Item | Description |
---|---|
ApiHashing | Document contains a byte sequence that looks like shellcode that tries to stealthily find library APIs loaded in memory. |
BlackholeV2 | The document looks like it might have come from the Blackhole exploit kit. |
ComplexGotoEmbed | The document may be able to force a browser to go to an address or perform an action. |
ComplexSuspiciousHeaderLocation | The PDF header is located at a non-zero offset, which may indicate an attempt to prevent this document from being recognized as a PDF document. |
EmbeddedTiff | The document may contain a crafted TIFF image with a NOP sled to facilitate exploitation. |
EmbeddedXDP | The document likely contains another PDF wrapped in XML (an XDP package). |
FindKernel32Base1 | The document contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory. |
FindKernel32Base2 | The document contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory. |
FindKernel32Base3 | The document contains a byte sequence that looks like a shellcode that tries to locate kernel32.dll in memory. |
FunctionPrologSig | The document contains a byte sequence that is a typical function prolog - likely contains shellcode. |
GetEIP1 | The document contains a byte sequence that looks like a shellcode that resolves its own address to locate other things in memory and facilitate exploitation. |
GetEIP4 | The document contains a byte sequence that looks like a shellcode that resolves its own address to locate other things in memory and facilitate exploitation. |
IndirectFnCall1 | The document contains a byte sequence that looks like an indirect function call – likely shellcode. |
IndirectFnCall2 | The document contains a byte sequence that looks like an indirect function call – likely shellcode. |
IndirectFnCall3 | The document contains a byte sequence that looks like an indirect function call – likely shellcode. |
SehSig | The document contains a byte sequence that is typical for Structured Exception Handling – likely contains shellcode. |
StringLaunchActionBrowser | The document may be able to force a browser to go to an address or perform an action. |
StringLaunchActionShell | The document may be able to execute shell actions. |
StringSingExploit | The document might contain an exploit. |
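The FindKernel32Base, GetEIP, ApiHashing, FunctionPrologSig, SehSig and IndirectFnCall rows all describe the same kind of check: a byte sequence that is a well-known x86 shellcode idiom appears in a file that should carry no native code at all. The Python below is an added example of that check and is not the vendor's signature set (the numbered variants in the table, such as FindKernel32Base1 to 3, are not published here; the patterns used are the classic encodings of each idiom). It also inflates FlateDecode streams first, since a PDF payload is usually compressed. The stub bytes, the minimal PDF wrapper and the `scan`/`scan_pdf` functions are constructed for this example.

```python
import re
import zlib
from typing import Optional

# Byte idioms behind the shellcode indicators above. Classic x86 encodings, written for this
# example; the vendor's own signatures are not public here.
SHELLCODE_PATTERNS = {
    # call $+5 ; pop reg            -> code resolves its own address
    "GetEIP": rb"\xE8\x00\x00\x00\x00[\x58-\x5F]",
    # mov eax, fs:[0x30] / mov reg, fs:[0x30] / mov eax, fs:[reg+0x30]  -> PEB, first step to kernel32
    "FindKernel32Base": (
        rb"\x64\xA1\x30\x00\x00\x00"
        rb"|\x64\x8B[\x05\x0D\x15\x1D\x35\x3D]\x30\x00\x00\x00"
        rb"|\x64\x8B[\x40-\x43\x45-\x47]\x30"   # 0x44 would need a SIB byte, so it is excluded
    ),
    # ror reg, 13                   -> the usual API-name hashing loop
    "ApiHashing": rb"\xC1[\xC8-\xCF]\x0D",
    # push ebp ; mov ebp, esp       -> function prolog; only suspicious where no native code belongs
    "FunctionPrologSig": rb"\x55\x8B\xEC",
    # push dword fs:[0] / mov eax, fs:[0]  -> SEH chain access
    "SehSig": rb"\x64\xFF\x35\x00\x00\x00\x00|\x64\xA1\x00\x00\x00\x00",
    # call reg / call [disp32]
    "IndirectFnCall": rb"\xFF[\xD0-\xD7]|\xFF\x15.{4}",
}
_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SHELLCODE_PATTERNS.items()}

_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _inflate(raw: bytes) -> Optional[bytes]:
    """Inflate a zlib stream, tolerating a clipped trailer; None if it is not zlib data."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(raw)
    except zlib.error:
        return None
    return out or None


def inflate_streams(data: bytes) -> bytes:
    """Replace every FlateDecode stream body with its inflated content so the signatures see
    what the viewer would actually process; streams that are not zlib data are left alone."""
    def repl(m):
        inflated = _inflate(m.group(1))
        return m.group(0) if inflated is None else b"stream\n" + inflated + b"\nendstream"
    return _STREAM_RE.sub(repl, data)


def scan(data: bytes) -> dict:
    """Count hits per shellcode indicator in a raw buffer (only indicators with hits are returned)."""
    return {name: n for name, pat in _COMPILED.items() if (n := len(pat.findall(data)))}


def scan_pdf(data: bytes) -> dict:
    """Scan a PDF after inflating its streams."""
    return scan(inflate_streams(data))


# Constructed stub in the style of a kernel32-locating shellcode (data only, never executed here):
STUB = bytes([
    0x31, 0xC0,                    # xor eax, eax
    0x64, 0x8B, 0x40, 0x30,        # mov eax, fs:[eax+0x30]    ; PEB
    0x8B, 0x40, 0x0C,              # mov eax, [eax+0x0C]       ; PEB->Ldr
    0x8B, 0x70, 0x1C,              # mov esi, [eax+0x1C]       ; InInitializationOrderModuleList
    0xAD,                          # lodsd                     ; first list entry
    0x8B, 0x68, 0x08,              # mov ebp, [eax+0x08]       ; DllBase of that entry
    0xE8, 0x00, 0x00, 0x00, 0x00,  # call $+5
    0x5B,                          # pop ebx                   ; ebx = current EIP
    0xC1, 0xCF, 0x0D,              # ror edi, 13               ; one hashing step
    0xFF, 0xD0,                    # call eax
])


def wrap_in_pdf(payload: bytes) -> bytes:
    """Place payload in a FlateDecode stream of a minimal, constructed PDF skeleton."""
    body = zlib.compress(payload)
    return (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")


SAMPLE_PDF = wrap_in_pdf(STUB)                                  # constructed: stub hidden in a stream
CLEAN_PDF = wrap_in_pdf(b"BT /F1 12 Tf (Quarterly report) Tj ET")  # constructed: ordinary page content

if __name__ == "__main__":
    print("raw bytes only:", scan(SAMPLE_PDF))
    print("after inflating:", scan_pdf(SAMPLE_PDF))
    print("clean document:", scan_pdf(CLEAN_PDF))
```

Two caveats a practitioner should keep in mind. Each idiom alone is weak evidence (FunctionPrologSig in particular is three very common bytes), which is why the table lists them as separate indicators rather than one verdict; the signal is several of them clustering in one decoded stream. And the decoding step matters more than the patterns: scanning the raw file misses a stub that sits behind FlateDecode, and real documents also use ASCIIHex, ASCII85 and other filters that this example does not handle.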
Misc
All indicators that do not fit into the aforementioned categories.
Item | Description |
---|---|
AutoitFileOperations | AutoIt script is capable of performing multiple actions on files. This may be used for information gathering, persistence, or destruction. |
AutorunString | Indicates capability to achieve persistence by using autorun mechanism(s). |
CodepageLookupImports | This object imports functions used to look up the code page (character encoding and locale) of a running system. Malware uses this to infer which country or region a system is running in, either to target particular groups or to avoid running in certain regions. |
MutexImports | This object imports functions to create and manipulate Mutex objects. Malware frequently uses mutexes to avoid infecting a system multiple times. |
OpenSSLStatic | This object contains a statically linked copy of OpenSSL. Malware does this to bundle cryptographic functionality without importing a recognisable OpenSSL library, leaving less obvious evidence of it. |
PListString | Indicates capability to interact with property lists that are used by the OS. This may be used to achieve persistence or subvert various processes. |
PrivEscalationCryptBase | This object shows evidence of attempting to use a particular privilege escalation using CryptBase. Malware uses this to gain more privileges on the affected system. |
ShellCommandString | Indicates capability to use sensitive shell commands for reconnaissance, elevation of privilege, or data destruction. |
SystemCallSuspicious | Indicates capability to monitor and/or control system and other processes, perform debug-like actions. |