Anomalies

These indicators represent situations where the file has elements that are inconsistent or anomalous in some way. Frequently, these are inconsistencies in structural elements in the file.
Indicator
Description
16bitSubsystem
The file utilizes the 16-bit subsystem. Malware uses this to exist in a less secure and less monitored part of the operating system, and frequently to perform privilege escalation attacks.
Anachronism
This PE appears to be lying about when it was written, which is atypical for professionally written software.
AppendedData
This PE has some extra content appended to it, beyond the normal areas of the file. Appended data can frequently be used to embed malicious code or data, and is frequently overlooked by protection systems.
AutoitDbgPrivilege
The AutoIt script can perform debug activities.
AutoitManyDllCalls
The AutoIt script uses many external DLL calls. The AutoIt runtime already provides many common functions, so pulling additional functionality from external libraries may be a sign of maliciousness.
AutoitMutex
The AutoIt script creates synchronization objects. This is often used by malware to prevent multiple infections of the same target.
AutoitProcessCarving
The AutoIt script is likely performing process carving to run its own code that appears to come from another process. This is often done to hinder detection.
AutoitProcessInjection
The AutoIt script is likely performing process injection to run code in other processes' context, possibly to stay undetected or to steal data.
AutoitRegWrite
The AutoIt script writes into the Windows registry.
Base64Alphabet
The file contains a Base64 alphabet, evidence that it uses Base64 encoding. Malware does this to attempt to avoid common detection or to attack other programs using Base64 encoding.
CommandlineArgsImport
The file imports functions that can be used to read arguments from a command line. Malware uses this to collect information on subsequent runs.
ComplexMultipleFilters
The file contains multiple streams with multiple filters.
ComplexObfuscatedEncoding
The file contains an anomalously high number of obfuscated names.
ComplexUnsupportedVersionEmbeddedFiles
The file uses the EmbeddedFiles feature from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionFlate
The file uses the FlateDecode feature from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionJbig2
The file uses the JBIG2Decode feature from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionJs
The file uses JavaScript features from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionXFA
The file uses XFA features from newer versions of the PDF standard than the file declares.
ComplexUnsupportedVersionXobject
The file uses XObject features from newer versions of the PDF standard than the file declares.
ContainsFlash
The file contains Flash objects.
ContainsPE
The file contains embedded executable files.
ContainsU3D
The file contains U3D objects.
InvalidCodePageUsed
The file uses an invalid or unrecognized locale, possibly to avoid detection.
InvalidData
The file metadata is obviously bogus or corrupt.
InvalidStructure
The file structure is not valid. The sizes, metadata, or internal sector allocation table are wrong, which may indicate an exploit.
ManifestMismatch
The file demonstrates an inconsistency in its manifest. Malware does this to avoid detection, but rarely covers its tracks deeply.
NontrivialDLLEP
This PE is a DLL with a nontrivial entry point. This is common among DLLs, but a malicious DLL may use its entry point to take up residence in a process.
NullValuesInStrings
Some strings within the file contain null characters in the middle.
PDFParserArraysContainsNullCount
The file contains an anomalously high number of null values in arrays.
PDFParserArraysHeterogeneousCount
The file contains an anomalously high number of arrays containing different types of elements.
PDFParserMailtoURICount
The file contains an anomalously high number of email links (mailto:).
PDFParserMinPageCount
The file has an unusual structure of page objects, such as a high number of child-page objects per node.
PDFParserNamesPoundNameMaxLength
The file may attempt to obfuscate its contents by using long encoded strings.
PDFParserNamesPoundNameMinLength
The file contains an anomalously high minimum length of an escaped name.
PDFParserNamesPoundNameTotalLength
The file may attempt to obfuscate its contents by storing much of its content in encoded strings.
PDFParserNamesPoundNameUpperCount
The file contains an anomalously high number of names escaped with uppercase hexadecimal characters.
PDFParserNamesPoundNameValidCount
The file contains an anomalously high number of valid escaped names.
PDFParserNamesPoundPerNameMaxCount
The file contains an anomalously high maximum number of escaped characters per single name.
PDFParserNamesPoundUnnecessaryCount
The file contains an anomalously high number of unnecessarily escaped names.
PDFParserNumbersLeadingDigitTallies8
The file contains an anomalously high number of numbers that start with 8 in decimal representation.
PDFParserNumbersPlusCount
The file contains an anomalously high number of numbers with an explicit plus sign.
PDFParserNumbersRealMaxRawLength
The file contains an anomalously high maximum length of a real number.
PDFParserPageCounts
The file contains an anomalously high number of child-page objects.
PDFParserPageObjectCount
The file contains an anomalously high number of page objects.
PDFParserSizeEOF
The file contains anomalously long end-of-file sequence(s).
PDFParserStringsHexLowerCount
The file contains an anomalously high number of strings escaped with lowercase hexadecimal digits.
PDFParserStringsLiteralStringMaxLength
The file contains an anomalously high maximum length of a literal string.
PDFParserStringsOctalZeroPaddedCount
The file contains an anomalously high number of octal escaped characters in strings that are unnecessarily zero-padded.
PDFParserTrailerSpread
The file contains an anomalously large spread between trailer objects.
PDFParserWhitespaceCommentMaxLength
The file contains an anomalously high maximum length for a comment.
PDFParserWhitespaceCommentMinLength
The file contains unusually short comments that are not used by reader software.
PDFParserWhitespaceCommentTotalLength
The file contains an unusually large amount of commented-out data.
PDFParserWhitespaceEOL0ACount
The file contains an anomalously high number of short (bare 0x0A) end-of-line characters.
PDFParserWhitespaceWhitespace00Count
The file contains an anomalously high number of zero bytes (0x00) used as whitespace.
PDFParserWhitespaceWhitespace09Count
The file contains an anomalously high number of 0x09 (tab) bytes used as whitespace.
PDFParserWhitespaceWhitespaceLongestRun
The file contains an anomalously long whitespace area.
PDFParserWhitespaceWhitespaceTotalLength
The file contains an anomalously high number of whitespace characters.
PDFParseru3DObjectsNamesAllNames
The file contains an anomalously high number of U3D objects.
PossibleBAT
The file contains evidence of having a standard Windows batch file included. Malware does this to avoid common scanning techniques and to provide persistence.
PossibleDinkumware
The file shows evidence of including some components from DinkumWare. Dinkumware is frequently used in various malware components.
PropertyImpropriety
The file contains suspicious OOXML properties.
RaiseExceptionImports
The file imports functions used to raise exceptions within a program. Malware does this to implement tactics that make standard dynamic code analysis difficult to follow.
ReservedFieldsViolation
The file violates the specification in terms of the use of reserved fields.
ResourceAnomaly
The file contains an anomaly in the resource section. Malware frequently contains malformed or other odd bits in the resource section of a DLL.
RWXSection
This PE may contain modifiable code, which is at best unorthodox and at worst symptomatic of a virus infection. Frequently, this feature implies that the file has been built using something other than a standard compiler or has been modified after it was originally built.
SectorMalfeasance
The file contains structural oddities with OLE sector allocation.
StringInvalid
One of the references to a string in a string table pointed to a negative offset.
StringTableNotTerminated
A string table was not terminated with a null byte. This could cause a fault at runtime due to a string that does not end.
StringTruncated
One of the references to a string in a string table pointed to a location after the end of a file.
SuspiciousPDataSection
This PE is hiding something in its "pdata" area, but it is not clear what it is. The "pdata" area in a PE file is generally used for process runtime structures, but this particular file contains something else.
SuspiciousRelocSection
This PE is hiding something in its "relocations" area, but it is not clear what it is. The "relocations" area in a PE file is generally used for relocating particular symbols, but this particular file contains something else.
SuspiciousDirectoryNames
The file contains OLE directory names that are suspicious.
SuspiciousDirectoryStructure
The file has oddities in the OLE directory structure.
SuspiciousEmbedding
The file uses suspicious embedding of OLE.
SuspiciousVBA
The file contains suspicious VBA code.
SuspiciousVBALib
The file shows suspicious VBA library usage.
SuspiciousVBANames
The file contains suspicious names associated with VBA structures.
SuspiciousVBAVersion
The file contains suspicious VBA versioning.
SWFOddity
The file contains certain questionable usages of embedded SWF.
TooMalformedToProcess
The file is so malformed that it could not be parsed completely.
VersionAnomaly
The file has issues with how it presents its version information. Malware does this to avoid detection.
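As an added example (not part of this page or of the product it documents), the following Python check approximates three of the PE indicators above, RWXSection, AppendedData and Anachronism, and runs them over a constructed minimal PE image. The heuristics (a section flagged both writable and executable, bytes past the last section's raw data, a link timestamp in the future) are my own approximations of what the indicator names suggest, not the vendor's logic; the sample images, `FIXED_NOW` and the one-day clock-skew slack are assumptions.

```python
import struct
import time

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def pe_anomalies(data: bytes, now: int = None) -> list:
    """Return the subset of RWXSection, AppendedData, Anachronism that fire on a PE image."""
    findings = []
    if data[:2] != b"MZ":
        return ["InvalidStructure"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["InvalidStructure"]
    coff = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sections = coff + 20 + opt_size
    end_of_sections = sections + 40 * nsections  # at least the section headers themselves
    for i in range(nsections):
        off = sections + i * 40  # each section header is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        chars = struct.unpack_from("<I", data, off + 36)[0]            # Characteristics
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE and "RWXSection" not in findings:
            findings.append("RWXSection")
    if len(data) > end_of_sections:  # overlay: bytes past every section's raw data
        findings.append("AppendedData")
    now = int(time.time()) if now is None else now
    if timestamp > now + 86400:  # link timestamp in the future (one day of clock-skew slack)
        findings.append("Anachronism")
    return findings

def build_sample_pe(section_chars: int, overlay: bytes, timestamp: int) -> bytes:
    """Constructed minimal PE image (not runnable) with one section; test input only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)  # no optional header
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x80, 0, 0, 0, 0, section_chars)
    return bytes(dos) + b"PE\0\0" + coff + section + b"\xc3" * 16 + overlay

FIXED_NOW = 1_700_000_000  # assumed "current time" so results are deterministic
CLEAN = build_sample_pe(0x60000020, b"", FIXED_NOW - 86400 * 30)                        # CODE|EXECUTE|READ
SUSPECT = build_sample_pe(0xE0000020, b"constructed overlay", FIXED_NOW + 86400 * 30)  # adds WRITE
```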