Deception
These indicators flag files whose contents show the capability for, or direct evidence of, deception. Deception can take the form of hidden sections, code included specifically to evade detection, or metadata and other sections that mislabel what the file really is.
Indicator | Description |
---|---|
AddedHeader | The file contains an additional, obfuscated PE header that may be a hidden malicious payload. |
AddedKernel32 | The file contains an additional, obfuscated reference to kernel32.dll, a library that may be used by a malicious payload. |
AddedMscoree | The file contains an additional, obfuscated reference to mscoree.dll, a library that may be used by a malicious payload. |
AddedMsvbvm | The file contains an additional, obfuscated reference to msvbvm.dll, a library that may be used by a malicious payload compiled with Microsoft Visual Basic 6. |
AntiVM | The file demonstrates features that can be used to determine whether the process is running in a virtual machine. Malware does this to avoid executing, or to behave benignly, inside the virtualized analysis sandboxes that are now common. |
AutoitDownloadExecute | The AutoIt script can download and execute files. This is often done to deliver additional malicious payloads. |
AutoitObfuscationStringConcat | The AutoIt script is likely obfuscated with string concatenation. This is often done to avoid detection of whole, suspicious commands. |
AutoitShellcodeCalling | The AutoIt script uses the CallWindowProc() Windows API function, a common way for a script to transfer execution to shellcode it has placed in memory, so its use may indicate shellcode injection. |
AutoitUseResources | The AutoIt script uses data from resources stored alongside the script. Malware often stores important parts of itself as resource data and unpacks them at runtime, so this usage is suspicious. |
CabinentUsage | The file shows evidence of containing a CAB file. Malware does this to package sensitive components in a way that many detection systems do not unpack and inspect. |
ClearKernel32 | The file contains a reference to kernel32.dll, a library that may be used by a malicious payload. |
ClearMscoree | The file contains a reference to mscoree.dll, a library that may be used by a malicious payload. |
ClearMsvbvm | The file contains a reference to msvbvm.dll, a library that may be used by a malicious payload compiled with Microsoft Visual Basic 6. |
ComplexInvalidVersion | The file declares the wrong PDF version. |
ComplexJsStenographySuspected | The file may contain JavaScript code hidden in literal strings. |
ContainsEmbeddedDocument | The file contains another document embedded inside it. Malware can use this to chain to a second-stage document or to otherwise hide its true form. |
CryptoKeys | The file contains evidence of an embedded cryptographic key. Malware carries keys to encrypt its own components or traffic, which hinders detection, and sometimes to authenticate to remote services. |
DebugCheckImports | The file imports functions that would allow it to act like a debugger. Malware uses this capability to read from and write to the memory of other processes. |
EmbeddedPE | The PE contains additional PEs within it, which is normally the case only for software installers. Malware frequently embeds a PE file that it later drops to disk and executes. Packaging a binary inside a format that the underlying scanning engine does not understand is a common way to evade protection scanners. |
EncodedDosStub1 | The PE contains an obfuscated PE DOS stub that may belong to a hidden malicious payload. |
EncodedDosStub2 | The PE contains an obfuscated PE DOS stub that may belong to a hidden malicious payload. |
EncodedPE | The PE has additional PEs hidden within it, which is extremely suspicious. It is similar to the EmbeddedPE indicator, but uses an encoding scheme to attempt to further hide the binary inside the object. |
ExecuteDLL | The PE contains evidence of the capability to load and execute a DLL by common methods. Malware does this to run its real payload from a separate library and sidestep detection focused on the launching executable. |
FakeMicrosoft | The PE claims to be written by Microsoft but does not look like a Microsoft PE. Malware commonly masquerades as a Microsoft PE to look inconspicuous. |
HiddenMachO | The file contains another Mach-O executable that is not properly declared in its structure. This may be an attempt to keep the payload from being easily detected. |
HTTPCustomUserAgent | The file contains evidence of setting a custom HTTP User-Agent string. Malware does this to facilitate interactions with its command-and-control infrastructure and to avoid network detection by imitating a legitimate client. |
InjectProcessImports | The PE can inject code into other processes. This capability frequently implies that a process is attempting to be deceptive or hostile in some way. |
InvisibleEXE | The PE appears to run without any visible window, yet it is not a background service. It may be designed to remain hidden from the user. |
JSTokensSuspicious | The file contains unusually suspicious JavaScript. |
MSCertStore | The file shows evidence of interacting with the core Windows certificate store. Malware does this to collect credentials and to insert rogue certificates into the store, which facilitates actions such as man-in-the-middle attacks. |
MSCryptoImports | The file imports functions from the core Windows cryptography library. Malware uses this to leverage the locally installed cryptography so that it does not need to carry its own cryptographic implementation. |
PDFParserDotDotSlash1URICount | The file may attempt path traversal using relative paths such as "../". |
PDFParserJavaScriptMagicseval~28 | The file may contain obfuscated JavaScript or can run dynamically loaded JavaScript with eval(). |
PDFParserJavaScriptMagicsunescape~28 | The file may contain obfuscated JavaScript. |
PDFParserjsObjectsLength | The file contains an anomalously high number of individual JavaScript scripts. |
PDFParserJSStreamCount | The file contains an unusually high number of JavaScript-related streams. |
PDFParserJSTokenCounts0cumulativesum | The file contains an anomalously high number of JavaScript tokens. |
PDFParserJSTokenCounts1cumulativesum | The file contains an anomalously high number of JavaScript tokens. |
PDFParserNamesAllNamesSuspicious | The file contains an anomalously high number of suspicious names. |
PDFParserNamesObfuscatedNamesSuspicious | The file contains an anomalously high number of obfuscated names. |
PDFParserPEDetections | The file contains embedded PE file(s). |
PDFParserSwfObjectsxObservationsxSWFObjectsversion | The file contains an SWF object with an unusual version number. |
PDFParserSwfObjectsxObservationsxSWFObjectsxZLibcmf | The file contains an SWF object with unusual compression parameters. |
PDFParserswfObjectsxObservationsxSWFObjectsxZLibflg | The file contains an SWF object with unusual compression flag parameters. |
PE_ClearDosStub1 | The file contains a DOS stub, indicative of PE file inclusion. |
PE_ClearDosStub2 | The file contains a DOS stub, indicative of PE file inclusion. |
PE_ClearHeader | The file contains PE file header data that does not belong in the file structure. |
PEinAppendedSpace | The file contains a PE file that does not belong in the file structure. |
PEinFreeSpace | The file contains a PE file that does not belong in the file structure. |
ProtectionExamination | The file seems to be looking for common protection systems. Malware does this to initiate an anti-protection action tailored to the product installed on the system. |
SegmentSuspiciousName | A segment has either an invalid string as a name or an unusual non-standard name. This may indicate post-compilation tampering or the use of packers or obfuscators. |
SegmentSuspiciousSize | A segment's declared size differs significantly from the combined size of the content sections within it. This may indicate the use of an unreferenced area or the reservation of space for runtime unpacking of malicious code. |
SelfExtraction | The file seems to be a self-extracting archive. Malware frequently uses this tactic to obfuscate its true intentions. |
ServiceDLL | The file seems to be a service DLL. Service DLLs are loaded in the svchost.exe process and are a common persistence methodology for malware. |
StringJsSplitting | The file contains suspicious JavaScript tokens consistent with strings being split into fragments, a common obfuscation. |
SWFinAppendedSpace | The file contains a Shockwave Flash (SWF) object that does not belong in the document structure. |
TempFileImports | The file imports functions used to access and manipulate temporary files. Malware does this because temporary directories are a convenient, rarely scrutinized place to stage dropped files. |
UsesCompression | Portions of the file's code appear to be compressed. Malware uses compression to hide its contents from detection until it unpacks them at runtime. |
VirtualProtectImports | The file imports functions used to change the protection of memory pages in a running process (such as VirtualProtect). Malware does this to make memory writable and executable for code it unpacks or injects into running processes. |
XoredHeader | The file contains an xor-obfuscated PE header that may be a hidden malicious payload. |
XoredKernel32 | The file contains an xor-obfuscated reference to kernel32.dll, a library that may be used by a malicious payload. |
XoredMscoree | The file contains an xor-obfuscated reference to mscoree.dll, a library that may be used by a malicious payload. |
XoredMsvbvm | The file contains an xor-obfuscated reference to msvbvm.dll, a library that may be used by a malicious payload compiled with Microsoft Visual Basic 6. |
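Several rows in the table (ClearKernel32, XoredKernel32, XoredHeader, EncodedDosStub, EmbeddedPE and PE_ClearDosStub) reduce to one check: look for PE header structure, the DOS stub text and well-known library names, both in clear text and under a byte-wise obfuscation. The script below is an added example, not code from the original page or from the product it documents. It approximates those heuristics with a single-byte XOR brute force over a constructed sample; the function names, the way hits are grouped under indicator names, the 0x5A key and the sample data are all assumptions made for illustration, and the real engine's heuristics and thresholds (including whatever the Added* and Encoded* families match) are not described on this page.

```python
"""Added example: a small scanner approximating the Clear*/Xored*/EmbeddedPE/
DosStub indicators from the table. Not the product's own code; heuristics,
names and sample data are assumptions made for illustration."""
import struct

# Text nearly every PE carries in its DOS stub, and the import names behind the
# ClearKernel32/ClearMscoree/ClearMsvbvm family. "msvbvm" is matched as a prefix
# so that both msvbvm50.dll and msvbvm60.dll are caught (assumption).
DOS_STUB = b"This program cannot be run in DOS mode"
LIBRARIES = {"Kernel32": b"kernel32.dll", "Mscoree": b"mscoree.dll", "Msvbvm": b"msvbvm"}


def find_all(data: bytes, needle: bytes):
    """Yield every offset of needle in data."""
    off = data.find(needle)
    while off != -1:
        yield off
        off = data.find(needle, off + 1)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to the whole buffer (key 0 is the identity)."""
    return bytes(b ^ key for b in data)


def pe_header_offsets(data: bytes) -> list:
    """Offsets of plausible PE images: an 'MZ' whose e_lfanew field (at +0x3C)
    points at a 'PE\\0\\0' signature. Checking the chain, not just 'MZ', keeps
    random two-byte matches out of the results."""
    hits = []
    for off in find_all(data, b"MZ"):
        if off + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        sig = data[off + e_lfanew: off + e_lfanew + 4]
        if 0x40 <= e_lfanew <= 0x1000 and sig == b"PE\0\0":
            hits.append(off)
    return hits


def candidate_keys(data: bytes) -> list:
    """Single-byte XOR keys under which the DOS stub text or a library name
    becomes visible. Key 0 (clear text) is always included. Brute-forcing 255
    keys against long strings is cheap and far less noisy than hunting for an
    XORed 'MZ' on its own."""
    keys = {0}
    for needle in [DOS_STUB, *LIBRARIES.values()]:
        for key in range(1, 256):
            if xor_bytes(needle, key) in data:
                keys.add(key)
    return sorted(keys)


def scan(data: bytes) -> dict:
    """Return {indicator_name: [(offset, xor_key), ...]}. Indicator names mirror
    the table; the exact grouping is this example's own approximation."""
    found = {}

    def add(name, off, key):
        found.setdefault(name, []).append((off, key))

    for key in candidate_keys(data):
        view = xor_bytes(data, key) if key else data
        prefix = "Clear" if key == 0 else "Xored"
        # The first clear header is the host image itself; any further header is
        # an embedded PE, and one visible only after decoding is an XoredHeader.
        for i, off in enumerate(pe_header_offsets(view)):
            if key == 0 and i == 0:
                continue
            add("EmbeddedPE" if key == 0 else "XoredHeader", off, key)
        # Likewise a second clear DOS stub, or any XOR-hidden one, is suspicious.
        for i, off in enumerate(find_all(view, DOS_STUB)):
            if key == 0 and i == 0:
                continue
            add("PE_ClearDosStub" if key == 0 else "EncodedDosStub", off, key)
        for suffix, needle in LIBRARIES.items():
            for off in find_all(view, needle):
                add(prefix + suffix, off, key)
    return found


def build_fake_pe(marker: bytes) -> bytes:
    """Constructed test data: a PE-shaped blob (MZ header, e_lfanew -> 'PE\\0\\0',
    DOS stub text, an import-style library name). It is not a runnable binary."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x80)  # e_lfanew: just past the DOS header
    header[0x4E:0x4E + 42] = b"!This program cannot be run in DOS mode.\r\n"
    return bytes(header) + b"PE\0\0" + bytes(0x40) + b"kernel32.dll\0" + marker


def build_sample(key: int) -> bytes:
    """Host PE, 32 bytes of slack, then a second PE XORed with key (0 = clear)."""
    host = build_fake_pe(b"host")
    payload = build_fake_pe(b"payload")
    return host + bytes(32) + xor_bytes(payload, key)


if __name__ == "__main__":
    for key in (0, 0x5A):
        print(f"--- appended PE, key {key:#04x} ---")
        for name, hits in sorted(scan(build_sample(key)).items()):
            print(f"{name:16s} {[(hex(o), hex(k)) for o, k in hits]}")
```

With the payload appended in clear the scan reports EmbeddedPE and PE_ClearDosStub plus two ClearKernel32 hits; with the payload XORed it reports XoredHeader, EncodedDosStub and XoredKernel32, each tagged with the recovered key, while the host's own kernel32.dll reference still shows up as ClearKernel32. A lone well-formed PE produces only ClearKernel32, which is why that indicator on its own carries little weight in the table.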