Destruction
These indicators flag files whose contents indicate a capability for, or evidence of, destruction. Destructive capabilities include the ability to delete system resources such as files or directories, to stop processes, or to shut the machine down.
Indicator | Description |
---|---|
action_writeByte | The VBA script within the file is likely writing bytes to a file, which is an unusual action for a legitimate document. |
action_hexToBin | The VBA script within the file is likely using hexadecimal-to-binary conversion that may indicate decoding a hidden malicious payload. |
appended_URI | The file contains a link that does not belong in the file structure. |
appended_exploit | The file contains suspicious data outside of the file structure that may be indicative of an exploit. |
appended_macro | The file contains a macro script that does not belong in the file structure. |
appended_90_nopsled | The file contains a NOP sled (a run of 0x90 bytes, the x86 NOP opcode) that does not belong in the file structure; this is almost certainly there to facilitate exploitation. |
AutorunsPersistence | The file attempts to interact with common methods of persistence (for example, startup scripts). Malware commonly uses these tactics to attain persistence. |
DestructionString | The file has capabilities to kill processes or shut down the machine via shell commands. |
FileDirDeleteImports | The PE imports functions that can be used to delete files or directories. Malware uses this to break systems and to cover its tracks. |
JsHeapSpray | The file likely contains heap spray code. |
PossibleLocker | The file shows evidence of an attempt to lock users out of common tools through policy settings. Malware does this to retain persistence and to make detection and cleanup more difficult. |
RegistryManipulation | The file imports functions that are used to manipulate the Windows registry. Malware does this to attain persistence, avoid detection, and for many other reasons. |
SeBackupPrivilege | The PE might attempt to read files to which it has not been granted access. SeBackupPrivilege allows reading files regardless of their access control lists. It is normally used by backup software and is limited to administrative users by default, but it can be used maliciously to read specific files that would otherwise be difficult to access. |
SeDebugPrivilege | The PE might attempt to tamper with system processes. SeDebugPrivilege allows opening any process, including those owned by other users or by the system, regardless of that process's security descriptor, and is limited to administrative users by default. It is often paired with imports for reading from and writing to other processes' memory. |
SeRestorePrivilege | The PE might attempt to change or delete files to which it has not been granted access. SeRestorePrivilege allows writing to files regardless of their access control lists. |
ServiceControlImports | The file imports functions that can control Windows services on the current system. Malware uses this either to launch itself into the background via installing as a service, or to disable other services that may have a protective function. |
SkylinedHeapSpray | The file contains an unmodified copy of SkyLined's heap spray code. |
SpawnProcessImports | The PE imports functions that can be used to spawn another process. Malware uses this to launch subsequent phases of an infection, typically downloaded from the Internet. |
StringJsExploit | The file contains JavaScript code that is likely capable of exploitation. |
StringJsObfuscation | The file contains JavaScript obfuscation tokens. |
TerminateProcessImports | The file imports functions that can be used to stop a running process. Malware uses this to attempt to remove protection systems, or to cause damage to a running system. |
trigger_AutoClose | The VBA script within the file is likely trying to execute automatically when the file is closing. |
trigger_Auto_Close | The VBA script within the file is likely trying to execute automatically when the file is closing. |
trigger_AutoExec | The VBA script within the file is likely trying to execute automatically when Microsoft Word starts or when the file is loaded as a global template. |
trigger_AutoExit | The VBA script within the file is likely trying to execute automatically when Microsoft Word exits or when the file is unloaded as a global template. |
trigger_AutoNew | The VBA script within the file is likely trying to execute automatically when a new file is being created. |
trigger_AutoOpen | The VBA script within the file is likely trying to execute as soon as the file is opened. |
trigger_Auto_Open | The VBA script within the file is likely trying to execute as soon as the file is opened. |
trigger_DocumentBeforeClose | The VBA script within the file is likely trying to execute automatically just before the file closes. |
trigger_DocumentChange | The VBA script within the file is likely trying to execute automatically whenever the active document changes, that is, when a document is created, opened, or switched to. |
trigger_Document_Close | The VBA script within the file is likely trying to execute automatically when the file is closing. |
trigger_Document_New | The VBA script within the file is likely trying to execute automatically when a new file is being created. |
trigger_DocumentOpen | The VBA script within the file is likely trying to execute as soon as the file is opened. |
trigger_Document_Open | The VBA script within the file is likely trying to execute as soon as the file is opened. |
trigger_NewDocument | The VBA script within the file is likely trying to execute automatically when a new file is being created. |
trigger_Workbook_Close | The VBA script within the file is likely trying to execute automatically when a Microsoft Excel workbook is closing. |
trigger_Workbook_Open | The VBA script within the file is likely trying to execute automatically when a Microsoft Excel workbook is opening. |
UserManagementImports | The file imports functions that can be used to manage user accounts on the local system: adding or deleting accounts, or changing key account details. Malware can use this capability to achieve persistence or to cause harm to the local system. |
VirtualAllocImports | The file imports functions that allocate memory in a running process, including, for some of these functions, a process other than the caller. Malware does this to inject code into a running process. |
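To make the three kinds of evidence in this table concrete, the following is an added example (not the vendor's detection code) of how the `*Imports`, `Se*Privilege` and `trigger_*` indicators can be derived from a file. The Win32 API lists assigned to each indicator, the privilege-string check, and the VBA procedure-name list are this example's own assumptions about what such indicators look for, as are the sample import list, byte string and VBA source, which are constructed here. A real implementation would take the import names from a PE parser such as `pefile` and the VBA source from a tool such as `olevba`.

```python
"""Toy derivation of a few 'Destruction' indicators (added example, not product code)."""
from __future__ import annotations
import re
from typing import Iterable

# Assumed API groups behind the *Imports indicators. A/W suffixes are stripped
# before matching so that both ANSI and wide variants count.
IMPORT_INDICATORS: dict[str, set[str]] = {
    "FileDirDeleteImports": {"DeleteFile", "RemoveDirectory", "SHFileOperation"},
    "TerminateProcessImports": {"TerminateProcess", "NtTerminateProcess"},
    "SpawnProcessImports": {"CreateProcess", "CreateProcessAsUser", "ShellExecute", "WinExec"},
    "VirtualAllocImports": {"VirtualAlloc", "VirtualAllocEx", "NtAllocateVirtualMemory"},
    "ServiceControlImports": {"OpenSCManager", "CreateService", "StartService", "ControlService", "DeleteService"},
    "RegistryManipulation": {"RegSetValueEx", "RegCreateKeyEx", "RegDeleteKey", "RegDeleteValue"},
    "UserManagementImports": {"NetUserAdd", "NetUserDel", "NetUserSetInfo", "NetLocalGroupAddMembers"},
}
_ALL_API_NAMES = set().union(*IMPORT_INDICATORS.values())

# Privilege names are not imports: they are string arguments to LookupPrivilegeValue.
PRIVILEGE_STRINGS = {b"SeDebugPrivilege", b"SeBackupPrivilege", b"SeRestorePrivilege"}

# Word/Excel auto-execution procedure names (the trigger_* rows). Word Application
# events are declared on a WithEvents variable, so they appear as <var>_<Event>.
VBA_TRIGGERS = {"AutoOpen", "Auto_Open", "AutoClose", "Auto_Close", "AutoExec", "AutoExit",
                "AutoNew", "Document_Open", "Document_Close", "Document_New",
                "Workbook_Open", "Workbook_Close"}
VBA_APP_EVENTS = {"DocumentOpen", "DocumentBeforeClose", "DocumentChange", "NewDocument"}
_SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)\s*\(", re.IGNORECASE | re.MULTILINE)


def _strip_aw(name: str) -> str:
    """RegSetValueExW -> RegSetValueEx; names without an A/W variant are untouched."""
    if len(name) > 1 and name[-1] in "AW" and name[:-1] in _ALL_API_NAMES:
        return name[:-1]
    return name


def classify_imports(imports: Iterable[str]) -> set[str]:
    """Return the *Imports indicators whose assumed API group intersects the import list."""
    names = {_strip_aw(n) for n in imports}
    return {ind for ind, apis in IMPORT_INDICATORS.items() if names & apis}


def classify_strings(data: bytes) -> set[str]:
    """Return Se*Privilege indicators; privilege names may be ASCII or UTF-16LE in a binary."""
    found = set()
    for needle in PRIVILEGE_STRINGS:
        if needle in data or needle.decode().encode("utf-16-le") in data:
            found.add(needle.decode())
    return found


def injection_chain(imports: Iterable[str], data: bytes) -> bool:
    """SeDebugPrivilege paired with cross-process read/write: only flag the full chain."""
    names = {_strip_aw(n) for n in imports}
    return ("SeDebugPrivilege" in classify_strings(data)
            and "OpenProcess" in names
            and "WriteProcessMemory" in names
            and bool(names & {"VirtualAllocEx", "NtAllocateVirtualMemory"})
            and bool(names & {"CreateRemoteThread", "NtCreateThreadEx"}))


def find_vba_triggers(vba_source: str) -> set[str]:
    """Return trigger_* indicators for auto-executing Sub procedures (VBA is case-insensitive)."""
    direct = {t.lower(): t for t in VBA_TRIGGERS}
    app_events = {t.lower(): t for t in VBA_APP_EVENTS}
    found = set()
    for m in _SUB_RE.finditer(vba_source):
        name = m.group(1).lower()
        if name in direct:
            found.add("trigger_" + direct[name])
        else:
            suffix = name.rpartition("_")[2]       # oapp_documentbeforeclose -> documentbeforeclose
            if suffix in app_events:
                found.add("trigger_" + app_events[suffix])
    return found


# Constructed sample inputs (not taken from any real file).
SAMPLE_IMPORTS = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                  "DeleteFileW", "RegSetValueExA", "CreateProcessW"]
SAMPLE_BYTES = b"\x00AdjustTokenPrivileges\x00" + "SeDebugPrivilege".encode("utf-16-le") + b"\x00"
SAMPLE_VBA = """\
Private Sub Document_Open()
    Call Payload
End Sub
Sub AutoClose()
End Sub
Private Sub oApp_DocumentBeforeClose(ByVal Doc As Document, Cancel As Boolean)
End Sub
"""

if __name__ == "__main__":
    print(sorted(classify_imports(SAMPLE_IMPORTS) | classify_strings(SAMPLE_BYTES)))
    print("injection chain:", injection_chain(SAMPLE_IMPORTS, SAMPLE_BYTES))
    print(sorted(find_vba_triggers(SAMPLE_VBA)))
```

The `injection_chain` check shows why an indicator such as `SeDebugPrivilege` is more useful in combination than alone: a debugger or backup tool legitimately requests the privilege, whereas requesting it alongside `OpenProcess`, `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` is the classic remote-injection pattern. The VBA matcher deliberately keys on procedure names rather than on the word "Auto" appearing anywhere, so a comment or string mentioning `AutoOpen` does not raise a trigger indicator.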