Shellcodes
These indicators flag situations where a small piece of code is used as the payload in the exploitation of a software vulnerability. Such code is called shellcode because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.
| Indicator | Description |
|---|---|
| ApiHashing | The file contains a byte sequence that looks like shellcode that tries to stealthily find library APIs loaded in memory. |
| BlackholeV2 | The file looks like it might have come from the Blackhole exploit kit. |
| ComplexGotoEmbed | The file may be able to force the browser to go to an address or to perform an action. |
| ComplexSuspiciousHeaderLocation | The PDF header is located at a non-zero offset, which may indicate an attempt to prevent this file from being recognized as a PDF document. |
| EmbeddedTiff | The file may contain a crafted TIFF image with a NOP sled to facilitate exploitation. |
| EmbeddedXDP | The file likely contains another PDF as an XML Data Package (XDP). |
| FindKernel32Base1 | The file contains a byte sequence that looks like shellcode that tries to locate kernel32.dll in memory. |
| FindKernel32Base2 | The file contains a byte sequence that looks like shellcode that tries to locate kernel32.dll in memory. |
| FindKernel32Base3 | The file contains a byte sequence that looks like shellcode that tries to locate kernel32.dll in memory. |
| FunctionPrologSig | The file contains a byte sequence that is a typical function prolog, and likely contains shellcode. |
| GetEIP1 | The file contains a byte sequence that looks like shellcode that resolves its own address to locate other things in memory and facilitate exploitation. |
| GetEIP4 | The file contains a byte sequence that looks like shellcode that resolves its own address to locate other things in memory and facilitate exploitation. |
| IndirectFnCall1 | The file contains a byte sequence that looks like an indirect function call, and is likely shellcode. |
| IndirectFnCall2 | The file contains a byte sequence that looks like an indirect function call, and is likely shellcode. |
| IndirectFnCall3 | The file contains a byte sequence that looks like an indirect function call, and is likely shellcode. |
| SehSig | The file contains a byte sequence that is typical for Structured Exception Handling (SEH), and likely contains shellcode. |
| StringLaunchActionBrowser | The file may be able to force the browser to go to an address or to perform an action. |
| StringLaunchActionShell | The file may be able to execute shell actions. |
| StringSingExploit | The file might contain an exploit. |