List of anomalies
This help page describes all anomalies currently implemented inside Malcat’s Anomaly scanner.
Note
This list has been automatically generated on 2023-04-27 15:05:37.
Code
AutoExecLabel
- level
ERROR
- category
code
- filetype
Office.Workbook8
- architecture
- defined in
data/anomalies/Workbook8.py
Contains a macro which is executed automatically when the workbook is opened
HasFormula
- level
WARN
- category
code
- filetype
Office.Workbook8
- architecture
- defined in
data/anomalies/Workbook8.py
Excel document contains formulas (Excel 4.0 macros)
HugeFormula
- level
WARN
- category
code
- filetype
Office.Workbook8
- architecture
- defined in
data/anomalies/Workbook8.py
Excel document contains a large and complex macro
CrossSectionJump
- level
ERROR
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
Control flow jumps across sections; could be a packed file, a patched file or a file infector
EntryPointInNonExecRegion
- level
ERROR
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
EntryPoint symbol is set and points to a non-executable region
HighXrefLoopingFunction
- level
TRACE
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
Function contains a loop and has a lot of incoming references (string decryption candidate)
HugeFunctionGapAtSectionBoundary
- level
ODD
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
There is a huge gap, with medium-to-high entropy and not part of a known structure, between the start/end of an executable section and its first/last function. It often means that data is stored there
HugeGapBetweenFunctions
- level
ODD
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
There is a huge gap with medium-to-high entropy between two functions; it often means that data is stored there
NonAsciiFunctionName
- level
WARN
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
Function with a non-ASCII name, used by some packers
SequentialFunction
- level
TRACE
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
Function with very few intra-function jumps and calls; usually a crypto function, an unrolled loop or data initialisation
SpaghettiFunction
- level
TRACE
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
Function with lots of intra-function jumps; could be obfuscated
StackArrayInitialisationX64
- level
WARN
- category
code
- filetype
- architecture
X64
- defined in
data/anomalies/code.py
An array of data is built dynamically on the stack, sometimes used to build shellcode or strings
StackArrayInitialisationX86
- level
WARN
- category
code
- filetype
- architecture
X86
- defined in
data/anomalies/code.py
An array of data is built dynamically on the stack, sometimes used to build shellcode or strings
XorInLoop
- level
WARN
- category
code
- filetype
- architecture
- defined in
data/anomalies/code.py
XOR instruction in a loop
ContainsJavascript
- level
ERROR
- category
code
- filetype
PDF
- architecture
- defined in
data/anomalies/PDF.py
PDF file contains javascript code.
OpenAction
- level
ODD
- category
code
- filetype
PDF
- architecture
- defined in
data/anomalies/PDF.py
PDF file defines an action to be executed when document is opened.
DangerousProgram
- level
WARN
- category
code
- filetype
LNK
- architecture
- defined in
data/anomalies/LNK.py
Shortcut points to a dangerous program
EmptyVbaProjectStream
- level
ERROR
- category
code
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
The _VBAPROJECT stream is empty, a sign of VBA Purging
HasVisualBasicProject
- level
ERROR
- category
code
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
Document contains a Visual Basic (VBA) project
VbaModuleWithoutPerformanceCache
- level
ERROR
- category
code
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
The size of the performance cache of a VBA module is zero, a sign of VBA Purging
Headers
DemoAce
- level
WARN
- category
headers
- filetype
ACE
- architecture
- defined in
data/anomalies/ACE.py
Packed using a demo version of the ACE compressor
LocalFileAndCentralDirectoryFieldDifferent
- level
ERROR
- category
headers
- filetype
ZIP
- architecture
- defined in
data/anomalies/ZIP.py
A local file header field differs from the corresponding central directory field
UnknownPkzipVersion
- level
ODD
- category
headers
- filetype
ZIP
- architecture
- defined in
data/anomalies/ZIP.py
The version field is zero
ObjectStream
- level
ODD
- category
headers
- filetype
PDF
- architecture
- defined in
data/anomalies/PDF.py
A stream containing PDF objects. It is a standard PDF feature, but it could hide objects from static signatures. You should unpack this stream.
DataBetweenHeaderAndFirstSection
- level
WARN
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
There is non-zero data between the PE header and the first section
EmptyDebugPath
- level
ERROR
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Debug path is empty (most likely tampered)
GuiSubsystemNoWindowApi
- level
ODD
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A GUI windows application does not import any user32 window-related function
PeHeaderAfterFirstSection
- level
WARN
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
The PE header structure is located after the first section’s physical address
SectionTableAfterFirstSection
- level
WARN
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
The section table is located after the first section’s physical address
WeirdDebugInfoType
- level
WARN
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
The debug information is not in the usual format
WeirdNumberOfRvaAndSizes
- level
ERROR
- category
headers
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
The NumberOfRvaAndSizes field has an unusual value (normally 16)
CLRDuplicatedStream
- level
ERROR
- category
headers
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Stream name is not unique (confuser)
CLRMetadataHeaderExtraDword
- level
ERROR
- category
headers
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Extra dword present in #~ header (confuser)
UnusualMetadataTable
- level
ERROR
- category
headers
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Obsolete metadata table name has been found
UnusualStreamName
- level
ERROR
- category
headers
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Stream with unusual name has been found
OddSize
- level
ODD
- category
headers
- filetype
- architecture
- defined in
data/anomalies/images.py
Width or height of image is odd
TargetChanged
- level
ERROR
- category
headers
- filetype
LNK
- architecture
- defined in
data/anomalies/LNK.py
The target specified in the property store is not the same as the current lnk target. It was most likely changed after .lnk creation
DeletedDirectoryEntry
- level
ODD
- category
headers
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
A non-final directory entry is unallocated
NonAsciiDirectoryName
- level
WARN
- category
headers
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
The name of a directory entry is not ASCII
Strings
BigStringHiScore
- level
WARN
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String has more than 256 characters and a high interest score
DynamicDllString
- level
ERROR
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String is constructed dynamically and is a Windows DLL name; most likely used by shellcode
DynamicString
- level
WARN
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String is constructed dynamically
FewStrings
- level
ODD
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
File does not have many identified strings (less than 1% of the file is composed of strings)
HugeStringBase64
- level
ERROR
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String has more than 4096 characters and is base64-encoded
HugeStringBinary
- level
ERROR
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String has more than 1024 characters and is binary-encoded
HugeStringHexa
- level
ERROR
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String has more than 1024 characters and is hex-encoded
ManyBase64Strings
- level
WARN
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
File contains many base64-encoded strings
VeryHugeString
- level
ODD
- category
strings
- filetype
- architecture
- defined in
data/anomalies/strings.py
String has more than 65k characters
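The string anomalies above are threshold checks over the strings Malcat extracts. The following is an added example, not Malcat's own code: it extracts printable ASCII runs from a buffer, classifies each string by encoding (binary, hex, base64 or plain text, in that order of specificity) and applies the length thresholds quoted in the descriptions. The "many base64 strings" threshold (10 strings of at least 32 characters) and the 65536-character floor for VeryHugeString are assumptions of this example, and the sample buffer is constructed inline.

```python
import base64
import re

# Length thresholds quoted in the anomaly descriptions; MANY_B64 and MIN_B64_LEN
# are this example's own assumptions (Malcat's real values are not documented here).
HUGE_B64, HUGE_HEX, HUGE_BIN, VERY_HUGE = 4096, 1024, 1024, 65536
MANY_B64, MIN_B64_LEN = 10, 32

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")       # printable ASCII runs of 4+ chars
BIN_RE = re.compile(r"[01]+")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def extract_strings(data):
    """Return the printable ASCII strings (4+ chars) found in a byte buffer."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]


def encoding_of(s):
    """Most specific encoding a string could be. A '01' run is also valid hex and
    base64, and a hex run is also valid base64, so test in that order."""
    if BIN_RE.fullmatch(s):
        return "binary"
    if HEX_RE.fullmatch(s) and len(s) % 2 == 0:
        return "hex"
    if B64_RE.fullmatch(s) and len(s) % 4 == 0:
        return "base64"
    return "text"


def scan_strings(strings):
    """Return (anomaly name, length-or-count) pairs for a list of strings."""
    found, b64_count = [], 0
    for s in strings:
        enc, n = encoding_of(s), len(s)
        if enc == "base64" and n >= MIN_B64_LEN:
            b64_count += 1
        if enc == "base64" and n > HUGE_B64:
            found.append(("HugeStringBase64", n))
        elif enc == "hex" and n > HUGE_HEX:
            found.append(("HugeStringHexa", n))
        elif enc == "binary" and n > HUGE_BIN:
            found.append(("HugeStringBinary", n))
        if n > VERY_HUGE:
            found.append(("VeryHugeString", n))
    if b64_count >= MANY_B64:
        found.append(("ManyBase64Strings", b64_count))
    return found


def build_sample():
    """Constructed sample buffer: a few ordinary strings plus one offender per rule."""
    parts = [
        b"kernel32.dll", b"GetProcAddress",
        base64.b64encode(bytes(range(256)) * 20),          # 6828-char base64 blob
        (bytes(range(256)) * 3).hex().encode(),            # 1536 hex chars
        b"01" * 600,                                       # 1200 "binary" chars
        *[base64.b64encode(b"constructed-sample-%02d-" % i + b"\xff" * 12)
          for i in range(12)],                             # twelve 48-char base64 strings
        b"lorem ipsum " * 6000,                            # 72000 chars of plain text
    ]
    return b"\0\0".join(parts)


if __name__ == "__main__":
    for anomaly, value in scan_strings(extract_strings(build_sample())):
        print(anomaly, value)
```

The classification order matters in practice: a long run of hex digits is also a syntactically valid base64 string, so a scanner that tests base64 first would label hex-encoded payloads as HugeStringBase64 and mis-route the analyst's decoding attempt.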
NoUserString
- level
ERROR
- category
strings
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
No user string could be found
Entropy
BssNonEmpty
- level
WARN
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/misc.py
BSS region/section is not empty
HighEntropy
- level
ODD
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/misc.py
File has high entropy overall (> 200)
RegionHighEntropy
- level
TRACE
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/misc.py
Region/section has high entropy overall (> 200)
UnknownOverlayMediumToHighEntropy
- level
WARN
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/misc.py
File contains an overlay which is not of known type and has medium-to-high entropy
BloatedExecutableFile
- level
WARN
- category
entropy
- filetype
ZIP
- architecture
- defined in
data/anomalies/ZIP.py
ZIP file contains an executable which has a huge compression ratio > 20x (most likely to abuse sandbox upload size limit)
BigBufferNoXrefMediumToHighEntropy
- level
WARN
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/xref.py
a medium-to-high-entropy 10KB+ buffer, which is not part of a known structure and has no cross-reference inside: most likely a big crypto data block. File must have at least one function for this anomaly to run
BmpHighEntropy
- level
ERROR
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/subobjects.py
More than 10% of the file is composed of a high-entropy picture
SingleBigPictureHighEntropy
- level
ODD
- category
entropy
- filetype
- architecture
- defined in
data/anomalies/subobjects.py
More than 10% of the file is composed of a high-entropy picture
Packers
MultiplePackers
- level
ERROR
- category
packers
- filetype
- architecture
- defined in
data/anomalies/misc.py
File is packed using multiple packers, very suspicious
Packed
- level
ODD
- category
packers
- filetype
- architecture
- defined in
data/anomalies/misc.py
File is packed using a legit or less-legit obfuscator
Debug
GoNoPclnTable
- level
ERROR
- category
debug
- filetype
PE
- architecture
- defined in
data/anomalies/golang.py
File is a golang executable but no golang pcln table could be found (maybe stripped / modified)
Embedding
ExeInAce
- level
ERROR
- category
embedding
- filetype
ACE
- architecture
- defined in
data/anomalies/ACE.py
ACE is an outdated compression format. An archive containing executables is most likely malware
VBFormMostlyPicture
- level
ERROR
- category
embedding
- filetype
PE
- architecture
PCODE
- defined in
data/anomalies/vb.py
a VB form is composed mostly of a single 10KB+ picture. Some obfuscators put the payload inside form pictures
EmbeddedFile
- level
ERROR
- category
embedding
- filetype
PDF
- architecture
- defined in
data/anomalies/subobjects.py
PDF file contains a file as attachment
EmbeddedProgram
- level
WARN
- category
embedding
- filetype
- architecture
- defined in
data/anomalies/subobjects.py
File embeds a program
WayMorePicturesThanWordText
- level
TRACE
- category
embedding
- filetype
Office.Word
- architecture
- defined in
data/anomalies/subobjects.py
The ratio text size / pictures size is < 0.1
EmbeddedFileNonPicture
- level
ERROR
- category
embedding
- filetype
ONE
- architecture
- defined in
data/anomalies/ONE.py
OneNote document embeds a file which is not a recognized picture
HasOverlay
- level
ERROR
- category
embedding
- filetype
LNK
- architecture
- defined in
data/anomalies/LNK.py
Shortcut has an overlay (data appended after the end of the LNK structure)
OleNative
- level
ERROR
- category
embedding
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
File embeds a native OLE object
Resources
BigResourceHighEntropy
- level
ODD
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/resources.py
File contains a big (10% of the file or > 10KB) high-entropy resource
HugeResource
- level
TRACE
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/resources.py
More than 33% of the file is composed of non-zero-entropy 10KB+ resources
NonAsciiResourceName
- level
WARN
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/resources.py
File contains resources with non-ASCII names, used by some packers
ExtraSpaceAfterResourcesDataDirectory
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Extra physical data in the .rsrc section after the resource directory data
ExtraSpaceBeforeResourcesDataDirectory
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Extra physical data in the .rsrc section before the resource directory data
InvalidVersionInfoKey
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A version information key is wrong
PictureResourceWrongType
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
An ICO/BMP/PNG/JPEG resource entry does not contain a valid image file (or only partially)
RcdataNoDelphi
- level
ODD
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
File contains an RCDATA resource and is not a Delphi application
ResourceDirectoryGap
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
There is a space (bigger than 15 bytes) inside the resource directory region which is not occupied by a resource
UnknownResourceLanguage
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A resource language is not standard
UnknownRootResourceDirectoryId
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A root resource directory ID is not standard
UnparsedVersionInfo
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Version information was not fully parsed
UnsupportedFixedVersionValue
- level
ERROR
- category
resources
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A field in the fixed version info has an unknown/unsupported value; may indicate version info tampering
Imports
VBExternalApi
- level
WARN
- category
imports
- filetype
PE
- architecture
X86
- defined in
data/anomalies/vb.py
VB project uses external Win32 APIs (most likely via DllFunctionCall)
CryptoApiUsage
- level
ODD
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/symbols.py
Crypto-related APIs are used
DelayImports
- level
WARN
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/symbols.py
There are delay imports
DotnetCryptoApiUsage
- level
WARN
- category
imports
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/symbols.py
Assembly uses typical methods for encrypting/decrypting data
DotnetDownloaderApiUsage
- level
WARN
- category
imports
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/symbols.py
Assembly uses typical methods for downloading data
DotnetDynamicLoadingApiUsage
- level
WARN
- category
imports
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/symbols.py
Assembly uses typical methods for dynamic code loading
DownloaderApiUsage
- level
ODD
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/symbols.py
Downloader-related APIs are used
PossibleDownloaderApiDynamicImport
- level
ERROR
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/symbols.py
A downloader-related API (recv, InternetConnect, etc.) is present as a string in the binary but is not imported
PossiblePackerApiDynamicImport
- level
ERROR
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/symbols.py
A packer-related API (VirtualProtect, ResumeThread, etc.) is present as a string in the binary but is not imported
UnreferencedImports
- level
WARN
- category
imports
- filetype
- architecture
- defined in
data/anomalies/xref.py
More than half of the imports are not referenced; the APIs may be decoys, or the file may be packed
EmptyImportTable
- level
ERROR
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Import Table is empty (no valid thunk)
NoImportTable
- level
ERROR
- category
imports
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
No valid Import Table found
DynamicAssemblyLoadingApi
- level
WARN
- category
imports
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Assembly uses a dynamic assembly-loading API
ExternalModule
- level
WARN
- category
imports
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Assembly uses external modules
NativeMethods
- level
WARN
- category
imports
- filetype
PE
- architecture
DOTNET
- defined in
data/anomalies/dotnet.py
Assembly imports native methods
Time
FileTimeIsZero
- level
TRACE
- category
time
- filetype
ZIP
- architecture
- defined in
data/anomalies/ZIP.py
A local file header or central directory time is zero
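ZIP archives carry every file's metadata twice, once in the local file header in front of the data and once in the central directory at the end, and tools disagree about which copy to trust. The following is an added example, not Malcat's own code, that parses both structures directly with the standard library and reports the ZIP anomalies listed on this page (LocalFileAndCentralDirectoryFieldDifferent under Headers, FileTimeIsZero above, and UnknownPkzipVersion, taken here to mean a zero "version needed to extract" field, which is an assumption). The sample archive is built in memory with `zipfile` and then patched by hand; the field offsets used for patching assume the first member's local header sits at file offset 0, which holds for archives written by `zipfile`.

```python
import io
import struct
import zipfile

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"          # local file header, 30 bytes
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"  # central directory header, 46 bytes
EOCD_FMT = "<IHHHHIIH"              # end of central directory record, 22 bytes
COMPARED = ("compression", "mod_time", "mod_date", "crc32", "compressed_size", "uncompressed_size")


def parse_local(data, off):
    sig, ver, flags, comp, mtime, mdate, crc, csize, usize, nlen, _ = struct.unpack_from(LOCAL_FMT, data, off)
    if sig != LOCAL_SIG:
        raise ValueError("bad local file header at %#x" % off)
    return dict(version=ver, flags=flags, compression=comp, mod_time=mtime, mod_date=mdate, crc32=crc,
                compressed_size=csize, uncompressed_size=usize, name=data[off + 30:off + 30 + nlen])


def parse_central(data, off):
    """Return (entry dict, offset of the next central directory entry)."""
    (sig, _, ver, flags, comp, mtime, mdate, crc, csize, usize,
     nlen, xlen, clen, _, _, _, local_off) = struct.unpack_from(CENTRAL_FMT, data, off)
    if sig != CENTRAL_SIG:
        raise ValueError("bad central directory header at %#x" % off)
    entry = dict(version=ver, flags=flags, compression=comp, mod_time=mtime, mod_date=mdate, crc32=crc,
                 compressed_size=csize, uncompressed_size=usize, name=data[off + 46:off + 46 + nlen],
                 local_off=local_off)
    return entry, off + 46 + nlen + xlen + clen


def scan_zip(data):
    """Return (anomaly, member name, detail) triples for a ZIP byte buffer."""
    eocd = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, entries, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    found, off = [], cd_off
    for _ in range(entries):
        central, off = parse_central(data, off)
        local = parse_local(data, central["local_off"])
        name = central["name"].decode("utf-8", "replace")
        if local["name"] != central["name"]:
            found.append(("LocalFileAndCentralDirectoryFieldDifferent", name, "name"))
        for field in COMPARED:
            # With flag bit 3 set, CRC and sizes live in a trailing data descriptor and
            # the local header legitimately holds zeros, so skip those three fields.
            if local["flags"] & 0x8 and field in ("crc32", "compressed_size", "uncompressed_size"):
                continue
            if local[field] != central[field]:
                found.append(("LocalFileAndCentralDirectoryFieldDifferent", name, field))
        for where, hdr in (("local", local), ("central", central)):
            if hdr["mod_time"] == 0 and hdr["mod_date"] == 0:
                found.append(("FileTimeIsZero", name, where))
            if hdr["version"] == 0:
                found.append(("UnknownPkzipVersion", name, where))
    return found


def demo():
    """Constructed sample: a clean archive and a copy whose local header was patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("payload.txt", date_time=(2023, 4, 27, 15, 5, 36))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, b"constructed sample content, not a real payload\n" * 20)
    clean = buf.getvalue()
    bad = bytearray(clean)                    # first local header is at offset 0
    bad[30:41] = b"invoice.txt"               # same-length name only in the local header
    struct.pack_into("<H", bad, 4, 0)         # version needed to extract := 0
    struct.pack_into("<HH", bad, 10, 0, 0)    # local DOS time and date := 0
    return scan_zip(clean), scan_zip(bytes(bad))


if __name__ == "__main__":
    for label, hits in zip(("clean", "tampered"), demo()):
        print(label, hits)
```

The name mismatch is the interesting case: a listing tool that walks the central directory shows `payload.txt` while an extractor that streams local headers writes `invoice.txt`. Python's own `zipfile` refuses to open such a member (it raises `BadZipFile` when the two names differ), but not every unpacker is that strict, which is why the anomaly is rated ERROR.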
DebugTimeDateStampInTheFuture
- level
ERROR
- category
time
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Debug TimeDateStamp is in the future
DebugTimeDifferentThanTimeDateStamp
- level
WARN
- category
time
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Difference between PE TimeDateStamp and Debug TimeDateStamp is bigger than 1 year (and both are set)
ExportTimeDateStampInTheFuture
- level
ERROR
- category
time
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Export TimeDateStamp is in the future
ExportTimeDifferentThanTimeDateStamp
- level
ODD
- category
time
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Difference between PE TimeDateStamp and export TimeDateStamp is bigger than 10 minutes (and both are set)
TimeDateStampInTheFuture
- level
ERROR
- category
time
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
PE TimeDateStamp is in the future
TimeDateStampZero
- level
TRACE
- category
time
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
PE TimeDateStamp is not set
DirectoryTimeStampInTheFuture
- level
ERROR
- category
time
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
Directory Timestamp is in the future
Sections
CodeSectionNotExecutable
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Code section is not executable
DllNoRelocation
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
DLL has no relocation information
DuplicatedSectionName
- level
ODD
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Section name has already been used before in the section table
ExecutableSectionNoCode
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Executable section does not have the CODE flag set
InvalidBaseOfCode
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
at least one code section starts before BaseOfCode, or BaseOfCode is not the start of a code section
InvalidBaseOfData
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
at least one data section starts before BaseOfData, or BaseOfData is not the start of a data section
InvalidSizeOfCode
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
SizeofCode is not the sum of all code sections (raw or virtual)
InvalidSizeOfInitializedData
- level
ODD
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
SizeOfInitializedData is not the sum of all initialized data sections (raw or virtual)
InvalidSizeOfUninitializedData
- level
ODD
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
SizeOfUninitializedData is not the sum of all uninitialized data sections (raw or virtual)
LotsOfSections
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
more than 96 sections (Windows XP’s maximum) in PE
PointerToRawDataNotAligned
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
PointerToRawData is not aligned to FileAlignment
PurelyPhysicalSection
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A section is physical-only and will thus not be mapped in memory
PurelyVirtualExecutableSection
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
A section is virtual-only and executable (packer?)
RelocSectionNoRelocation
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
.reloc section does not contain relocations
RelocationsNotInRelocSection
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Relocations are not in .reloc
SectionEmptyName
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Section name is null
SectionGap
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
There is a physical gap between two sections
SectionMostlyVirtual
- level
ODD
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Section is composed mostly of virtual space
SectionNameUnknown
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Section name is not one of the typical PE section names
SectionReservedCharacteritics
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Reserved flags are set in the section characteristics
SectionWX
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Section is executable and writeable
SectionWeirdRights
- level
WARN
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Section has a standard name but its rights are not the usual ones (e.g. .text without the execute flag)
SizeOfRawDataNotAligned
- level
ERROR
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
SizeOfRawData is not aligned to FileAlignment
UnbalancedVirtualPhysicalRatio
- level
TRACE
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Huge difference between the physical and virtual size of a section
WeirdFileAlignment
- level
ODD
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
FileAlignment is not 512 nor 4096
WeirdSectionAlignment
- level
ODD
- category
sections
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
SectionAlignment is not 4096 nor 8192
StrippedSections
- level
WARN
- category
sections
- filetype
ELF
- architecture
- defined in
data/anomalies/ELF.py
Sections have been stripped
Exports
DllNoExportTable
- level
ERROR
- category
exports
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
No valid ExportDirectory found and PE is a DLL
EmptyExportTable
- level
ERROR
- category
exports
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Export Table is empty (no valid export but ExportDirectory found)
Integrity
InvalidChecksum
- level
ERROR
- category
integrity
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
PE Header checksum is wrong
NoChecksum
- level
TRACE
- category
integrity
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
PE Header checksum is not set
NoValidCertificate
- level
ERROR
- category
integrity
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Certificate data directory does not point to a valid certificate (maybe corrupted?)
TruncatedFile
- level
ERROR
- category
integrity
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Some or all section bytes are not present on disk (Windows may not load it)
UnsignedMicrosoft
- level
ERROR
- category
integrity
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Version information tells us it is a Microsoft file but no certificate has been found
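Most of the PE entries under Headers, Time, Sections and Integrity are cheap consistency checks on the NT headers and the section table. The following is an added example, not Malcat's own code, that builds a minimal PE32 image in memory, then implements a representative subset of those checks with nothing but `struct`: WeirdNumberOfRvaAndSizes, WeirdFileAlignment, WeirdSectionAlignment, LotsOfSections, TimeDateStampZero/TimeDateStampInTheFuture, NoChecksum/InvalidChecksum (using the standard PE checksum algorithm), SectionEmptyName, DuplicatedSectionName, PointerToRawDataNotAligned, SizeOfRawDataNotAligned, SectionWX, ExecutableSectionNoCode, SectionReservedCharacteritics, TruncatedFile and SectionGap. The reserved-bit mask and the "now" reference time are this example's own assumptions; the sample image is constructed and contains no real code.

```python
import struct
import time

# Section characteristic flags from the PE/COFF specification. RESERVED_MASK
# (bits 0, 1, 2, 4 and 10) is this example's own constant.
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20, 0x20000000, 0x80000000
RESERVED_MASK = 0x00000417
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
SEC_FMT = "<8sIIIIIIHHI"                                           # IMAGE_SECTION_HEADER, 40 bytes


def pe_checksum(data, checksum_offset):
    """Standard PE CheckSum: one's-complement sum of 32-bit words, skipping the
    CheckSum field itself, folded to 16 bits, plus the file length."""
    length = len(data)
    data = bytes(data) + b"\0" * (-length % 4)
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:
            continue
        total += int.from_bytes(data[off:off + 4], "little")
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + length


def scan_pe(data, now=None):
    """Return the names of the header/section anomalies triggered by a PE32 image."""
    now = time.time() if now is None else now
    found = []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_FMT, data, opt_off)
    section_align, file_align, checksum, num_rva = opt[10], opt[11], opt[21], opt[29]
    if num_rva != 16:
        found.append("WeirdNumberOfRvaAndSizes")
    if file_align not in (512, 4096):
        found.append("WeirdFileAlignment")
    if section_align not in (4096, 8192):
        found.append("WeirdSectionAlignment")
    if nsec > 96:
        found.append("LotsOfSections")
    if timestamp == 0:
        found.append("TimeDateStampZero")
    elif timestamp > now:
        found.append("TimeDateStampInTheFuture")
    if checksum == 0:
        found.append("NoChecksum")
    elif checksum != pe_checksum(data, opt_off + 64):      # CheckSum is at optional header offset 64
        found.append("InvalidChecksum")
    names, spans = set(), []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            SEC_FMT, data, opt_off + opt_size + 40 * i)
        if name.rstrip(b"\0") == b"":
            found.append("SectionEmptyName")
        elif name in names:
            found.append("DuplicatedSectionName")
        names.add(name)
        if raw_ptr % file_align:
            found.append("PointerToRawDataNotAligned")
        if raw_size % file_align:
            found.append("SizeOfRawDataNotAligned")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            found.append("SectionWX")
        if flags & IMAGE_SCN_MEM_EXECUTE and not flags & IMAGE_SCN_CNT_CODE:
            found.append("ExecutableSectionNoCode")
        if flags & RESERVED_MASK:
            found.append("SectionReservedCharacteritics")
        if raw_ptr + raw_size > len(data):
            found.append("TruncatedFile")
        if raw_size:
            spans.append((raw_ptr, raw_ptr + raw_size))
    spans.sort()
    if any(nxt[0] > cur[1] for cur, nxt in zip(spans, spans[1:])):
        found.append("SectionGap")
    return found


def build_pe(sections, timestamp, file_align=512, section_align=4096):
    """Build a minimal, well-formed PE32 image (constructed sample, NOP filler, no real code)."""
    hdr_size = -(-(0x40 + 24 + 224 + 40 * len(sections)) // file_align) * file_align
    raw_ptr, va, table, body = hdr_size, 0x1000, b"", b""
    for name, size, flags in sections:
        table += struct.pack(SEC_FMT, name, size, va, size, raw_ptr, 0, 0, 0, 0, flags)
        body += b"\x90" * size
        raw_ptr += size
        va += -(-size // section_align) * section_align
    opt = struct.pack(OPT_FMT, 0x10B, 14, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                      section_align, file_align, 6, 0, 0, 0, 6, 0, 0, va, hdr_size, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    image = bytearray((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0") + body)
    cs_off = 0x40 + 24 + 64
    struct.pack_into("<I", image, cs_off, pe_checksum(image, cs_off))
    return bytes(image)


def demo(now=1_700_000_000):
    """Constructed sample: a clean two-section image and a tampered copy of it."""
    text = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000       # code, R+X
    rdata = 0x40 | 0x40000000 | IMAGE_SCN_MEM_WRITE                      # initialized data, R+W
    clean = build_pe([(b".text", 512, text), (b".data", 512, rdata)], timestamp=now - 86400)
    bad = bytearray(clean)
    struct.pack_into("<I", bad, 0x40 + 8, now + 86400)                   # TimeDateStamp one day ahead
    struct.pack_into("<I", bad, 0x40 + 24 + 92, 15)                      # NumberOfRvaAndSizes := 15
    struct.pack_into("<I", bad, 0x40 + 24 + 224 + 36, text | IMAGE_SCN_MEM_WRITE | 0x1)  # W+X + reserved bit
    return scan_pe(clean, now), scan_pe(bytes(bad[:-256]), now)          # also drop the tail of .data


if __name__ == "__main__":
    for label, hits in zip(("clean", "tampered"), demo()):
        print(label, hits)
```

Note that the checksum is recomputed over the file as it is on disk, so truncating the image or patching a single header field is enough to invalidate it; a zero CheckSum, on the other hand, is common for unsigned user-mode binaries and is therefore only TRACE level on this page.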
Rich
RichExportNoExportTable
- level
WARN
- category
rich
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Export entry in Rich header but no export table present
RichMultipleLinkers
- level
WARN
- category
rich
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Multiple linker entries in Rich header
RichUnknownTool
- level
ODD
- category
rich
- filetype
PE
- architecture
- defined in
data/anomalies/PE.py
Tool entry is not known (either a new version or has been patched)
Metadata
CreatedInsideVirtualMachine
- level
WARN
- category
metadata
- filetype
LNK
- architecture
- defined in
data/anomalies/LNK.py
According to tracker data, the .lnk file was generated inside a VM
Cryptography
EncryptedRegion
- level
WARN
- category
cryptography
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
File is encrypted
Exploit
VulnerableFileType
- level
ERROR
- category
exploit
- filetype
CFB
- architecture
- defined in
data/anomalies/CFB.py
File type is known to be exploited in the wild