List of anomalies

This help page describes all anomalies currently implemented inside Malcat’s Anomaly scanner.

Note: this list has been automatically generated on 2023-04-27 15:05:37.

Code

AutoExecLabel
  level: ERROR | category: code | filetype: Office.Workbook8 | architecture: any | defined in: data/anomalies/Workbook8.py
  Contains a macro which will be executed automatically

HasFormula
  level: WARN | category: code | filetype: Office.Workbook8 | architecture: any | defined in: data/anomalies/Workbook8.py
  Excel document contains macros

HugeFormula
  level: WARN | category: code | filetype: Office.Workbook8 | architecture: any | defined in: data/anomalies/Workbook8.py
  Excel document contains a large and complex macro

CrossSectionJump
  level: ERROR | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  Control flow jumps across sections; could be a packed file, a patched file or a file infector

EntryPointInNonExecRegion
  level: ERROR | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  EntryPoint symbol is set and points to a non-executable region

HighXrefLoopingFunction
  level: TRACE | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  Function contains a loop and has a lot of incoming references (string decryption candidate)

HugeFunctionGapAtSectionBoundary
  level: ODD | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  There is a huge gap between the start/end of an executable section and the first/last function of that section, with medium-to-high entropy (and not a known structure). It often means that data is stored there

HugeGapBetweenFunctions
  level: ODD | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  There is a huge gap with medium-to-high entropy between two functions; this often means that data is stored there

NonAsciiFunctionName
  level: WARN | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  Function with a non-ASCII name, used by some packers

SequentialFunction
  level: TRACE | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  Function with very few intra-function jumps and calls; usually a crypto function, unrolled loops or data initialisation

SpaghettiFunction
  level: TRACE | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  Function with lots of intra-function jumps; could be obfuscated

StackArrayInitialisationX64
  level: WARN | category: code | filetype: any | architecture: X64 | defined in: data/anomalies/code.py
  An array of data is dynamically built on the stack, sometimes used to build shellcode or strings

StackArrayInitialisationX86
  level: WARN | category: code | filetype: any | architecture: X86 | defined in: data/anomalies/code.py
  An array of data is dynamically built on the stack, sometimes used to build shellcode or strings

XorInLoop
  level: WARN | category: code | filetype: any | architecture: any | defined in: data/anomalies/code.py
  XOR instruction in a loop

ContainsJavascript
  level: ERROR | category: code | filetype: PDF | architecture: any | defined in: data/anomalies/PDF.py
  PDF file contains JavaScript code

HiddenOpenAction
  level: ERROR | category: code | filetype: PDF | architecture: any | defined in: data/anomalies/PDF.py
  PDF file defines an action to be executed when the document is opened, and the action object is not visible (most likely hidden in an ObjStm)

OpenAction
  level: ODD | category: code | filetype: PDF | architecture: any | defined in: data/anomalies/PDF.py
  PDF file defines an action to be executed when the document is opened

DangerousProgram
  level: WARN | category: code | filetype: LNK | architecture: any | defined in: data/anomalies/LNK.py
  Shortcut points to a dangerous program

EmptyVbaProjectStream
  level: ERROR | category: code | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  The _VBAPROJECT stream is empty, a sign of VBA purging

HasVisualBasicProject
  level: ERROR | category: code | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  Document contains a Visual Basic project

VbaModuleWithoutPerformanceCache
  level: ERROR | category: code | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  The size of the performance cache of a VBA module is zero, a sign of VBA purging

Headers

HasHiddenSheet
  level: ERROR | category: headers | filetype: Office.Workbook8 | architecture: any | defined in: data/anomalies/Workbook8.py
  Excel document contains a hidden or very hidden sheet

DemoAce
  level: WARN | category: headers | filetype: ACE | architecture: any | defined in: data/anomalies/ACE.py
  Packed using a demo version of the ACE compressor

LocalFileAndCentralDirectoryFieldDifferent
  level: ERROR | category: headers | filetype: ZIP | architecture: any | defined in: data/anomalies/ZIP.py
  A local file header field differs from the corresponding central directory field

UnknownPkzipVersion
  level: ODD | category: headers | filetype: ZIP | architecture: any | defined in: data/anomalies/ZIP.py
  File version is zero

ObjectStream
  level: ODD | category: headers | filetype: PDF | architecture: any | defined in: data/anomalies/PDF.py
  A stream containing PDF objects. It is a standard PDF feature, but it could hide objects from static signatures. You should unpack this stream

DataBetweenHeaderAndFirstSection
  level: WARN | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  There is non-zero data between the PE header and the first section

EmptyDebugPath
  level: ERROR | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Debug path is empty (most likely tampered with)

GuiSubsystemNoWindowApi
  level: ODD | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A GUI Windows application does not import any user32 window-related function

PeHeaderAfterFirstSection
  level: WARN | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  The PE header structure is located after the first section's physical address

SectionTableAfterFirstSection
  level: WARN | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  The section table is located after the first section's physical address

WeirdDebugInfoType
  level: WARN | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  The debug information is not in the usual format

WeirdNumberOfRvaAndSizes
  level: ERROR | category: headers | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  The NumberOfRvaAndSizes field has an unusual value

CLRDuplicatedStream
  level: ERROR | category: headers | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Stream name is not unique (Confuser)

CLRMetadataHeaderExtraDword
  level: ERROR | category: headers | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Extra dword present in #~ header (Confuser)

UnusualMetadataTable
  level: ERROR | category: headers | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Obsolete metadata table name has been found

UnusualStreamName
  level: ERROR | category: headers | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Stream with an unusual name has been found

OddSize
  level: ODD | category: headers | filetype: any | architecture: any | defined in: data/anomalies/images.py
  Width or height of image is odd

Hidden
  level: WARN | category: headers | filetype: LNK | architecture: any | defined in: data/anomalies/LNK.py
  Command window is hidden at startup

TargetChanged
  level: ERROR | category: headers | filetype: LNK | architecture: any | defined in: data/anomalies/LNK.py
  The target specified in the property store is not the same as the current .lnk target. It was most likely changed after .lnk creation

DeletedDirectoryEntry
  level: ODD | category: headers | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  A non-final directory entry is unallocated

NonAsciiDirectoryName
  level: WARN | category: headers | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  The name of a directory entry is not ASCII

Strings

BigStringHiScore
  level: WARN | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String has more than 256 characters and a high interest score

DynamicDllString
  level: ERROR | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String is constructed dynamically and is a Windows DLL name; most likely used by malicious shellcode

DynamicString
  level: WARN | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String is constructed dynamically

FewStrings
  level: ODD | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  File does not have many identified strings (less than 1% of the file is composed of strings)

HugeStringBase64
  level: ERROR | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String has more than 4096 characters and base64 encoding

HugeStringBinary
  level: ERROR | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String has more than 1024 characters and binary encoding

HugeStringHexa
  level: ERROR | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String has more than 1024 characters and hexadecimal encoding

ManyBase64Strings
  level: WARN | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  File contains many base64 strings

VeryHugeString
  level: ODD | category: strings | filetype: any | architecture: any | defined in: data/anomalies/strings.py
  String has more than 65k characters

NoUserString
  level: ERROR | category: strings | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  No user string could be found

Entropy

BssNonEmpty
  level: WARN | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/misc.py
  BSS region/section is not empty

HighEntropy
  level: ODD | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/misc.py
  File has high entropy overall (> 200)

RegionHighEntropy
  level: TRACE | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/misc.py
  Region/section has high entropy overall (> 200)

UnknownOverlayMediumToHighEntropy
  level: WARN | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/misc.py
  File contains an overlay which is not of a known type and has medium-to-high entropy

BloatedExecutableFile
  level: WARN | category: entropy | filetype: ZIP | architecture: any | defined in: data/anomalies/ZIP.py
  ZIP file contains an executable with a huge compression ratio (> 20x), most likely to abuse sandbox upload size limits

BigBufferNoXrefMediumToHighEntropy
  level: WARN | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/xref.py
  A medium-to-high-entropy 10KB+ buffer which is not part of a known structure and has no cross-reference pointing inside it: most likely a big crypto data block. The file must have at least one function for this anomaly to run

BmpHighEntropy
  level: ERROR | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/subobjects.py
  More than 10% of the file is composed of a high-entropy picture

SingleBigPictureHighEntropy
  level: ODD | category: entropy | filetype: any | architecture: any | defined in: data/anomalies/subobjects.py
  More than 10% of the file is composed of a high-entropy picture

Packers

MultiplePackers
  level: ERROR | category: packers | filetype: any | architecture: any | defined in: data/anomalies/misc.py
  File is packed using multiple packers, very suspicious

Packed
  level: ODD | category: packers | filetype: any | architecture: any | defined in: data/anomalies/misc.py
  File is packed using a legitimate or less legitimate obfuscator

Debug

GoNoPclnTable
  level: ERROR | category: debug | filetype: PE | architecture: any | defined in: data/anomalies/golang.py
  File is a Go (golang) executable but no Go pcln table could be found (maybe stripped or modified)

Embedding

ExeInAce
  level: ERROR | category: embedding | filetype: ACE | architecture: any | defined in: data/anomalies/ACE.py
  ACE is an outdated compression format. An archive containing executables is most likely malware

VBFormMostlyPicture
  level: ERROR | category: embedding | filetype: PE | architecture: PCODE | defined in: data/anomalies/vb.py
  A VB form is composed mostly of a single 10KB+ picture. Some obfuscators put the payload inside form pictures

EmbeddedFile
  level: ERROR | category: embedding | filetype: PDF | architecture: any | defined in: data/anomalies/subobjects.py
  PDF file contains a file as an attachment

EmbeddedProgram
  level: WARN | category: embedding | filetype: any | architecture: any | defined in: data/anomalies/subobjects.py
  File embeds a program

WayMorePicturesThanWordText
  level: TRACE | category: embedding | filetype: Office.Word | architecture: any | defined in: data/anomalies/subobjects.py
  The ratio of text size to picture size is < 0.1

EmbeddedFileNonPicture
  level: ERROR | category: embedding | filetype: ONE | architecture: any | defined in: data/anomalies/ONE.py
  OneNote document embeds a file which is not a recognized picture

HasOverlay
  level: ERROR | category: embedding | filetype: LNK | architecture: any | defined in: data/anomalies/LNK.py
  Shortcut has an overlay

OleNative
  level: ERROR | category: embedding | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  File embeds an OLE object

Resources

BigResourceHighEntropy
  level: ODD | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/resources.py
  File contains a big (10% of the file or > 10K) high-entropy resource

HugeResource
  level: TRACE | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/resources.py
  More than 33% of the file is composed of non-zero-entropy 10KB+ resources

NonAsciiResourceName
  level: WARN | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/resources.py
  File contains resources with non-ASCII names, used by some packers

ExtraSpaceAfterResourcesDataDirectory
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Extra physical data in the .rsrc section after the resource directory data

ExtraSpaceBeforeResourcesDataDirectory
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Extra physical data in the .rsrc section before the resource directory data

InvalidVersionInfoKey
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A version information key is wrong

PictureResourceWrongType
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  An ICO/BMP/PNG/JPEG resource entry does not contain a valid image file (or only a partial one)

RcdataNoDelphi
  level: ODD | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  File contains an RCDATA resource and is not a Delphi application

ResourceDirectoryGap
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  There is a space (bigger than 15 bytes) inside the resource directory region which is not occupied by a resource

UnknownResourceLanguage
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A resource language is not standard

UnknownRootResourceDirectoryId
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A root resource directory ID is not standard

UnparsedVersionInfo
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Version information was not fully parsed

UnsupportedFixedVersionValue
  level: ERROR | category: resources | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A field in the fixed version info has an unknown/unsupported value; may indicate version info tampering

Imports

VBExternalApi
  level: WARN | category: imports | filetype: PE | architecture: X86 | defined in: data/anomalies/vb.py
  VB project uses external Win32 APIs (most likely via DllFunctionCall)

CryptoApiUsage
  level: ODD | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/symbols.py
  Crypto-related APIs are used

DelayImports
  level: WARN | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/symbols.py
  There are delay imports

DotnetCryptoApiUsage
  level: WARN | category: imports | filetype: PE | architecture: DOTNET | defined in: data/anomalies/symbols.py
  Assembly uses typical methods for encrypting/decrypting data

DotnetDownloaderApiUsage
  level: WARN | category: imports | filetype: PE | architecture: DOTNET | defined in: data/anomalies/symbols.py
  Assembly uses typical methods for downloading data

DotnetDynamicLoadingApiUsage
  level: WARN | category: imports | filetype: PE | architecture: DOTNET | defined in: data/anomalies/symbols.py
  Assembly uses typical methods for dynamic code loading

DownloaderApiUsage
  level: ODD | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/symbols.py
  Downloader-related APIs are used

PossibleDownloaderApiDynamicImport
  level: ERROR | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/symbols.py
  A downloader-related API (recv, InternetConnect, etc.) is present as a string in the binary, but is not imported

PossiblePackerApiDynamicImport
  level: ERROR | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/symbols.py
  A packer-related API (VirtualProtect, ResumeThread, etc.) is present as a string in the binary, but is not imported

UnreferencedImports
  level: WARN | category: imports | filetype: any | architecture: any | defined in: data/anomalies/xref.py
  More than half of the imports are not referenced; this could mean that the APIs are just decoys, or that the file is packed

EmptyImportTable
  level: ERROR | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Import Table is empty (no valid thunk)

NoImportTable
  level: ERROR | category: imports | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  No valid Import Table found

DynamicAssemblyLoadingApi
  level: WARN | category: imports | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Extra dword present in #~ header (Confuser)

ExternalModule
  level: WARN | category: imports | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Assembly uses external modules

NativeMethods
  level: WARN | category: imports | filetype: PE | architecture: DOTNET | defined in: data/anomalies/dotnet.py
  Assembly imports native methods

Time

FileTimeIsZero
  level: TRACE | category: time | filetype: ZIP | architecture: any | defined in: data/anomalies/ZIP.py
  A file/central directory time is zero

DebugTimeDateStampInTheFuture
  level: ERROR | category: time | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Debug TimeDateStamp is in the future

DebugTimeDifferentThanTimeDateStamp
  level: WARN | category: time | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Difference between PE TimeDateStamp and Debug TimeDateStamp is bigger than 1 year (and both are set)

ExportTimeDateStampInTheFuture
  level: ERROR | category: time | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Export TimeDateStamp is in the future

ExportTimeDifferentThanTimeDateStamp
  level: ODD | category: time | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Difference between PE TimeDateStamp and export TimeDateStamp is bigger than 10 minutes (and both are set)

TimeDateStampInTheFuture
  level: ERROR | category: time | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  PE TimeDateStamp is in the future

TimeDateStampZero
  level: TRACE | category: time | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  PE TimeDateStamp is not set

DirectoryTimeStampInTheFuture
  level: ERROR | category: time | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  Directory timestamp is in the future

Sections

CodeSectionNotExecutable
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Code section is not executable

DllNoRelocation
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  DLL has no relocation information

DuplicatedSectionName
  level: ODD | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Section name has already been used earlier in the section table

ExecutableSectionNoCode
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Executable section does not have the CODE flag set

InvalidBaseOfCode
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  At least one code section starts before BaseOfCode, or BaseOfCode is not the start of a code section

InvalidBaseOfData
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  At least one data section starts before BaseOfData, or BaseOfData is not the start of a data section

InvalidSizeOfCode
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  SizeOfCode is not the sum of all code sections (raw or virtual)

InvalidSizeOfInitializedData
  level: ODD | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  SizeOfInitializedData is not the sum of all initialized data sections (raw or virtual)

InvalidSizeOfUninitializedData
  level: ODD | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  SizeOfUninitializedData is not the sum of all uninitialized data sections (raw or virtual)

LotsOfSections
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  More than 96 sections (Windows XP's maximum) in the PE

PointerToRawDataNotAligned
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  PointerToRawData is not aligned to FileAlignment

PurelyPhysicalSection
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A section is physical-only and will thus not be mapped in memory

PurelyVirtualExecutableSection
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  A section is virtual-only and executable (packer?)

RelocSectionNoRelocation
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  .reloc section does not contain relocations

RelocationsNotInRelocSection
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Relocations are not in .reloc

SectionEmptyName
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Section name is null

SectionGap
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  There is a physical gap between two sections

SectionMostlyVirtual
  level: ODD | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Section is composed mostly of virtual space

SectionNameUnknown
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Section name is not one of the typical PE section names

SectionReservedCharacteritics
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Reserved flags are set in the section characteristics

SectionWX
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Section is executable and writeable

SectionWeirdRights
  level: WARN | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Section has a standard name but its rights are not the usual ones (like .text not having +X)

SizeOfRawDataNotAligned
  level: ERROR | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  SizeOfRawData is not aligned to FileAlignment

UnbalancedVirtualPhysicalRatio
  level: TRACE | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Huge difference between the physical and virtual size of a section

WeirdFileAlignment
  level: ODD | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  FileAlignment is neither 512 nor 4096

WeirdSectionAlignment
  level: ODD | category: sections | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  SectionAlignment is neither 4096 nor 8192

StrippedSections
  level: WARN | category: sections | filetype: ELF | architecture: any | defined in: data/anomalies/ELF.py
  Sections have been stripped

Exports

DllNoExportTable
  level: ERROR | category: exports | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  No valid ExportDirectory found and the PE is a DLL

EmptyExportTable
  level: ERROR | category: exports | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Export Table is empty (no valid export, but an ExportDirectory was found)

Integrity

InvalidChecksum
  level: ERROR | category: integrity | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  PE header checksum is wrong

NoChecksum
  level: TRACE | category: integrity | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  PE header checksum is not set

NoValidCertificate
  level: ERROR | category: integrity | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Certificate data directory does not point to a valid certificate (maybe corrupted?)

TruncatedFile
  level: ERROR | category: integrity | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Some or all section bytes are not present on disk (Windows may not load it)

UnsignedMicrosoft
  level: ERROR | category: integrity | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Version information says it is a Microsoft file but no certificate has been found

Rich

RichExportNoExportTable
  level: WARN | category: rich | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Export entry in Rich header but no export table present

RichMultipleLinkers
  level: WARN | category: rich | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Multiple linker entries in Rich header

RichUnknownTool
  level: ODD | category: rich | filetype: PE | architecture: any | defined in: data/anomalies/PE.py
  Tool entry is not known (either a new version or it has been patched)

Metadata

CreatedInsideVirtualMachine
  level: WARN | category: metadata | filetype: LNK | architecture: any | defined in: data/anomalies/LNK.py
  According to tracker data, the .lnk file was generated inside a VM

Cryptography

EncryptedRegion
  level: WARN | category: cryptography | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  File is encrypted

Exploit

VulnerableFileType
  level: ERROR | category: exploit | filetype: CFB | architecture: any | defined in: data/anomalies/CFB.py
  File type is known to be exploited in the wild