List of anomalies

This help page describes all anomalies currently implemented inside Malcat’s Anomaly scanner.

Note

This list has been automatically generated on 2024-04-18 07:32:55.

Headers

DemoAce

level:

WARN

category:

headers

filetype:

ACE

architecture:

defined in:

data\anomalies\ACE.py

Packed using a demo version of the ACE compressor

DeletedDirectoryEntry

level:

ODD

category:

headers

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

A non-final directory entry is unallocated

NonAsciiDirectoryName

level:

WARN

category:

headers

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

The name of a directory entry is not ASCII

CLRDuplicatedStream

level:

ERROR

category:

headers

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Stream name is not unique (confuser)

CLRMetadataHeaderExtraDword

level:

ERROR

category:

headers

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Extra dword present in #~ header (confuser)

UnusualMetadataTable

level:

ERROR

category:

headers

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Obsolete metadata table name has been found

UnusualStreamName

level:

ERROR

category:

headers

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Stream with unusual name has been found

OddSize

level:

ODD

category:

headers

filetype:

architecture:

defined in:

data\anomalies\images.py

Width or height of image is odd

EncryptedFiles

level:

WARN

category:

headers

filetype:

InnoSetup

architecture:

defined in:

data\anomalies\INNO.py

Some files in the archive are password-encrypted

PasswordInScript

level:

ERROR

category:

headers

filetype:

InnoSetup

architecture:

defined in:

data\anomalies\INNO.py

Some files in the archive are password-encrypted and the password was found inside the install script

Hidden

level:

WARN

category:

headers

filetype:

LNK

architecture:

defined in:

data\anomalies\LNK.py

Command window is hidden at startup

TargetChanged

level:

ERROR

category:

headers

filetype:

LNK

architecture:

defined in:

data\anomalies\LNK.py

The target specified in the property store is not the same as the current lnk target. It was most likely changed after .lnk creation

ObjectStream

level:

ODD

category:

headers

filetype:

PDF

architecture:

defined in:

data\anomalies\PDF.py

A stream containing PDF objects. It is a standard PDF feature, but it could hide objects from static signatures. You should unpack this stream.

DataBetweenHeaderAndFirstSection

level:

WARN

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

There is non-zero data between the PE header and the first section

EmptyDebugPath

level:

ERROR

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

debug path is empty (most likely tampered)

GuiSubsystemNoWindowApi

level:

ODD

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

A GUI Windows application does not import any user32 window-related function

PeHeaderAfterFirstSection

level:

WARN

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

The PE header structure is located after the first section’s physical address

SectionTableAfterFirstSection

level:

WARN

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

The section table is located after the first section’s physical address

WeirdDebugInfoType

level:

WARN

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

The debug information is not in the usual format

WeirdNumberOfRvaAndSizes

level:

ERROR

category:

headers

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

the field NumberOfRvaAndSizes has a weird value

HasHiddenSheet

level:

ERROR

category:

headers

filetype:

Office.Workbook8

architecture:

defined in:

data\anomalies\Workbook8.py

Excel document contains a hidden or very hidden sheet

LocalFileAndCentralDirectoryFieldDifferent

level:

ERROR

category:

headers

filetype:

ZIP

architecture:

defined in:

data\anomalies\ZIP.py

A local file header field is different from the corresponding central directory field

UnknownCompressionMethod

level:

ERROR

category:

headers

filetype:

ZIP

architecture:

defined in:

data\anomalies\ZIP.py

Compression method of one entry is unknown (sometimes used in malicious APK to evade detection)

UnknownPkzipVersion

level:

ODD

category:

headers

filetype:

ZIP

architecture:

defined in:

data\anomalies\ZIP.py

File version is zero

ZipBomb

level:

ERROR

category:

headers

filetype:

ZIP

architecture:

defined in:

data\anomalies\ZIP.py

Compression ratio > 10000% and final size > 100MB for a file
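The four ZIP checks above (LocalFileAndCentralDirectoryFieldDifferent, UnknownCompressionMethod, UnknownPkzipVersion and ZipBomb) all come down to reading both copies of each entry's header, the local file header and the central directory record, and comparing fields against each other and against thresholds; FileTimeIsZero from the Time category falls out of the same parse. The scanner below is an added example written for this page, not Malcat's implementation from data\anomalies\ZIP.py. The list of known compression methods, the mapping of ZipBomb's two thresholds onto scan_zip's default arguments, and the sample archive (built with Python's zipfile module and then patched in place) are all assumptions made here.

```python
import io
import struct
import zipfile

# Compression methods assigned in PKWARE's APPNOTE; assumption: any other value counts as "unknown".
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 16, 18, 19, 93, 94, 95, 96, 97, 98, 99}
EOCD_SIG = b"PK\x05\x06"
CDIR = struct.Struct("<IHHHHHHIIIHHHHHII")   # 46-byte central directory file header
LOCAL = struct.Struct("<IHHHHHIIIHH")        # 30-byte local file header


def parse_entries(buf):
    """Pair every central directory record with the local header it points to."""
    eocd = buf.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end of central directory record")
    n_entries, _cd_size, pos = struct.unpack_from("<HII", buf, eocd + 10)
    entries = []
    for _ in range(n_entries):
        c = CDIR.unpack_from(buf, pos)
        if c[0] != 0x02014B50:
            raise ValueError("bad central directory signature at 0x%x" % pos)
        name_len, extra_len, comment_len, local_off = c[10], c[11], c[12], c[16]
        l = LOCAL.unpack_from(buf, local_off)
        if l[0] != 0x04034B50:
            raise ValueError("bad local header signature at 0x%x" % local_off)
        name = bytes(buf[pos + 46:pos + 46 + name_len])
        entries.append({
            "name": name.decode("utf-8", "replace"), "cdir_offset": pos, "local_offset": local_off,
            "central": dict(version_made=c[1], version_needed=c[2], flags=c[3], method=c[4], time=c[5],
                            date=c[6], crc=c[7], csize=c[8], usize=c[9], name=name),
            "local": dict(version_needed=l[1], flags=l[2], method=l[3], time=l[4], date=l[5], crc=l[6],
                          csize=l[7], usize=l[8], name=bytes(buf[local_off + 30:local_off + 30 + l[9]])),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def scan_zip(buf, bomb_ratio=100.0, bomb_size=100 * 1024 * 1024):
    """Return (anomaly, entry name) pairs; the defaults are the two ZipBomb thresholds quoted above."""
    found = []
    for e in parse_entries(buf):
        c, l = e["central"], e["local"]
        # Fields that must agree between the two header copies. With flag bit 3 set the local
        # CRC/sizes are legitimately zero (they live in a trailing data descriptor), so those
        # three are compared only when the bit is clear.
        keys = ["version_needed", "flags", "method", "time", "date", "name"]
        if not c["flags"] & 0x0008:
            keys += ["crc", "csize", "usize"]
        if any(c[k] != l[k] for k in keys):
            found.append(("LocalFileAndCentralDirectoryFieldDifferent", e["name"]))
        if c["method"] not in KNOWN_METHODS:
            found.append(("UnknownCompressionMethod", e["name"]))
        if c["version_made"] == 0 or c["version_needed"] == 0:
            found.append(("UnknownPkzipVersion", e["name"]))
        if c["time"] == 0 and c["date"] == 0:
            found.append(("FileTimeIsZero", e["name"]))
        if c["csize"] and c["usize"] / c["csize"] > bomb_ratio and c["usize"] > bomb_size:
            found.append(("ZipBomb", e["name"]))
    return found


def build_sample():
    """Constructed sample: two entries written by zipfile, then patched in place after the fact."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for name, data in (("readme.txt", b"hello\n" * 16), ("payload.bin", b"\0" * (1 << 20))):
            info = zipfile.ZipInfo(name, date_time=(2024, 4, 18, 7, 32, 54))
            z.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    buf = bytearray(out.getvalue())
    off = {e["name"]: e for e in parse_entries(buf)}
    # Tamper 1: readme.txt's local header now says method 0 (stored) while the central
    # directory still says 8 (deflate): the two copies disagree.
    struct.pack_into("<H", buf, off["readme.txt"]["local_offset"] + 8, 0)
    # Tamper 2: payload.bin gets method 0x1234 in both headers: consistent, but not a known method.
    struct.pack_into("<H", buf, off["payload.bin"]["local_offset"] + 8, 0x1234)
    struct.pack_into("<H", buf, off["payload.bin"]["cdir_offset"] + 10, 0x1234)
    return bytes(buf)


if __name__ == "__main__":
    for anomaly, name in scan_zip(build_sample(), bomb_size=512 * 1024):
        print(anomaly, name)
```

With the page's defaults the 1 MiB entry of zeros is far too small to count as a bomb even though its ratio is around 1000x; lowering bomb_size in the call shows the ratio test firing. Note that an archive written to a non-seekable stream sets flag bit 3, which is why the CRC and size comparison is conditional rather than a false positive.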

Embedding

ExeInAce

level:

ERROR

category:

embedding

filetype:

ACE

architecture:

defined in:

data\anomalies\ACE.py

ACE is an outdated compression format. An archive containing executables is most likely malware

OleNative

level:

ERROR

category:

embedding

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

File embeds an OLE object

HasOverlay

level:

ERROR

category:

embedding

filetype:

LNK

architecture:

defined in:

data\anomalies\LNK.py

Shortcut has overlay

EmbeddedFileNonPicture

level:

ERROR

category:

embedding

filetype:

ONE

architecture:

defined in:

data\anomalies\ONE.py

OneNote document embeds a file which is not a recognized picture

EmbeddedFile

level:

ERROR

category:

embedding

filetype:

PDF

architecture:

defined in:

data\anomalies\subobjects.py

PDF file contains a file as an attachment

EmbeddedProgram

level:

WARN

category:

embedding

filetype:

architecture:

defined in:

data\anomalies\subobjects.py

File embeds a program

WayMorePicturesThanWordText

level:

TRACE

category:

embedding

filetype:

Office.Word

architecture:

defined in:

data\anomalies\subobjects.py

The ratio text size/pictures size < 0.1

VBFormMostlyPicture

level:

ERROR

category:

embedding

filetype:

PE

architecture:

PCODE

defined in:

data\anomalies\vb.py

a VB form is composed mostly of a single 10KB+ picture. Some obfuscators put the payload inside form pictures

Time

DirectoryTimeStampInTheFuture

level:

ERROR

category:

time

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

Directory Timestamp is in the future

DebugTimeDateStampInTheFuture

level:

ERROR

category:

time

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Debug TimeDateStamp is in the future

DebugTimeDifferentThanTimeDateStamp

level:

WARN

category:

time

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Difference between PE TimeDateStamp and Debug TimeDateStamp is bigger than 1 year (and both are set)

ExportTimeDateStampInTheFuture

level:

ERROR

category:

time

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Export TimeDateStamp is in the future

ExportTimeDifferentThanTimeDateStamp

level:

ODD

category:

time

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Difference between PE TimeDateStamp and export TimeDateStamp is bigger than 10 minutes (and both are set)

TimeDateStampInTheFuture

level:

ERROR

category:

time

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

PE TimeDateStamp is in the future

TimeDateStampZero

level:

TRACE

category:

time

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

PE TimeDateStamp is not set

FileTimeIsZero

level:

TRACE

category:

time

filetype:

ZIP

architecture:

defined in:

data\anomalies\ZIP.py

a file/central directory time is zero

Code

EmptyVbaProjectStream

level:

ERROR

category:

code

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

The _VBAPROJECT stream is empty, a sign of VBA Purging

HasVisualBasicProject

level:

ERROR

category:

code

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

Document contains a visual basic project

VbaModuleWithoutPerformanceCache

level:

ERROR

category:

code

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

The size of the performance cache of a VBA module is zero, a sign of VBA Purging

CrossSectionJump

level:

ERROR

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

Control flow jumps across sections, could be a packed file, a patched file or a file infector

EntryPointInNonExecRegion

level:

ERROR

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

EntryPoint symbol is set and points to a non-executable region

HighXrefLoopingFunction

level:

TRACE

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

Function contains a loop and has a lot of incoming references (string decryption candidate)

HugeFunctionGapAtSectionBoundary

level:

ODD

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

There is a huge gap, with medium-to-high entropy and not part of a known structure, between the start/end of an executable section and its first/last function. It often means that data is stored there

HugeGapBetweenFunctions

level:

ODD

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

There is a huge gap between two functions with medium-to-high entropy, often means that data is stored there

ManyHighValueImmediates

level:

WARN

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

Function contains at least 5 and more than 10% of high-value immediate operands (i.e. immediate values that contain at least 2 non-zero non-FF bytes and are not a valid address)

ManyUniqueImmediateBytes

level:

WARN

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

More than 48 unique bytes defined across all immediate operands in the function

NonAsciiFunctionName

level:

WARN

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

Function with a non-ASCII name, used by some packers

SequentialFunction

level:

TRACE

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

function with very little intra jumps and calls, usually a crypto function, unrolled loops or data initialisation

SpaghettiFunction

level:

TRACE

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

Function with lots of intra jumps, could be obfuscated

StackArrayInitialisationX64

level:

WARN

category:

code

filetype:

architecture:

X64

defined in:

data\anomalies\code.py

An array of data is dynamically built on the stack, sometimes used to build shellcodes or strings

StackArrayInitialisationX86

level:

WARN

category:

code

filetype:

architecture:

X86

defined in:

data\anomalies\code.py

An array of data is dynamically built on the stack, sometimes used to build shellcodes or strings

XorInLoop

level:

WARN

category:

code

filetype:

architecture:

defined in:

data\anomalies\code.py

XOR instruction in a loop

DangerousProgram

level:

WARN

category:

code

filetype:

LNK

architecture:

defined in:

data\anomalies\LNK.py

Shortcut points to a dangerous program

ContainsJavascript

level:

ERROR

category:

code

filetype:

PDF

architecture:

defined in:

data\anomalies\PDF.py

PDF file contains javascript code.

HiddenOpenAction

level:

ERROR

category:

code

filetype:

PDF

architecture:

defined in:

data\anomalies\PDF.py

PDF file defines an action to be executed when document is opened, and action object is not visible (most likely hidden in an ObjStm)

OpenAction

level:

ODD

category:

code

filetype:

PDF

architecture:

defined in:

data\anomalies\PDF.py

PDF file defines an action to be executed when document is opened.

AutoExecLabel

level:

ERROR

category:

code

filetype:

Office.Workbook8

architecture:

defined in:

data\anomalies\Workbook8.py

Contains a macro which will be executed automatically

HasFormula

level:

WARN

category:

code

filetype:

Office.Workbook8

architecture:

defined in:

data\anomalies\Workbook8.py

Excel document contains macros

HugeFormula

level:

WARN

category:

code

filetype:

Office.Workbook8

architecture:

defined in:

data\anomalies\Workbook8.py

Excel document contains a large and complex macro

Cryptography

EncryptedRegion

level:

WARN

category:

cryptography

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

File is encrypted

EncryptedWorkbook

level:

WARN

category:

cryptography

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

Workbook is encrypted

Exploit

VulnerableFileType

level:

ERROR

category:

exploit

filetype:

CFB

architecture:

defined in:

data\anomalies\CFB.py

File type is known to be exploited in the wild

Resources

BigStaticArray

level:

ERROR

category:

resources

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

A big static array was found. Static fields are often used to store the packed payload in obfuscated malware

ExtraSpaceAfterResourcesDataDirectory

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

extra physical data in rsrc section after resource directory data

ExtraSpaceBeforeResourcesDataDirectory

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

extra physical data in rsrc section before resource directory data

InvalidVersionInfoKey

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

A version information key is wrong

PictureResourceWrongType

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

An ICO/BMP/PNG/JPEG resource entry does not contain a valid image file (or only a partial one)

RcdataNoDelphi

level:

ODD

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

File contains a rcdata resource and is not a delphi application

ResourceDirectoryGap

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

There is a space (bigger than 15 bytes) inside the resource directory region which is not occupied by a resource

UnknownResourceLanguage

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

A resource language is not standard

UnknownRootResourceDirectoryId

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

A root resource directory ID is not standard

UnparsedVersionInfo

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Version information was not fully parsed

UnsupportedFixedVersionValue

level:

ERROR

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

A field in fixed version info has an unknown/unsupported value, may indicate version info tampering

BigResourceHighEntropy

level:

ODD

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\resources.py

File contains a big (> 10% of the file or > 3K) high-entropy resource which is not a picture

HugeResource

level:

TRACE

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\resources.py

More than 33% of the file is composed of non-zero-entropy 10KB+ resources

NonAsciiResourceName

level:

WARN

category:

resources

filetype:

PE

architecture:

defined in:

data\anomalies\resources.py

File contains resources with non-ascii names, used by some packers

Imports

DynamicAssemblyLoadingApi

level:

WARN

category:

imports

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Assembly uses an API for loading assemblies dynamically

ExternalModule

level:

WARN

category:

imports

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Assembly uses external modules

NativeMethods

level:

WARN

category:

imports

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

Assembly imports native methods

DownloaderPlugin

level:

WARN

category:

imports

filetype:

InnoSetup

architecture:

defined in:

data\anomalies\INNO.py

The installer includes idp.dll, which is a plugin used to download files from the internet. Often used by malicious downloaders

BoundImports

level:

ODD

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Bound imports are present

EmptyImportTable

level:

ERROR

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Import Table is empty (no valid thunk)

NoImportTable

level:

ERROR

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

no valid Import Table found

CryptoApiUsage

level:

ODD

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\symbols.py

Crypto-related apis are used

DelayImports

level:

WARN

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\symbols.py

There are delay imports

DotnetCryptoApiUsage

level:

WARN

category:

imports

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\symbols.py

Assembly uses typical methods for encrypting/decrypting data

DotnetDownloaderApiUsage

level:

WARN

category:

imports

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\symbols.py

Assembly uses typical methods for downloading data

DotnetDynamicLoadingApiUsage

level:

WARN

category:

imports

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\symbols.py

Assembly uses typical methods for dynamic code loading

DownloaderApiUsage

level:

ODD

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\symbols.py

Downloader-related apis are used

ImportByHash

level:

ERROR

category:

imports

filetype:

architecture:

defined in:

data\anomalies\symbols.py

APIs are imported by hash

PossibleDownloaderApiDynamicImport

level:

ERROR

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\symbols.py

A downloader-related api (recv, InternetConnect, etc.) is present as string in the binary, but is not imported

PossiblePackerApiDynamicImport

level:

ERROR

category:

imports

filetype:

PE

architecture:

defined in:

data\anomalies\symbols.py

A packer-related api (VirtualProtect, ResumeThread, etc.) is present as string in the binary, but is not imported

VBExternalApi

level:

WARN

category:

imports

filetype:

PE

architecture:

X86

defined in:

data\anomalies\vb.py

VB project uses external Win32 APIs (most likely via DllFunctionCall)

UnreferencedImports

level:

WARN

category:

imports

filetype:

architecture:

defined in:

data\anomalies\xref.py

More than half of the imports are not referenced, it could mean that the APIs are just decoys, or that the file is packed

Strings

NoUserString

level:

ERROR

category:

strings

filetype:

PE

architecture:

DOTNET

defined in:

data\anomalies\dotnet.py

No user string could be found

BigStringHiScore

level:

WARN

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

string has more than 256 characters and high interest score

DynamicDllString

level:

ERROR

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

String is constructed dynamically and is a Windows DLL name, most likely used by some malicious shellcode

DynamicString

level:

WARN

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

string is constructed dynamically

FewStrings

level:

ODD

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

file does not have many identified strings (less than 1% of the file is composed of strings)

HugeStringBase64

level:

ERROR

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

string has more than 256 characters and base64 encoding

HugeStringBinary

level:

ERROR

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

string has more than 1024 characters and binary encoding

HugeStringHexa

level:

ERROR

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

String has more than 1024 characters and hexadecimal encoding

ManyBase64Strings

level:

WARN

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

contains many b64 strings

StringBase64

level:

WARN

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

String has more than 16 characters and is encoded using base64

VeryHugeString

level:

ODD

category:

strings

filetype:

architecture:

defined in:

data\anomalies\strings.py

string has more than 65k characters
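The string anomalies in this category are length-and-alphabet rules, so they can be written down as a classifier over the printable strings extracted from a file. The code below is an added example, not the implementation in data\anomalies\strings.py. Its assumptions: the minimum length of a printable run that counts as a string, the reading of "65k" as 65536, emitting both StringBase64 and HugeStringBase64 for a long base64 string, and the count behind ManyBase64Strings (the page gives none). BigStringHiScore is left out because its interest score is not defined on this page, and the sample buffer is constructed inline.

```python
import base64
import re

MIN_LEN = 5                                       # assumption: shortest printable run that counts as a string
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
B64 = re.compile(r"[A-Za-z0-9+/]+={0,2}")
HEX = re.compile(r"[0-9A-Fa-f]+")
BIN = re.compile(r"[01]+")


def extract_strings(buf):
    """(offset, text) for every run of printable ASCII, in the spirit of the `strings` tool."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(buf)]


def classify(s):
    """Anomaly names a single string triggers, using the length thresholds from the list above.
    Binary and hex are tested before base64 because their alphabets are subsets of base64's."""
    tags = []
    n = len(s)
    if n > 65536:                                 # "65k characters" read as 64 KiB (assumption)
        tags.append("VeryHugeString")
    if BIN.fullmatch(s):
        if n > 1024:
            tags.append("HugeStringBinary")
    elif HEX.fullmatch(s):
        if n > 1024:
            tags.append("HugeStringHexa")
    elif B64.fullmatch(s) and n % 4 == 0:          # base64 output is always a multiple of 4 characters
        if n > 16:
            tags.append("StringBase64")
        if n > 256:
            tags.append("HugeStringBase64")
    return tags


def scan_strings(buf, many_b64_threshold=5):
    """File-level findings: per-string tags plus FewStrings (strings cover < 1% of the file) and
    ManyBase64Strings (the count of 5 is an assumption)."""
    found = []
    strings = extract_strings(buf)
    if buf and sum(len(s) for _, s in strings) / len(buf) < 0.01:
        found.append(("FewStrings", None))
    b64_count = 0
    for off, s in strings:
        tags = classify(s)
        b64_count += "StringBase64" in tags
        found.extend((t, off) for t in tags)
    if b64_count >= many_b64_threshold:
        found.append(("ManyBase64Strings", None))
    return found


def build_sample():
    """Constructed buffer: ordinary text, three base64 strings of increasing length, a hex blob and
    a bit string, separated by NUL padding so that each becomes its own printable run."""
    parts = [
        b"This program cannot be run in DOS mode.",
        base64.b64encode(b"kernel32.dll"),                 # 16 chars: at the threshold, not above it
        base64.b64encode(b"ntdll.dll!NtCreateThreadEx"),   # 36 chars: StringBase64
        base64.b64encode(bytes(range(256)) * 2),           # 684 chars: HugeStringBase64 (and StringBase64)
        (b"\x90" * 600).hex().encode(),                    # 1200 hex chars: HugeStringHexa
        b"01" * 600,                                       # 1200 bit chars: HugeStringBinary
    ]
    return b"\0" * 64 + (b"\0" * 64).join(parts) + b"\0" * 64


if __name__ == "__main__":
    for anomaly, offset in scan_strings(build_sample()):
        print(anomaly, offset)
```

The order of the alphabet tests matters: a run of "0" and "1" characters is also valid hex and valid base64, and a hex blob is valid base64, so the most restrictive alphabet is checked first. The multiple-of-four rule for base64 removes most accidental matches on ordinary identifiers.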

Sections

StrippedSections

level:

WARN

category:

sections

filetype:

ELF

architecture:

defined in:

data\anomalies\ELF.py

sections have been stripped

CodeSectionNotExecutable

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

code section is not executable

DllNoRelocation

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

dll has no relocation information

DuplicatedSectionName

level:

ODD

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

section name has already been used before in section table

ExecutableSectionNoCode

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

executable section has the flag code not set

InvalidBaseOfCode

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

at least one code section starts before BaseOfCode, or BaseOfCode is not the start of a code section

InvalidBaseOfData

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

at least one data section starts before BaseOfData, or BaseOfData is not the start of a data section

InvalidSizeOfCode

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

SizeOfCode is not the sum of all code sections (raw or virtual)

InvalidSizeOfInitializedData

level:

ODD

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

SizeOfInitializedData is not the sum of all initialized data sections (raw or virtual)

InvalidSizeOfUninitializedData

level:

ODD

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

SizeOfUninitializedData is not the sum of all uninitialized data sections (raw or virtual)

LotsOfSections

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

more than 96 sections (Windows XP’s maximum) in PE

PointerToRawDataNotAligned

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

PointerToRawData is not aligned to FileAlignment

PurelyPhysicalSection

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

a section is physical-only and will thus not be mapped in memory

PurelyVirtualExecutableSection

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

a section is virtual-only and executable (packer?)

RelocSectionNoRelocation

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

.reloc section does not contain relocations

RelocationsNotInRelocSection

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

relocations are not in .reloc

SectionEmptyName

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

section name is null

SectionGap

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

there is a physical gap between two sections

SectionMostlyVirtual

level:

ODD

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

section is composed of mostly virtual space

SectionNameUnknown

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

section name is not one of the typical PE section names

SectionReservedCharacteritics

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

reserved flags are set in the section characteristic

SectionWX

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

section is executable and writeable

SectionWeirdRights

level:

WARN

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

section has a standard name but its rights are not the usual ones (like .text not having +X)

SizeOfRawDataNotAligned

level:

ERROR

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

SizeOfRawData is not aligned to FileAlignment

UnbalancedVirtualPhysicalRatio

level:

TRACE

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

huge difference between the physical and virtual size of a section

WeirdFileAlignment

level:

ODD

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

FileAlignment is not 512 nor 4096

WeirdSectionAlignment

level:

ODD

category:

sections

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

SectionAlignment is not 4096 nor 8192
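Most of the section-table checks in this category, together with WeirdNumberOfRvaAndSizes from Headers and TimeDateStampZero/TimeDateStampInTheFuture from Time, need nothing more than the NT headers and the section table, which struct can unpack directly. The scanner below is an added example for this page, not the code in data\anomalies\PE.py. Assumptions made here: the set of "typical" section names, reading a "weird" NumberOfRvaAndSizes as any value other than 16, the reserved-bit mask taken from the PE/COFF section flag table, and the constructed PE32 header (DOS header, NT headers and section table with no section data) that carries the deliberate defects.

```python
import struct
import time

# Section characteristic bits from the PE/COFF specification.
CNT_CODE, CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RESERVED_BITS = 0x00000001 | 0x00000002 | 0x00000004 | 0x00000010 | 0x00000400
# Assumption: these are the section names treated as "typical".
TYPICAL_NAMES = {b".text", b".rdata", b".data", b".bss", b".idata", b".edata", b".rsrc",
                 b".reloc", b".pdata", b".tls", b".CRT", b".textbss", b"CODE", b"DATA"}
SECTION = struct.Struct("<8sIIIIIIHHI")     # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER = struct.Struct("<HHIIIHH")     # IMAGE_FILE_HEADER, 20 bytes


def build_pe(sections, file_align=0x200, sect_align=0x1000, timestamp=0x6620A9E7, n_rva=16):
    """Constructed minimal PE32 image: DOS header, NT headers and a section table, no section data."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    file_hdr = FILE_HEADER.pack(0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                            # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<I", opt, 92, n_rva)                           # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + b"".join(SECTION.pack(*s) for s in sections)


def parse_headers(buf):
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh = FILE_HEADER.unpack_from(buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    sect_align, file_align = struct.unpack_from("<II", buf, opt + 32)
    n_rva = struct.unpack_from("<I", buf, opt + (108 if magic == 0x20B else 92))[0]
    table = opt + fh[5]                                              # SizeOfOptionalHeader
    return {"timestamp": fh[2], "sect_align": sect_align, "file_align": file_align, "n_rva": n_rva,
            "sections": [SECTION.unpack_from(buf, table + 40 * i) for i in range(fh[1])]}


def scan_pe(buf, now=None):
    """Return (anomaly, section name) pairs; `now` is the Unix time used for the future check."""
    now = int(time.time()) if now is None else now
    h = parse_headers(buf)
    found = []
    if h["file_align"] not in (512, 4096):
        found.append(("WeirdFileAlignment", None))
    if h["sect_align"] not in (4096, 8192):
        found.append(("WeirdSectionAlignment", None))
    if h["n_rva"] != 16:                                             # assumption: anything but 16 is "weird"
        found.append(("WeirdNumberOfRvaAndSizes", None))
    if len(h["sections"]) > 96:
        found.append(("LotsOfSections", None))
    if h["timestamp"] == 0:
        found.append(("TimeDateStampZero", None))
    elif h["timestamp"] > now:
        found.append(("TimeDateStampInTheFuture", None))
    fa, seen = h["file_align"], set()
    for name, vsize, _va, rawsize, rawptr, _, _, _, _, chars in h["sections"]:
        tag = name.rstrip(b"\0").decode("latin-1")
        if not tag:
            found.append(("SectionEmptyName", tag))
        elif name.rstrip(b"\0") not in TYPICAL_NAMES:
            found.append(("SectionNameUnknown", tag))
        if tag in seen:
            found.append(("DuplicatedSectionName", tag))
        seen.add(tag)
        if fa and rawptr % fa:
            found.append(("PointerToRawDataNotAligned", tag))
        if fa and rawsize % fa:
            found.append(("SizeOfRawDataNotAligned", tag))
        if chars & MEM_EXECUTE and chars & MEM_WRITE:
            found.append(("SectionWX", tag))
        if chars & RESERVED_BITS:
            found.append(("SectionReservedCharacteritics", tag))
        if chars & MEM_EXECUTE and not chars & CNT_CODE:
            found.append(("ExecutableSectionNoCode", tag))
        if chars & MEM_EXECUTE and rawsize == 0 and vsize:
            found.append(("PurelyVirtualExecutableSection", tag))
    # SectionGap: ordered by file offset, each section with raw data should start where the previous one ends.
    phys = sorted((s[4], s[3], s[0]) for s in h["sections"] if s[3])
    for (start0, size0, _), (start1, _, name1) in zip(phys, phys[1:]):
        if start0 + size0 != start1:
            found.append(("SectionGap", name1.rstrip(b"\0").decode("latin-1")))
    return found


def build_sample(now):
    """Constructed sample with deliberate defects; `now` puts the timestamp 30 days in the future."""
    X, W, R = MEM_EXECUTE, MEM_WRITE, MEM_READ
    sections = [
        (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, CNT_CODE | X | R),              # clean
        (b".data", 0x1000, 0x2000, 0x200, 0x1400, 0, 0, 0, 0, CNT_INITIALIZED_DATA | R | W),   # clean
        (b".text", 0x3000, 0x3000, 0, 0, 0, 0, 0, 0, CNT_CODE | X | R | W),     # duplicate name, W+X, virtual-only
        (b"UPX1", 0x1000, 0x6000, 0x300, 0x1800, 0, 0, 0, 0, X | R | 0x10),     # odd name and size, no CNT_CODE,
    ]                                                                           # reserved bit, gap after .data
    return build_pe(sections, timestamp=now + 30 * 86400)


if __name__ == "__main__":
    for anomaly, where in scan_pe(build_sample(int(time.time()))):
        print(anomaly, where or "")
```

The gap check deliberately ignores sections whose SizeOfRawData is zero, since they occupy no file space; the same sections are what PurelyVirtualExecutableSection is about when they are executable.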

Debug

GoNoPclnTable

level:

ERROR

category:

debug

filetype:

PE

architecture:

defined in:

data\anomalies\golang.py

File is a golang executable but no golang pcln table could be found (maybe stripped / modified)

Metadata

CreatedInsideVirtualMachine

level:

WARN

category:

metadata

filetype:

LNK

architecture:

defined in:

data\anomalies\LNK.py

According to tracker data, the .lnk file was generated inside a VM

Entropy

BssNonEmpty

level:

WARN

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\misc.py

.bss region/section is not empty

HighEntropy

level:

ODD

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\misc.py

File has high entropy overall (> 200)

PumpedOverlay

level:

ERROR

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\misc.py

Overlay is huge and of low entropy

RegionHighEntropy

level:

TRACE

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\misc.py

Region/section has high entropy overall (> 200)

UnknownOverlayMediumToHighEntropy

level:

WARN

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\misc.py

File contains an overlay which is not of known type and has medium-to-high entropy

BmpHighEntropy

level:

ERROR

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\subobjects.py

More than 10% of the file is composed of a high-entropy picture

SingleBigPictureHighEntropy

level:

ODD

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\subobjects.py

More than 10% of the file is composed of a high-entropy picture

BigBufferNoXrefMediumToHighEntropy

level:

WARN

category:

entropy

filetype:

architecture:

defined in:

data\anomalies\xref.py

a medium-to-high-entropy 10KB+ buffer, which is not part of a known structure and has no cross-reference inside: most likely a big crypto data block. File must have at least one function for this anomaly to run

BloatedExecutableFile

level:

WARN

category:

entropy

filetype:

ZIP

architecture:

defined in:

data\anomalies\ZIP.py

ZIP file contains an executable which has a huge compression ratio > 20x (most likely to abuse sandbox upload size limit)

Packers

MultiplePackers

level:

ERROR

category:

packers

filetype:

architecture:

defined in:

data\anomalies\misc.py

File is packed using multiple packers, very suspicious

Packed

level:

ODD

category:

packers

filetype:

architecture:

defined in:

data\anomalies\misc.py

File is packed using a legit or less-legit obfuscator

Exports

DllNoExportTable

level:

ERROR

category:

exports

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

no valid ExportDirectory found and PE is a DLL

EmptyExportTable

level:

ERROR

category:

exports

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Export Table is empty (no valid export but ExportDirectory found)

Integrity

InvalidChecksum

level:

ERROR

category:

integrity

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

PE Header checksum is wrong

NoChecksum

level:

TRACE

category:

integrity

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

PE Header checksum is not set
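InvalidChecksum and NoChecksum both need the header checksum recomputed from the file and compared with the OptionalHeader.CheckSum field. The following added example (not Malcat's code from data\anomalies\PE.py) implements the word-sum-with-end-around-carry scheme of imagehlp's CheckSumMappedFile, the same one pefile's generate_checksum reproduces, and runs it over a constructed 256-byte header stub. It assumes e_lfanew is dword-aligned, as it is in any linker-produced file, and covers only the two checksum anomalies, not the certificate ones.

```python
import struct


def checksum_offset(buf):
    """File offset of OptionalHeader.CheckSum: e_lfanew + signature (4) + file header (20) + 64.
    The field sits at the same optional-header offset for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[:2] != b"MZ" or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(buf):
    """Recompute the header checksum: sum of 32-bit words with the carry folded back in,
    folded down to 16 bits, plus the file length. The CheckSum field itself is skipped."""
    skip = checksum_offset(buf)
    total = 0
    for off in range(0, len(buf), 4):
        if off == skip:
            continue
        chunk = bytes(buf[off:off + 4]).ljust(4, b"\0")     # zero-pad a trailing partial word
        total += struct.unpack("<I", chunk)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(buf)) & 0xFFFFFFFF


def check_integrity(buf):
    """NoChecksum when the field is zero, InvalidChecksum when it disagrees with the file, else None."""
    stored = struct.unpack_from("<I", buf, checksum_offset(buf))[0]
    if stored == 0:
        return "NoChecksum"
    return None if stored == pe_checksum(buf) else "InvalidChecksum"


def build_sample(stored=None):
    """Constructed 256-byte stub: DOS header, PE signature, zeroed headers, optional stored checksum."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    if stored is not None:
        struct.pack_into("<I", buf, checksum_offset(buf), stored)
    return bytes(buf)


if __name__ == "__main__":
    stub = build_sample()
    print(hex(pe_checksum(stub)), check_integrity(stub))
    print(check_integrity(build_sample(pe_checksum(stub))))
```

For the stub the only non-zero words are "MZ" (0x5A4D), e_lfanew (0x40) and "PE" (0x4550), so the sum is 0x9FDD and, after adding the 0x100-byte length, the checksum is 0xA0DD. Flipping any byte outside the CheckSum field changes the result, which is what InvalidChecksum detects on a patched file; the field being zero is merely a linker that was not asked to fill it in, hence the TRACE level of NoChecksum.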

NoValidCertificate

level:

ERROR

category:

integrity

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Certificate data directory does not point to a valid certificate (maybe corrupted?)

TruncatedFile

level:

ERROR

category:

integrity

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

some or all section bytes are not present on disk (Windows may not load it)

UnsignedMicrosoft

level:

ERROR

category:

integrity

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Version information tells us it is a Microsoft file but no certificate has been found

Rich

RichExportNoExportTable

level:

WARN

category:

rich

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

export entry in rich header but no export table present

RichMultipleLinkers

level:

WARN

category:

rich

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

multiple linker entries in rich header

RichUnknownTool

level:

ODD

category:

rich

filetype:

PE

architecture:

defined in:

data\anomalies\PE.py

Tool entry is not known (either a new version or has been patched)