Strings list

The strings view is accessed using the F6 shortcut and lists all strings extracted by Malcat's String analysis. You can sort, filter and copy strings, or add them to the Current Yara rule. For more information on how Malcat extracts strings from a program, please refer to String analysis.

The grid

Depending on the identified file type, different string extraction algorithms can be used. Algorithms range from a simple regular-expression-based linear sweep to more advanced file-format-aware parsers, or even disassembly-based parsers (cf. below). Multiple algorithms can also be used at the same time. Extracted strings are then analyzed and sorted inside the grid you can see below:

../../_images/strings.png

The string view in a nutshell

Columns

The string grid features the following columns:

String

the content of the string. If the string is longer than 128 characters, only the start and the end of the string are displayed

Address

the start of the string object (see the note below). Double-clicking the row takes you there

Type

describes what kind of string it is (cf. String analysis):

  • USER: a string literal used by user code (e.g. a .NET UserString; for other CPUs, these could simply be scan strings with at least one reference)

  • META: a string used by the file format. These could be symbols, or class names

  • DYN: a dynamic string, constructed on the stack or in memory

  • SCAN: a string found via linear scan. It may not actually be a string at all, only a run of bytes that happen to be printable

Encoding

how the characters are encoded. Could be Ascii, UTF8, or UTF16-le

Tag

tags which describe the content of the string's characters. Currently supported tags are:

  • BASE64: string is likely a base64 string (heuristic)

  • HEXA: string is likely a hexadecimal string (heuristic, at least 16 characters)

  • URL: string looks like an url

  • IP: string looks like an IPv4 address

  • PATH: string looks like a file path

  • REGISTRY: string looks like a Windows registry key

Additional tags can be defined using regular expressions in the file located at data/strings/specialr.re or <user data dir>/strings/specialr.re (cf. Customisation).

Size

number of characters in the string

Score

string interest score, see below

Xrefs

number of incoming references (code and data refs).

Most columns can be used to sort the grid. Keep in mind that sorting can be slow if a large number of strings has been found. By default, strings are sorted by their score, descending.

Coloring

You will notice that some of the rows in the strings grid are colored. Currently two types of color are used:

  • The Anomaly scanner theme color for strings which are part of an identified anomaly

  • The Yara signatures theme color for strings which are part of a matching Yara rule

This helps to quickly identify important strings.

String preview / goto

Clicking on a string will display the string’s details in the quickview panel. There, you will also have access to the complete list of incoming references to the string.

If you double-click the string, you will jump to the start of the string in the Hexadecimal view or the Structure/text view (the most recently used view is chosen).

Note

Malcat distinguishes between how a string object is stored and the string it contains. The first character of the string is not always located at the beginning of the string object: .NET user strings, for instance, are prefixed by their size. Keeping track of the whole string object is necessary for cross references to work. So don't be surprised when you double-click a string and Malcat does not jump to its first character.
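To make the note concrete, here is an added example (my own code, not Malcat's) that walks a .NET #US (user string) heap and reports, for every entry, where the string object starts and where its first character actually sits. It assumes the ECMA-335 layout of #US entries (a compressed-integer length prefix, UTF-16LE characters, one trailing flag byte); the heap bytes are constructed inline for the demonstration.

```python
def read_compressed_uint(blob, off):
    """Decode an ECMA-335 compressed unsigned integer (II.23.2).
    Returns (value, number_of_bytes_consumed): 1, 2 or 4 bytes."""
    b0 = blob[off]
    if b0 & 0x80 == 0:
        return b0, 1
    if b0 & 0xC0 == 0x80:
        return ((b0 & 0x3F) << 8) | blob[off + 1], 2
    if b0 & 0xE0 == 0xC0:
        return (((b0 & 0x1F) << 24) | (blob[off + 1] << 16)
                | (blob[off + 2] << 8) | blob[off + 3]), 4
    raise ValueError(f"invalid compressed integer at offset {off:#x}")

def parse_us_heap(heap):
    """Walk a #US heap and return (object_offset, text_offset, text) per entry.
    object_offset is where the string *object* begins (the length prefix), which is
    what the Address column and double-click target; text_offset is where the first
    UTF-16LE character begins, 1 to 4 bytes later."""
    entries = []
    off = 1  # offset 0 of a #US heap is always a single 0x00 byte: the empty string
    while off < len(heap):
        obj_off = off
        length, prefix_len = read_compressed_uint(heap, off)
        text_off = off + prefix_len
        if length == 0:          # stray 0x00 padding, not a string object
            off = text_off
            continue
        # length counts the UTF-16LE payload plus one trailing flag byte
        text = heap[text_off:text_off + length - 1].decode("utf-16-le")
        entries.append((obj_off, text_off, text))
        off = text_off + length
    return entries

def build_us_entry(text):
    """Encode one #US entry (used only to construct the sample heap below)."""
    payload = text.encode("utf-16-le") + b"\x00"  # trailing flag byte
    n = len(payload)
    if n < 0x80:
        prefix = bytes([n])
    elif n < 0x4000:
        prefix = bytes([0x80 | (n >> 8), n & 0xFF])
    else:
        prefix = bytes([0xC0 | (n >> 24), (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF])
    return prefix + payload

# Constructed sample heap: the empty string, a short string (1-byte prefix) and a
# 100-character string whose payload needs a 2-byte prefix.
SAMPLE_US_HEAP = b"\x00" + build_us_entry("Hello") + build_us_entry("x" * 100)

if __name__ == "__main__":
    for obj_off, text_off, text in parse_us_heap(SAMPLE_US_HEAP):
        print(f"object @ {obj_off:#06x}, first char @ {text_off:#06x}: {text[:20]!r}")
```

Running it shows the first entry's object at offset 1 but its first character at offset 2, and the second entry's object at 13 with its text at 15: exactly the gap the note describes, and it grows with the prefix size.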

Shortcut          Action
LeftClick         Select single string / display quick preview
DoubleLeftClick   Go to start of string

How score is computed

The string score is a value between 0 and 255 (255 being the highest) which is given to every extracted string by an internal algorithm. The goal is to give a higher value to strings that are more interesting to human analysts, like crypto content, IOCs or code literals. Since this is merely a heuristic, don't expect it to do miracles: interesting strings are more likely to be listed at the top, but it's not guaranteed.

The exact algorithm won't be described here, since it is a draft likely to change in the future. Its inputs are fixed though, and are the following:

  • Entropy of the string: the higher the better

  • Number of printable characters: the more the better

  • Number of characters: the more the better

  • Type of the string: DYN > USER > META > SCAN

  • Encoding of the string: ascii strings get negative points

  • Does the string carry a specific tag? HEXA and BASE64 strings get extra points

  • Number of incoming references: 1 is best, 2 or more references second best, 0 worst

  • Is the string a known constant (see Known patterns identification)? This lowers the score

  • Is the string part of a Yara pattern (see Yara signatures)? This increases the score

The algorithm is currently still in beta; any constructive feedback is welcome on this matter.
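The tag heuristics, the encodings and the score inputs listed above can be tied together in a small stand-alone model of the grid. The following is an added example written for this page; it is not Malcat's code, the tag regexes are my own rather than the patterns shipped in data/strings/specialr.re, and the weights in score_string are invented (Malcat's real algorithm is not published). It performs a linear SCAN for Ascii and UTF16-le runs over a constructed blob, tags each hit and scores it, then orders the rows by score descending like the view does.

```python
import math
import re

# Content tags modelled on Malcat's Tag column. These regexes are my own
# illustrative heuristics, not the patterns shipped in data/strings/specialr.re.
TAG_PATTERNS = {
    "URL": re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.I),
    "IP": re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$"),
    "REGISTRY": re.compile(r"^(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\", re.I),
    "PATH": re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)[^\s\"<>|]+$"),
    "HEXA": re.compile(r"^(?:[0-9a-f]{2}){8,}$", re.I),  # at least 16 hex digits
    "BASE64": re.compile(r"^(?:[A-Za-z0-9+/]{4}){4,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"),
}

def tag_string(text):
    tags = [name for name, rx in TAG_PATTERNS.items() if rx.search(text)]
    if "HEXA" in tags and "BASE64" in tags:  # hex digits are a subset of the base64 alphabet
        tags.remove("BASE64")
    return tags

def scan_strings(data, min_len=5):
    """Linear SCAN sweep: printable-ASCII runs and UTF-16LE runs of >= min_len chars.
    Returns (address, encoding, text) tuples. As the Type column warns, a SCAN hit
    is not necessarily a real string."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "Ascii", m.group().decode("ascii")) for m in ascii_rx.finditer(data)]
    found += [(m.start(), "UTF16-le", m.group().decode("utf-16-le")) for m in wide_rx.finditer(data)]
    return sorted(found)

def shannon_entropy(text):
    """Entropy in bits per character (0 for an empty string)."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

TYPE_BONUS = {"DYN": 60, "USER": 45, "META": 30, "SCAN": 0}  # DYN > USER > META > SCAN

def score_string(text, stype="SCAN", encoding="Ascii", xrefs=0,
                 known_constant=False, yara_hit=False):
    """Heuristic interest score in 0..255 built from the inputs the page lists.
    The weights are invented for this example; Malcat's real algorithm is not public."""
    score = 12.0 * shannon_entropy(text)                           # entropy: higher is better
    score += min(len(text), 64)                                    # length, capped
    score += 0.5 * min(sum(ch.isprintable() for ch in text), 64)   # printable character count
    score += TYPE_BONUS[stype]
    if encoding == "Ascii":                                        # ascii strings get negative points
        score -= 10
    if {"HEXA", "BASE64"} & set(tag_string(text)):                 # extra points for HEXA / BASE64
        score += 30
    score += {0: -20, 1: 20}.get(xrefs, 10)                        # 1 xref best, 2+ second, 0 worst
    if known_constant:
        score -= 40
    if yara_hit:
        score += 40
    return max(0, min(255, int(round(score))))

def analyze(data, min_len=5):
    """Build grid-like rows for a raw blob, sorted by score descending as the view does."""
    rows = [{"address": addr, "encoding": enc, "string": text, "size": len(text),
             "tags": tag_string(text), "score": score_string(text, "SCAN", enc)}
            for addr, enc, text in scan_strings(data, min_len)]
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows

# Constructed sample blob (not a real binary): header junk, an ASCII URL, a UTF-16LE
# registry path, a base64 token, a run too short to be extracted, and a hex blob.
SAMPLE_DATA = (
    b"MZ\x90\x00\x03\x00"
    + b"http://example.invalid/update.php\x00\x00"
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"VGhpcyBpcyBhIHRlc3Q=\x00"
    + b"abcd\x00"
    + b"4a6f686e446f6528292020\x00"
)

if __name__ == "__main__":
    for row in analyze(SAMPLE_DATA):
        print(f"{row['address']:#06x} {row['encoding']:8} {row['score']:3} {row['tags']} {row['string']}")
```

Two details worth noticing when you run it: the UTF-16LE registry path is found only by the wide sweep (the ASCII sweep sees single characters separated by 00 bytes), and "abcd" never appears because it is below the minimum run length, which is the same reason real tools miss short strings.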

Filtering

The string view can potentially display a very large number of strings. To make things easier, it is possible to filter the displayed strings:

  • By string type, using the checkboxes on top of the string view

  • By string content, using the search box.

Shortcut   Action
Ctrl+F     Set focus to the view's search box

Other operations

Copy single/multi

From within the string view you can select one or multiple strings at once, using the usual mouse shortcuts. If you hit Ctrl+C afterwards, all selected strings are copied to the clipboard, one per line.

Shortcut          Action
LeftClick         Select single string / set start of strings selection
Shift+LeftClick   Set end of strings selection
Ctrl+LeftClick    Add/remove single string to/from strings selection
Ctrl+C            Copy selected strings

Add to Yara

If you select a string, you can add it to the Current Yara rule using the context menu: RightClick ‣ Add string to Yara. You can add it either as a hexadecimal pattern or as a text string. If you choose the latter, the ascii or wide modifier is appended automatically to the line in the Yara rule, depending on the encoding of the string.
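As an added example of what the two forms of the generated Yara line look like (my own code, not Malcat's implementation of the context action), the functions below turn a string from the grid, together with its Encoding column value, into either a text string with the matching ascii/wide modifier or a hex pattern of its stored bytes. The sample entries are constructed; the rule name and the "any of them" condition are mine.

```python
def yara_escape(text):
    """Escape backslashes, quotes and control characters for a YARA text string."""
    return (text.replace("\\", "\\\\").replace('"', '\\"')
                .replace("\n", "\\n").replace("\t", "\\t"))

def yara_text_string(ident, text, encoding):
    """'Add as string': the modifier follows the string's Encoding column,
    wide for UTF16-le, ascii otherwise (ascii is YARA's default but is written out)."""
    modifier = "wide" if encoding == "UTF16-le" else "ascii"
    return f'${ident} = "{yara_escape(text)}" {modifier}'

def yara_hex_string(ident, text, encoding):
    """'Add as hexadecimal pattern': the bytes exactly as stored, so a UTF16-le
    string carries its interleaved 00 bytes and will not match the ASCII form."""
    codec = "utf-16-le" if encoding == "UTF16-le" else "utf-8"
    hexbytes = " ".join(f"{b:02X}" for b in text.encode(codec))
    return f"${ident} = {{ {hexbytes} }}"

def build_rule(name, entries):
    """entries: (text, encoding, as_hex) triples, numbered $s1, $s2, ... in a rule."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, (text, encoding, as_hex) in enumerate(entries, 1):
        make = yara_hex_string if as_hex else yara_text_string
        lines.append("        " + make(f"s{i}", text, encoding))
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)

# Constructed entries, as if picked from the grid and added via the context menu.
EXAMPLE_ENTRIES = [
    ("cmd.exe /c", "Ascii", False),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "UTF16-le", False),
    ("MZ", "UTF16-le", True),
]

if __name__ == "__main__":
    print(build_rule("example_strings", EXAMPLE_ENTRIES))
```

The hex form is the one to pick when you want the pattern to match only the exact stored encoding; the text form with wide is more readable but, if you later also add ascii, it will match both encodings.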

Download

Strings which look like URLs (i.e. they have the URL tag) are treated in a special way. In the string context menu, an additional action appears: RightClick ‣ Download and Analyze. If you choose this action, Malcat downloads the given URL using a fake user agent and opens the result as a sub-file inside Malcat. Keep in mind that this contacts the remote server from your analysis machine: for a URL taken from a live malware sample, do it only from a host whose network egress you are prepared to expose to the operator.