Anomalies

These indicators represent situations where the file has elements that are inconsistent or anomalous in some way. Frequently, these are inconsistencies in structural elements in the file.

Indicator

Description

16bitSubsystem

The file uses the 16-bit subsystem. Malware uses this to live in a less secured and less monitored part of the operating system, and frequently to perform privilege escalation attacks. Note that the 16-bit subsystem (NTVDM) exists only on 32-bit editions of Windows, so such a file cannot run natively on a 64-bit system.

Anachronism

This PE appears to misrepresent when it was built: its declared timestamp is inconsistent with the rest of the file (for example, a timestamp in the future). This is atypical for professionally built software.

AppendedData

This PE has extra content appended beyond the end of the last section declared in its headers (an overlay). Appended data is frequently used to embed malicious code or data, and is frequently overlooked by protection systems because it is not mapped when the image is loaded.

AutoitDbgPrivilege

The AutoIt script acquires the debug privilege, which allows it to open and manipulate other processes.

AutoitManyDllCalls

The AutoIt script uses many external DLL calls. The AutoIt runtime already provides many common functions, so pulling additional functionality from external libraries may be a sign of maliciousness.

AutoitMutex

The AutoIt script creates synchronization objects (mutexes). Malware often does this to ensure that only one instance of itself runs on an infected host.

AutoitProcessCarving

The AutoIt script is likely performing process carving (commonly called process hollowing): starting a legitimate process and replacing its image with the script's own code so that the code appears to come from another process. This is often done to hinder detection.

AutoitProcessInjection

The AutoIt script is likely performing process injection to run code in the context of other processes, possibly to stay undetected or to steal data.

AutoitRegWrite

The AutoIt script writes to the Windows registry, a common persistence mechanism.

Base64Alphabet

The file contains a Base64 alphabet (the 64-character table used to encode and decode Base64), which indicates that it carries its own encoder or decoder. Malware does this to obfuscate strings or payloads in order to avoid common detection, or to attack other programs that use Base64 encoding.

CommandlineArgsImport

The file imports functions that can be used to read arguments from the command line. Malware uses this to receive instructions or collect information on subsequent runs.

ComplexMultipleFilters

The PDF contains multiple streams that each chain multiple decode filters.

ComplexObfuscatedEncoding

The file contains an anomalously high number of obfuscated names.

ComplexUnsupportedVersionEmbeddedFiles

The file uses the EmbeddedFiles features from newer versions of the PDF standard than the file declares.

ComplexUnsupportedVersionFlate

The file uses the FlateDecode feature from newer versions of the PDF standard than the file declares.

ComplexUnsupportedVersionJbig2

The file uses the JBIG2Decode feature from newer versions of the PDF standard than the file declares.

ComplexUnsupportedVersionJs

The file uses JavaScript features from newer versions of the PDF standard than the file declares.

ComplexUnsupportedVersionXFA

The file uses XFA features from newer versions of the PDF standard than the file declares.

ComplexUnsupportedVersionXobject

The file uses XObject features from newer versions of the PDF standard than the file declares.

ContainsFlash

The file contains Flash (SWF) objects.

ContainsPE

The file contains embedded executable files.

ContainsU3D

The file contains U3D objects.

InvalidCodePageUsed

The file uses an invalid or unrecognized locale, possibly to avoid detection.

InvalidData

The file metadata is obviously bogus or corrupt.

InvalidStructure

The file structure is not valid. The sizes, metadata, or internal sector allocation table are wrong, which may indicate an exploit.

ManifestMismatch

The file demonstrates an inconsistency in its manifest. Malware does this to avoid detection, but rarely covers its tracks deeply.

NontrivialDLLEP

This PE is a DLL with a nontrivial entry point. This is common among DLLs, but a malicious DLL may use its entry point (DllMain) to take up residence in the process that loads it.

NullValuesInStrings

Some strings within the file contain null characters in the middle.

PDFParserArraysContainsNullCount

The file contains an anomalously high number of null values in arrays.

PDFParserArraysHeterogeneousCount

The file contains an anomalously high number of arrays containing different types of elements.

PDFParserMailtoURICount

The file contains an anomalously high number of email links (mailto:).

PDFParserMinPageCount

The file has an unusual structure of page objects, such as a high number of child-page objects per node.

PDFParserNamesPoundNameMaxLength

The file may attempt to obfuscate its contents by using long encoded strings.

PDFParserNamesPoundNameMinLength

The file contains an anomalously high minimum length of an escaped name.

PDFParserNamesPoundNameTotalLength

The file may attempt to obfuscate its contents by storing much of its content in encoded strings.

PDFParserNamesPoundNameUpperCount

The file contains an anomalously high number of names escaped with uppercase hexadecimal characters.

PDFParserNamesPoundNameValidCount

The file contains an anomalously high number of valid escaped names.

PDFParserNamesPoundPerNameMaxCount

The file contains an anomalously high maximum number of escaped characters per single name.

PDFParserNamesPoundUnnecessaryCount

The file contains an anomalously high number of unnecessarily escaped names (names in which #xx escapes are used for characters that could have been written literally).

PDFParserNumbersLeadingDigitTallies8

The file contains an anomalously high number of numbers that start with 8 in decimal representation.

PDFParserNumbersPlusCount

The file contains an anomalously high number of numbers with an explicit plus sign.

PDFParserNumbersRealMaxRawLength

The file contains an anomalously high maximum length of a real number.

PDFParserPageCounts

The file contains an anomalously high number of child-page objects.

PDFParserPageObjectCount

The file contains an anomalously high number of page objects.

PDFParserSizeEOF

The file contains anomalously long or repeated end-of-file (%%EOF) marker sequences.

PDFParserStringsHexLowerCount

The file contains an anomalously high number of strings escaped with lowercase hexadecimal digits.

PDFParserStringsLiteralStringMaxLength

The file contains an anomalously high maximum length of a literal string.

PDFParserStringsOctalZeroPaddedCount

The file contains an anomalously high number of octal escaped characters in strings that are unnecessarily zero-padded.

PDFParserTrailerSpread

The file contains an anomalously large spread between trailer objects.

PDFParserWhitespaceCommentMaxLength

The file contains an anomalously high maximum length for a comment.

PDFParserWhitespaceCommentMinLength

The file contains unusual short comments that are not used by reader software.

PDFParserWhitespaceCommentTotalLength

The file contains an unusually large amount of commented-out data.

PDFParserWhitespaceEOL0ACount

The file contains an anomalously high number of bare line-feed (0x0A) end-of-line characters, as opposed to CR or CRLF line endings.

PDFParserWhitespaceWhitespace00Count

The file contains an anomalously high number of zero-bytes used as whitespace.

PDFParserWhitespaceWhitespace09Count

The file contains an anomalously high number of tab (0x09) bytes used as whitespace.

PDFParserWhitespaceWhitespaceLongestRun

The file contains an anomalously long whitespace area.

PDFParserWhitespaceWhitespaceTotalLength

The file contains an anomalously high number of whitespaces.

PDFParseru3DObjectsNamesAllNames

The file contains an anomalously high number of U3D objects.
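The PDFParser* indicators above are statistics gathered by a lexical pass over the document's object syntax, compared against what is normal for benign PDFs. The following Python is an added illustration written for this page, not the indicator engine's own code: it computes a subset of those statistics (zero-byte and tab whitespace, bare-LF line endings, the longest whitespace run, comment lengths, #xx-escaped names and unnecessary escapes, numbers with an explicit plus sign, and %%EOF counts) over a constructed sample PDF. Stream bodies are skipped so that binary content does not pollute the whitespace counts. The thresholds in EXAMPLE_THRESHOLDS are placeholders chosen for this example; the real engine's notion of "anomalously high" comes from a baseline the page does not publish.

```python
import re
from collections import Counter

PDF_WS = rb"\x00\x09\x0a\x0c\x0d\x20"        # whitespace bytes defined by PDF syntax
PDF_DELIMS = b"()<>[]{}/%"                    # delimiter bytes; '#' itself is a regular character
STREAM_RE = re.compile(rb"stream\r?\n.*?endstream", re.DOTALL)
WS_RUN_RE = re.compile(b"[" + PDF_WS + b"]+")
BARE_LF_RE = re.compile(rb"(?<!\r)\n")        # LF not preceded by CR
COMMENT_RE = re.compile(rb"%[^\r\n]*")        # simplification: ignores '%' inside literal strings
NAME_RE = re.compile(b"/([^" + PDF_WS + rb"()<>\[\]{}/%]*)")
POUND_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
PLUS_NUM_RE = re.compile(rb"(?<![\w+.\-])\+\d+(?:\.\d*)?")


def decode_name(raw):
    """Resolve #xx escapes in a PDF name, e.g. b'#4F#70#65#6E#41#63#74#69#6F#6E' -> b'OpenAction'."""
    return POUND_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_lexical_stats(data):
    """Lexical statistics over the object syntax of a PDF (stream bodies are excluded)."""
    text = STREAM_RE.sub(b"", data)
    s = Counter()
    runs = [len(m.group()) for m in WS_RUN_RE.finditer(text)]
    s["PDFParserWhitespaceWhitespaceTotalLength"] = sum(runs)
    s["PDFParserWhitespaceWhitespaceLongestRun"] = max(runs, default=0)
    s["PDFParserWhitespaceWhitespace00Count"] = text.count(b"\x00")
    s["PDFParserWhitespaceWhitespace09Count"] = text.count(b"\x09")
    s["PDFParserWhitespaceEOL0ACount"] = len(BARE_LF_RE.findall(text))
    s["PDFParserSizeEOF"] = text.count(b"%%EOF")
    s["PDFParserNumbersPlusCount"] = len(PLUS_NUM_RE.findall(text))
    for m in COMMENT_RE.finditer(text):
        if m.group().startswith((b"%PDF-", b"%%EOF")):
            continue                          # header and EOF marker are syntax, not comments
        body = len(m.group()) - 1             # length after the '%'
        s["PDFParserWhitespaceCommentTotalLength"] += body
        s["PDFParserWhitespaceCommentMaxLength"] = max(s["PDFParserWhitespaceCommentMaxLength"], body)
    for m in NAME_RE.finditer(text):
        escapes = POUND_RE.findall(m.group(1))
        if not escapes:
            continue
        s["PDFParserNamesPoundNameValidCount"] += 1
        s["PDFParserNamesPoundPerNameMaxCount"] = max(s["PDFParserNamesPoundPerNameMaxCount"], len(escapes))
        for hexpair in escapes:
            ch = int(hexpair, 16)
            if hexpair != hexpair.lower():
                s["PDFParserNamesPoundNameUpperCount"] += 1
            # An escape is unnecessary when the byte could have been written literally
            if 0x21 <= ch <= 0x7E and ch not in PDF_DELIMS and ch != 0x23:
                s["PDFParserNamesPoundUnnecessaryCount"] += 1
    return s


# Placeholder thresholds (an assumption for this example, not the engine's baseline)
EXAMPLE_THRESHOLDS = {
    "PDFParserWhitespaceWhitespace00Count": 0,
    "PDFParserWhitespaceWhitespace09Count": 0,
    "PDFParserNamesPoundUnnecessaryCount": 4,
    "PDFParserNamesPoundPerNameMaxCount": 3,
    "PDFParserWhitespaceCommentMaxLength": 80,
    "PDFParserNumbersPlusCount": 0,
    "PDFParserSizeEOF": 1,
}


def flag_pdf_anomalies(data, thresholds=EXAMPLE_THRESHOLDS):
    """Return the indicator names whose statistic exceeds its threshold."""
    stats = pdf_lexical_stats(data)
    return {name for name, limit in thresholds.items() if stats[name] > limit}


# Constructed sample: obfuscated /OpenAction and /JavaScript names, NUL/tab whitespace,
# a '+1' count, a long comment, and three %%EOF markers. Not a real-world file.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"%\xe2\xe3\xcf\xd3\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /#4F#70#65#6E#41#63#74#69#6F#6E 4 0 R >>\nendobj\n"
    + b"% padding comment " + b"x" * 60 + b"\n"
    + b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count +1 >>\nendobj\n"
    + b"3 0 obj\x00\x00\x00\t\t<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    + b"4 0 obj\n<< /S /#4a#61#76#61#53#63#72#69#70#74 /JS (app.alert(1)) >>\nendobj\n"
    + b"5 0 obj\n<< /Length 5 >>\nstream\n\x00\x00\x00\x00\x00\nendstream\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n%%EOF\n%%EOF\n"
)

if __name__ == "__main__":
    for name, value in sorted(pdf_lexical_stats(SAMPLE_PDF).items()):
        print(f"{name}: {value}")
    print(sorted(flag_pdf_anomalies(SAMPLE_PDF)))
```

Running the block prints the statistics for the sample and the six indicators that fire under the placeholder thresholds; decode_name shows why the escaped names matter, since /#4F#70#65#6E#41#63#74#69#6F#6E is simply /OpenAction hidden from naive string matching.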

PossibleBAT

The file contains evidence of having a standard Windows batch file included. Malware does this to avoid common scanning techniques and to provide persistence.

PossibleDinkumware

The file shows evidence of including some components from DinkumWare. Dinkumware is frequently used in various malware components.

PropertyImpropriety

The file contains suspicious OOXML properties.

RaiseExceptionImports

The file imports functions used to raise exceptions within a program. Malware does this to implement anti-analysis tactics (such as routing control flow through exception handlers) that make standard dynamic code analysis difficult to follow.

ReservedFieldsViolation

The file violates the specification in terms of the use of reserved fields.

ResourceAnomaly

The file contains an anomaly in the resource section. Malware frequently contains malformed or otherwise odd data in the resource section of an executable or DLL.

RWXSection

This PE has a section marked readable, writable, and executable at the same time, so it may contain self-modifying code, which is at best unorthodox and at worst symptomatic of a virus infection. Frequently, this feature implies that the file was built with something other than a standard compiler or has been modified after it was originally built.
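Several of the PE indicators on this page (Anachronism, AppendedData, NontrivialDLLEP, RWXSection, TooMalformedToProcess) follow directly from fields in the PE headers. The Python below is an added example written for this page, not the indicator engine's own code, and uses simplified versions of those checks: a link timestamp later than the scan time, bytes past the end of the last section, a DLL with a non-zero entry point, and a section whose characteristics carry the read, write, and execute flags together. It parses the headers with the standard library only and builds its own minimal (non-loadable) PE32 image as a fixture, so there is no sample file to fetch; the fixture builder and the reference time are constructed for the example.

```python
import struct
import time

# Constants from the PE/COFF specification
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def scan_pe(data, now=None):
    """Return the set of indicator names raised by these simplified structural checks."""
    now = time.time() if now is None else now
    hits = set()
    try:
        if data[:2] != b"MZ":
            return {"TooMalformedToProcess"}
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return {"TooMalformedToProcess"}
        _, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
        opt_off = e_lfanew + 24
        entry = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
        sec_off = opt_off + opt_size
        # Anachronism (simplified): the link timestamp claims a build in the future
        if stamp > now:
            hits.add("Anachronism")
        # NontrivialDLLEP (simplified): a DLL that has an entry point at all
        if chars & IMAGE_FILE_DLL and entry != 0:
            hits.add("NontrivialDLLEP")
        data_end = sec_off + 40 * nsec
        for i in range(nsec):
            fields = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
            raw_size, raw_ptr, flags = fields[3], fields[4], fields[9]
            # RWXSection: readable, writable and executable at once
            if flags & RWX == RWX:
                hits.add("RWXSection")
            data_end = max(data_end, raw_ptr + raw_size)
        # AppendedData: bytes past the end of the last section (an overlay)
        if len(data) > data_end:
            hits.add("AppendedData")
    except struct.error:
        return {"TooMalformedToProcess"}
    return hits


def build_sample_pe(timestamp, dll=False, entry_point=0x1000, sections=(), overlay=b""):
    """Construct a minimal PE32 image in memory as a test fixture (not loadable).
    sections: sequence of (name, raw_bytes, characteristics)."""
    e_lfanew, opt_size, align = 0x80, 224, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    chars = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + align - 1) & ~(align - 1)
    sec_hdrs, sec_data, va = b"", b"", 0x1000
    for name, raw, flags in sections:
        size = (len(raw) + align - 1) & ~(align - 1)
        sec_hdrs += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\0"), len(raw), va,
                                size, raw_ptr + len(sec_data), 0, 0, 0, 0, flags)
        sec_data += raw.ljust(size, b"\0")
        va += 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return image.ljust(raw_ptr, b"\0") + sec_data + overlay


if __name__ == "__main__":
    now = 1_700_000_000  # fixed reference time so the result is reproducible
    sample = build_sample_pe(now + 400 * 86400, dll=True,
                             sections=[(".text", b"\x90" * 64, IMAGE_SCN_CNT_CODE | RWX)],
                             overlay=b"<constructed overlay: config blob>")
    print(sorted(scan_pe(sample, now)))
```

The checks are deliberately simpler than the engine's (the real Anachronism indicator also has to cope with zeroed or reproducible-build timestamps, and a nontrivial DLL entry point is about what the entry point does, not merely whether it exists), but they show which header fields each indicator is derived from and why an overlay or an RWX section is visible without executing the file.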

SectorMalfeasance

The file contains structural oddities with OLE sector allocation.

StringInvalid

One of the references to a string in a string table pointed to a negative offset.

StringTableNotTerminated

A string table was not terminated with a null byte. This could cause a fault at runtime, because code reading the table may run past the end of the unterminated string.

StringTruncated

One of the references to a string in a string table pointed to a location after the end of a file.

SuspiciousPDataSection

This PE is hiding something in its ".pdata" section, but it is not clear what it is. The ".pdata" section of a PE file normally holds the exception-handling function table (runtime function entries used for stack unwinding), but this particular file contains something else there.

SuspiciousRelocSection

This PE is hiding something in its ".reloc" section, but it is not clear what it is. The ".reloc" section of a PE file normally holds base relocations (the list of addresses to patch when the image is loaded at an address other than its preferred base), but this particular file contains something else there.

SuspiciousDirectoryNames

The file contains OLE directory names that are suspicious.

SuspiciousDirectoryStructure

The file has oddities in the OLE directory structure.

SuspiciousEmbedding

The file uses suspicious embedding of OLE.

SuspiciousVBA

The file contains suspicious VBA code.

SuspiciousVBALib

The file shows suspicious VBA library usage.

SuspiciousVBANames

The file contains suspicious names associated with VBA structures.

SuspiciousVBAVersion

The file contains suspicious VBA versioning.

SWFOddity

The file contains certain questionable usages of embedded SWF.

TooMalformedToProcess

The file is so malformed that it could not be parsed completely.

VersionAnomaly

The file has issues with how it presents its version information. Malware does this to avoid detection.