Classification
ReversingLabs uses a classification algorithm to determine the security status of every analyzed file.
The classification of a sample is based on a comprehensive assessment of its assigned risk factor, threat level, and trust factor; however, it can be manually or automatically overridden when necessary.
Based on this evaluation, files are placed into one of the following buckets:
- No threats found (unclassified)
- Goodware/known
- Suspicious
- Malicious
The classification process weighs signals from all available sources to arrive at the most accurate verdict. Some signals are considered more authoritative than others and take priority. For example, Spectra Core YARA rules always take precedence because they are written and curated by ReversingLabs analysts. These rules provide the highest degree of accuracy, as they target specific, named threats. This does not mean that other classification methods are less important. Similarity matching, heuristics, and machine learning still contribute valuable signals and may produce additional matches. In cases where multiple detections apply, YARA rules simply serve as the deciding factor for the final classification.
Risk score
A risk score is a value representing the trustworthiness or malicious severity of a sample. Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats. At a glance:
Classification | Trust factor | Threat level | Risk score | Severity | Comment |
---|---|---|---|---|---|
0 (no threats found) | N/A | N/A | N/A | ⬜ N/A | No threats found. Please submit the sample to Spectra Intelligence for classification. |
1 (goodware/known) | 0 | N/A | 0 | 🟩 Clean | File comes from a very trustworthy domain or has a very trustworthy certificate. Examples: HP, IBM, Microsoft, Oracle, Intel, Dell, Sony, Google... |
1 (goodware/known) | 1 | N/A | 1 | 🟩 Clean | File comes from a trustworthy domain or has a trustworthy certificate. Examples: php.net, mit.edu, postgresql.org, redhat.de, opera.com, nasa.gov... |
1 (goodware/known) | 2 | N/A | 2 | 🟩 Clean | File comes from a usually trusted domain. Examples: softpedia.com, sourceforge.net, cnet.com... |
1 (goodware/known) | 3 | N/A | 3 | 🟩 Likely clean | File comes from another known site. |
1 (goodware/known) | 4 | N/A | 4 | 🟩 Possibly clean | Some valid but not very trusted certificates. |
1 (goodware/known) | 5 | N/A | 5 | 🟩 Low | Low trust source, no whitelisted certificates. |
2 (suspicious) | N/A | 0 | 5 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 1 | 6 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 2 | 7 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 3 | 8 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 4 | 9 | 🟨 Low | More information about sample required for final classification. |
2 (suspicious) | N/A | 5 | 10 | 🟨 Low | More information about sample required for final classification. |
3 (malicious) | N/A | 0 | N/A | 🟧 Low | Low trust source, no whitelisted certificates. |
3 (malicious) | N/A | 1 | 6 | 🟧 Low | Adware, potentially unwanted apps, tools for masking malware (packers). |
3 (malicious) | N/A | 2 | 7 | 🟥 Medium | Spyware. |
3 (malicious) | N/A | 3 | 8 | 🟥 Medium | Tools used to introduce malware or to use infected machines for denial-of-service attacks. |
3 (malicious) | N/A | 4 | 9 | 🟥 High | Malicious browser extensions, fake antivirus software, rootkits. |
3 (malicious) | N/A | 5 | 10 | 🟥 High | Virus, worm, trojan, keylogger, infostealer. Most dangerous threats. |
Files with no threats found don't get assigned a risk score and are therefore unclassified.
Values from 0 to 5 are reserved for samples classified as goodware/known, and take into account the source and structural metadata of the file, among other things. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score.
Risk scores from 6 to 10 are reserved for suspicious and malicious samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more. Lesser threats like adware get a risk score of 6, while ransomware and trojans always get a risk score of 10.
Malware type and risk score
In cases where multiple threats are detected and there are no other factors (such as user overrides) involved, the final classification is always the one that presents the biggest threat. If they belong to the same risk score group, malware types are prioritized in this order:
Risk score | Malware types |
---|---|
10 | EXPLOIT > BACKDOOR > RANSOMWARE > INFOSTEALER > KEYLOGGER > WORM > VIRUS > CERTIFICATE > PHISHING > FORMAT > TROJAN |
9 | ROOTKIT > COINMINER > ROGUE > BROWSER |
8 | DOWNLOADER > DROPPER > DIALER > NETWORK |
7 | SPYWARE > HYPERLINK > SPAM > MALWARE |
6 | ADWARE > HACKTOOL > PUA > PACKED |
Threat level and trust factor
The risk score table describes the relationship between the risk score and the threat level and trust factor used by the File Reputation API.
The main difference is that the risk score maps all classifications onto one numerical scale (0-10), while the File Reputation API uses two different scales for different classifications.
Nomenclature
The following classifications are equivalent:
File Reputation API | Spectra Analyze | Spectra Detect Worker |
---|---|---|
known | goodware | 1 (in the Worker report) |
In the Worker report, the risk score is called rca_factor.
Deciding sample priority
The risk score table highlights that a sample's risk score and its classification don't have a perfect correlation. This means that a sample's risk score cannot be interpreted on its own, and that the primary criterion in deciding a sample's priority is its classification.
Samples classified as suspicious can be a result of heuristics, or a possible early detection. A suspicious file may be declared malicious or known at a later time if new information is received that changes its threat profile, or if the user manually modifies its status.
The system always considers a malicious sample with a risk score of 6 as a higher threat than a suspicious sample with a risk score of 10, meaning that samples classified as malicious always supersede suspicious samples, regardless of the calculated risk score.
The reason for this is certainty - a malicious sample is decidedly malicious, while suspicious samples need more data to confirm the detected threat. It is a constant effort by ReversingLabs to reduce the number of suspicious samples.
While a suspicious sample with a risk score of 10 does deserve user attention and shouldn't be ignored, a malicious sample with a risk score of 10 should be triaged as soon as possible.
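The ranking described in this section and in "Malware type and risk score" above, written out as an added example (not ReversingLabs code): classification decides first, the risk score second, and the malware-type order breaks ties within a risk score group. The sample records are constructed.

```python
# Added example, not ReversingLabs code: orders samples the way the page
# describes. Sample records below are constructed, not real data.

# Malicious always supersedes suspicious, regardless of the calculated risk score.
CLASSIFICATION_RANK = {"malicious": 3, "suspicious": 2, "goodware": 1, "known": 1, "unclassified": 0}

# Malware types per risk score group, highest priority first (from the table above).
TYPE_ORDER = {
    10: ["EXPLOIT", "BACKDOOR", "RANSOMWARE", "INFOSTEALER", "KEYLOGGER", "WORM",
         "VIRUS", "CERTIFICATE", "PHISHING", "FORMAT", "TROJAN"],
    9: ["ROOTKIT", "COINMINER", "ROGUE", "BROWSER"],
    8: ["DOWNLOADER", "DROPPER", "DIALER", "NETWORK"],
    7: ["SPYWARE", "HYPERLINK", "SPAM", "MALWARE"],
    6: ["ADWARE", "HACKTOOL", "PUA", "PACKED"],
}

def type_priority(risk_score, malware_type):
    """Position in the group's order (0 = highest); unknown types sort last."""
    order = TYPE_ORDER.get(risk_score, [])
    t = (malware_type or "").upper()
    return order.index(t) if t in order else len(order)

def priority_key(sample):
    """Sort key for sorted(): most urgent sample first. Classification wins
    outright, then risk score, then type order; unclassified has no score."""
    cls = CLASSIFICATION_RANK.get(sample.get("classification", "unclassified"), 0)
    score = sample.get("risk_score")
    score = -1 if score is None else score
    return (-cls, -score, type_priority(score, sample.get("type")))

def triage_order(samples):
    return sorted(samples, key=priority_key)

def final_detection(detections):
    """With several detections and no overrides, the biggest threat wins;
    ties on risk score are broken by the type order."""
    return min(detections, key=lambda d: (-d["risk_score"],
                                          type_priority(d["risk_score"], d["type"])))

SAMPLES = [  # constructed records, not real data
    {"sha1": "aaa", "classification": "suspicious", "risk_score": 10, "type": "TROJAN"},
    {"sha1": "bbb", "classification": "malicious", "risk_score": 6, "type": "ADWARE"},
    {"sha1": "ccc", "classification": "malicious", "risk_score": 10, "type": "TROJAN"},
    {"sha1": "ddd", "classification": "malicious", "risk_score": 10, "type": "RANSOMWARE"},
    {"sha1": "eee", "classification": "goodware", "risk_score": 2, "type": None},
]

if __name__ == "__main__":
    for s in triage_order(SAMPLES):
        print(s["classification"], s["risk_score"], s["type"], s["sha1"])
```

Note that the malicious sample with risk score 6 (bbb) is placed ahead of the suspicious sample with risk score 10 (aaa), exactly as the text requires.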
Malware naming standard
The ReversingLabs detection string consists of three main parts separated by dots. All parts of the string will always appear (all three parts are mandatory).
platform-subplatform.type.familyname
- The first part of the string indicates the platform targeted by the malware. This string is always one of the strings listed in the Platform string table. If the platform is Archive, Audio, ByteCode, Document, Image or Script, then it has a subplatform string. Platform and subplatform strings are divided by a hyphen (-). The lists of available strings for Archive, Audio, ByteCode, Document, Image and Script subplatforms can be found in their respective tables.
- The second part of the detection string describes the malware type. Strings that appear as malware type descriptions are listed in the Type string table.
- The third and last part of the detection string represents the malware family name, i.e. the name given to a particular malware strain. Names "Agent", "Gen", "Heur", and other similar short generic names are not allowed. Names can't be shorter than three characters, and can't contain only numbers. Special characters (apart from -) must be avoided as well. The hyphen (-) character is only allowed in exploit (CVE/CAN) names (for example CVE-2012-0158).
Examples
If a trojan is designed for the Windows 32-bit platform and has the family name "Adams", its detection string will look like this:
Win32.Trojan.Adams
If some backdoor malware is a PHP script with the family name "Jones", the detection string will look like this:
Script-PHP.Backdoor.Jones
Some potentially unwanted application designed for Android that has the family name "Smith" will have the following detection string:
Android.PUA.Smith
Some examples of detections with invalid family names are:
Win32.Dropper.Agent
ByteCode-MSIL.Keylogger.Heur
Script-JS.Hacktool.Gen
Android.Backdoor.12345
Document-PDF.Exploit.KO
Android.Spyware.1a
Android.Spyware.Not-a-CVE
Win32.Trojan.Blue_Banana
Win32.Ransomware.Hydra:Crypt
Win32.Ransomware.HDD#Cryptor
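The naming rules above, applied by a small validator written as an added example (not ReversingLabs code). The platform and subplatform sets are an abbreviated subset of the tables further down this page; the type set is the full Type string table.

```python
# Added example, not ReversingLabs code: checks a detection string against the
# naming rules above. Platform/subplatform sets are an abbreviated subset.
import re

PLATFORMS = {"Android", "Win32", "Win64", "Linux", "MacOS", "iOS", "DOS",
             "Archive", "Audio", "ByteCode", "Document", "Image", "Script"}
SUBPLATFORMS = {  # platforms that must carry a subplatform string
    "Archive": {"ZIP", "RAR", "7ZIP", "JAR", "ISO", "CAB"},
    "Audio": {"WAV"},
    "ByteCode": {"JAVA", "MSIL", "SWF"},
    "Document": {"PDF", "Word", "Excel", "RTF", "HTML", "OLE"},
    "Image": {"PNG", "JPEG", "GIF", "BMP", "WMF"},
    "Script": {"JS", "PHP", "PowerShell", "Python", "BAT", "WScript"},
}
TYPES = {"Adware", "Backdoor", "Browser", "Certificate", "Coinminer", "Dialer",
         "Downloader", "Dropper", "Exploit", "Format", "Hacktool", "Hyperlink",
         "Infostealer", "Keylogger", "Malware", "Network", "Packed", "Phishing",
         "PUA", "Ransomware", "Rogue", "Rootkit", "Spam", "Spyware", "Trojan",
         "Virus", "Worm"}
GENERIC_NAMES = {"agent", "gen", "heur"}
EXPLOIT_ID = re.compile(r"(CVE|CAN)-\d{4}-\d{4,}")  # the only names allowed a '-'

def validate(detection):
    """Return (is_valid, reason); reason is 'ok' when every rule passes."""
    parts = detection.split(".")
    if len(parts) != 3:
        return False, "exactly three dot-separated parts are required"
    platform, mtype, family = parts
    base, _, sub = platform.partition("-")
    if base not in PLATFORMS:
        return False, f"unknown platform {base!r}"
    if base in SUBPLATFORMS and sub not in SUBPLATFORMS[base]:
        return False, f"{base} requires a known subplatform, got {sub!r}"
    if base not in SUBPLATFORMS and sub:
        return False, f"{base} does not take a subplatform"
    if mtype not in TYPES:
        return False, f"unknown type {mtype!r}"
    if family.lower() in GENERIC_NAMES:
        return False, "generic family names (Agent, Gen, Heur) are not allowed"
    if len(family) < 3:
        return False, "family name must be at least three characters"
    if family.isdigit():
        return False, "family name cannot consist only of numbers"
    if not re.fullmatch(r"[A-Za-z0-9-]+", family):
        return False, "family name contains a special character"
    if "-" in family and not (mtype == "Exploit" and EXPLOIT_ID.fullmatch(family)):
        return False, "'-' is only allowed in exploit (CVE/CAN) family names"
    return True, "ok"
```

Running the page's valid examples through validate() returns (True, "ok"); each of the invalid examples listed above is rejected with the rule it breaks.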
Platform string
The platform string indicates the operating system that the malware is designed for. The following table contains the available strings and the operating systems for which they are used.
String | Short description |
---|---|
ABAP | SAP / R3 Advanced Business Application Programming environment |
Android | Applications for Android OS |
AOL | America Online environment |
Archive | Archives. See Archive subplatforms for more information. |
Audio | Audio. See Audio subplatforms for more information. |
BeOS | Executable content for Be Inc. operating system |
Boot | Boot, MBR |
Binary | Binary native type |
ByteCode | ByteCode, platform-independent. See ByteCode subplatforms for more information. |
Blackberry | Applications for Blackberry OS |
Console | Executables or applications for old consoles (e.g. Nintendo, Amiga, ...) |
Document | Documents. See Document subplatforms for more information. |
DOS | DOS, Windows 16 bit based OS |
EPOC | Applications for EPOC mobile OS |
Email | Emails. See Email subplatforms for more information. |
Firmware | BIOS, Embedded devices (mp3 players, ...) |
FreeBSD | Executable content for 32-bit and 64-bit FreeBSD platforms |
Image | Images. See Image subplatforms for more information. |
iOS | Applications for Apple iOS (iPod, iPhone, iPad…) |
Linux | Executable content for 32 and 64-bit Linux operating systems |
MacOS | Executable content for Apple Mac OS, OS X |
Menuet | Executable content for Menuet OS |
Novell | Executable content for Novell OS |
OS2 | Executable content for IBM OS/2 |
Package | Software packages. See Package subplatforms for more information. |
Palm | Applications for Palm mobile OS |
Script | Scripts. See Script subplatforms for more information. |
Shortcut | Shortcuts |
Solaris | Executable content for Solaris OS |
SunOS | Executable content for SunOS platform |
Symbian | Applications for Symbian OS |
Text | Text native type |
Unix | Executable content for the UNIX platform |
Video | Videos |
WebAssembly | Binary format for executable code in Web pages |
Win32 | Executable content for 32-bit Windows OS's |
Win64 | Executable content for 64-bit Windows OS's |
WinCE | Executable content for Windows Embedded Compact OS |
WinPhone | Applications for Windows Phone |
Archive subplatforms
String | Short description |
---|---|
ACE | WinAce archives |
AR | AR archives |
ARJ | ARJ (Archived by Robert Jung) archives |
BZIP2 | Bzip2 archives |
CAB | Microsoft Cabinet archives |
GZIP | GNU Zip archives |
ISO | ISO image files |
JAR | JAR (Java ARchive) archives |
LZH | LZH archives |
RAR | RAR (Roshal Archive) archives |
7ZIP | 7-Zip archives |
SZDD | Microsoft SZDD archives |
TAR | Tar (tarball) archives |
XAR | XAR (eXtensible ARchive) archives |
ZIP | ZIP archives |
ZOO | ZOO archives |
Other Archive identification | All other valid Spectra Core identifications of Archive type |
Audio subplatforms
String | Short description |
---|---|
WAV | Wave Audio File Format |
Other Audio identification | All other valid Spectra Core identifications of Audio type |
ByteCode subplatforms
String | Short description |
---|---|
JAVA | Java bytecode |
MSIL | MSIL bytecode |
SWF | Adobe Flash |
Document subplatforms
String | Short description |
---|---|
Access | Microsoft Office Access |
CHM | Compiled HTML |
Cookie | Cookie files |
Excel | Microsoft Office Excel |
HTML | HTML documents |
Multimedia | Multimedia containers that aren't covered by other platforms (e.g. ASF) |
Office | File that affects multiple Office components |
OLE | Microsoft Object Linking and Embedding |
PDF | PDF documents |
PowerPoint | Microsoft Office PowerPoint |
Project | Microsoft Office Project |
Publisher | Microsoft Office Publisher |
RTF | RTF documents |
Visio | Microsoft Office Visio |
XML | XML and XML metafiles (ASX) |
Word | Microsoft Office Word |
Other Document identification | All other valid Spectra Core identifications of Document type |
Email subplatforms
String | Short description |
---|---|
MIME | Multipurpose Internet Mail Extensions |
MSG | Outlook MSG file format |
Image subplatforms
String | Short description |
---|---|
ANI | File format used for animated mouse cursors on Microsoft Windows |
BMP | Bitmap images |
EMF | Enhanced Metafile images |
EPS | Adobe Encapsulated PostScript images |
GIF | Graphics Interchange Format |
JPEG | JPEG images |
OTF | OpenType Font |
PNG | Portable Network Graphics |
TIFF | Tagged Image File Format |
TTF | Apple TrueType Font |
WMF | Windows Metafile images |
Other Image identification | All other valid Spectra Core identifications of Image type |
Package subplatforms
String | Short description |
---|---|
NuGet | NuGet packages |
DEB | Debian Linux DEB packages |
RPM | Linux RPM packages |
WindowStorePackage | Packages for distributing and installing Windows apps |
Other Package identification | All other valid Spectra Core identifications of Package type |
Script subplatforms
String | Short description |
---|---|
ActiveX | ActiveX scripts |
AppleScript | AppleScript scripts |
ASP | ASP scripts |
AutoIt | AutoIt scripts (Windows) |
AutoLISP | AutoCAD LISP scripts |
BAT | Batch scripts |
CGI | CGI scripts |
CorelDraw | CorelDraw scripts |
Ferite | Ferite scripts |
INF | INF Script, Windows installer scripts |
INI | INI configuration file |
IRC | IRC, mIRC, pIRC/Pirch Script |
JS | Javascript, JScript |
KiXtart | KiXtart scripts |
Logo | Logo scripts |
Lua | Lua scripts |
Macro | Macro (e.g. VBA, AmiPro macros, Lotus123 macros) |
Makefile | Makefile configuration |
Matlab | Matlab scripts |
Perl | Perl scripts |
PHP | PHP scripts |
PowerShell | PowerShell scripts, Monad (MSH) |
Python | Python scripts |
Registry | Windows Registry scripts |
Ruby | Ruby scripts |
Shell | Shell scripts |
Shockwave | Shockwave scripts |
SQL | SQL scripts |
SubtitleWorkshop | SubtitleWorkshop scripts |
WinHelp | WinHelp Script |
WScript | Windows Scripting Host related scripts (can be VBScript, JScript, …) |
Other Script identification | All other valid Spectra Core identifications of Script type |
Type string
This string is used to describe the general type of malware. The following table contains the available strings and describes what each malware type is capable of.
String | Description |
---|---|
Adware | Presents unwanted advertisements |
Backdoor | Bypasses device security and allows remote access |
Browser | Browser helper objects, toolbars, and malicious extensions |
Certificate | Classification derived from certificate data |
Coinminer | Uses system resources for cryptocurrency mining without the user's permission |
Dialer | Applications used for war-dialing and calling premium numbers |
Downloader | Downloads other malware or components |
Dropper | Drops malicious artifacts including other malware |
Exploit | Exploits for various vulnerabilities, CVE/CAN entries |
Format | Malformations of the file format. Classification derived from graylisting, validators on unpackers |
Hacktool | Software used in hacking attacks, that might also have a legitimate use |
Hyperlink | Classifications derived from extracted URLs |
Infostealer | Steals personal info, passwords, etc. |
Keylogger | Records keystrokes |
Malware | New and recently discovered malware not yet named by the research community |
Network | Networking utilities, such as tools for DoS, DDoS, etc. |
Packed | Packed applications (UPX, PECompact…) |
Phishing | Email messages (or documents) created with the aim of misleading the victim by disguising itself as a trustworthy entity into opening malicious links, disclosing personal information or opening malicious files. |
PUA | Potentially unwanted applications (hoax, joke, misleading...) |
Ransomware | Malware which encrypts files and demands money for decryption |
Rogue | Fraudulent AV installs and scareware |
Rootkit | Provides undetectable administrator access to a computer or a mobile device |
Spam | Other junk mail that does not unambiguously fall into the Phishing category, but contains unwanted or illegal content. |
Spyware | Collects personal information and spies on users |
Trojan | Allows remote access, hides in legit applications |
Virus | Self-replicating file/disk/USB infectors |
Worm | Self-propagating malware with exploit payloads |