Classification

ReversingLabs uses a classification algorithm that places analyzed files into the following buckets:

  • No threats found (unclassified)
  • Goodware/known
  • Suspicious
  • Malicious

The classification of a sample is based on a comprehensive assessment of its assigned risk factor, threat level, and trust factor; however, it can be manually or automatically overridden when necessary.

Risk score

A risk score is a value representing the trustworthiness or malicious severity of a sample. Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats. At a glance:

| Classification | Trust factor | Threat level | Risk score | Severity | Comment |
|---|---|---|---|---|---|
| 0 (no threats found) | N/A | N/A | N/A | ⬜ N/A | No threats found. Please submit the sample to Spectra Intelligence for classification. |
| 1 (goodware/known) | 0 | N/A | 0 | 🟩 Clean | File comes from a very trustworthy domain or has a very trustworthy certificate. Examples: HP, IBM, Microsoft, Oracle, Intel, Dell, Sony, Google... |
| | 1 | N/A | 1 | 🟩 Clean | File comes from a trustworthy domain or has a trustworthy certificate. Examples: php.net, mit.edu, postgresql.org, redhat.de, opera.com, nasa.gov... |
| | 2 | N/A | 2 | 🟩 Clean | File comes from a usually trusted domain. Examples: softpedia.com, sourceforge.net, cnet.com... |
| | 3 | N/A | 3 | 🟩 Likely clean | File comes from another known site. |
| | 4 | N/A | 4 | 🟩 Possibly clean | Some valid but not very trusted certificates. |
| | 5 | N/A | 5 | 🟩 Low | Low trust source, no whitelisted certificates. |
| 2 (suspicious) | N/A | 0 | 5 | 🟨 Low | More information about sample required for final classification. |
| | N/A | 1 | 6 | 🟨 Low | More information about sample required for final classification. |
| | N/A | 2 | 7 | 🟨 Low | More information about sample required for final classification. |
| | N/A | 3 | 8 | 🟨 Low | More information about sample required for final classification. |
| | N/A | 4 | 9 | 🟨 Low | More information about sample required for final classification. |
| | N/A | 5 | 10 | 🟨 Low | More information about sample required for final classification. |
| 3 (malicious) | N/A | 0 | N/A | 🟧 Low | Low trust source, no whitelisted certificates. |
| | N/A | 1 | 6 | 🟧 Low | Adware, potentially unwanted apps, tools for masking malware (packers). |
| | N/A | 2 | 7 | 🟥 Medium | Spyware. |
| | N/A | 3 | 8 | 🟥 Medium | Tools used to introduce malware or to use infected machines for denial-of-service attacks. |
| | N/A | 4 | 9 | 🟥 High | Malicious browser extensions, fake antivirus software, rootkits. |
| | N/A | 5 | 10 | 🟥 High | Virus, worm, trojan, keylogger, infostealer. Most dangerous threats. |

Files with no threats found don't get assigned a risk score and are therefore unclassified.

Values from 0 to 5 are reserved for samples classified as goodware/known, and take into account the source and structural metadata of the file, among other things. Since goodware samples do not have threat names associated with them, they receive a description based on their risk score.

Risk scores from 6 to 10 are reserved for suspicious and malicious samples, and express their severity. They are calculated by a ReversingLabs proprietary algorithm, and based on many factors such as file origin, threat type, how frequently it occurs in the wild, YARA rules, and more. Lesser threats like adware get a risk score of 6, while ransomware and trojans always get a risk score of 10.

Malware type and risk score

In cases where multiple threats are detected and there are no other factors (such as user overrides) involved, the final classification is always the one that presents the biggest threat. If they belong to the same risk score group, malware types are prioritized in this order:

| Risk score | Malware types |
|---|---|
| 10 | EXPLOIT > BACKDOOR > RANSOMWARE > INFOSTEALER > KEYLOGGER > WORM > VIRUS > CERTIFICATE > PHISHING > FORMAT > TROJAN |
| 9 | ROOTKIT > COINMINER > ROGUE > BROWSER |
| 8 | DOWNLOADER > DROPPER > DIALER > NETWORK |
| 7 | SPYWARE > HYPERLINK > SPAM > MALWARE |
| 6 | ADWARE > HACKTOOL > PUA > PACKED |

Threat level and trust factor

The risk score table describes the relationship between the risk score and the threat level and trust factor used by the File Reputation API.

The main difference is that the risk score maps all classifications onto one numerical scale (0-10), while the File Reputation API uses two different scales for different classifications.

Nomenclature

The following classifications are equivalent:

| File Reputation API | Spectra Analyze | Spectra Detect Worker |
|---|---|---|
| known | goodware | 1 (in the Worker report) |

In the Worker report, the risk score is called rca_factor.

Deciding sample priority

The risk score table highlights that a sample's risk score and its classification don't have a perfect correlation. This means that a sample's risk score cannot be interpreted on its own, and that the primary criterion in deciding a sample's priority is its classification.

Samples classified as suspicious can be a result of heuristics, or a possible early detection. A suspicious file may be declared malicious or known at a later time if new information is received that changes its threat profile, or if the user manually modifies its status.

The system always considers a malicious sample with a risk score of 6 as a higher threat than a suspicious sample with a risk score of 10, meaning that samples classified as malicious always supersede suspicious samples, regardless of the calculated risk score.

The reason for this is certainty: a malicious sample is decidedly malicious, while suspicious samples need more data to confirm the detected threat. It is a constant effort by ReversingLabs to reduce the number of suspicious samples.

While a suspicious sample with a risk score of 10 does deserve user attention and shouldn't be ignored, a malicious sample with a risk score of 10 should be triaged as soon as possible.
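The ordering rules from the two sections above (final classification among several detections, and triage priority between samples), together with the trust factor / threat level mapping from the risk score table, written out as an added example. This is illustrative code, not ReversingLabs' own implementation; the classification labels and the "unknown type sorts last in its group" choice are assumptions.

```python
# Classification rank: malicious supersedes suspicious, which supersedes
# goodware/known; "no threats found" samples carry no risk score at all.
CLASS_RANK = {"unclassified": 0, "goodware": 1, "suspicious": 2, "malicious": 3}

# Malware-type priority within each risk score group, taken from the page's
# table (earlier in the list = higher priority).
TYPE_PRIORITY = {
    10: ["EXPLOIT", "BACKDOOR", "RANSOMWARE", "INFOSTEALER", "KEYLOGGER", "WORM",
         "VIRUS", "CERTIFICATE", "PHISHING", "FORMAT", "TROJAN"],
    9: ["ROOTKIT", "COINMINER", "ROGUE", "BROWSER"],
    8: ["DOWNLOADER", "DROPPER", "DIALER", "NETWORK"],
    7: ["SPYWARE", "HYPERLINK", "SPAM", "MALWARE"],
    6: ["ADWARE", "HACKTOOL", "PUA", "PACKED"],
}

def risk_score(classification, trust_factor=None, threat_level=None):
    """Map File Reputation API trust factor / threat level onto the 0-10 risk
    score, following the risk score table. None stands for the table's N/A."""
    if classification == "goodware":
        return trust_factor                # trust factor 0-5 maps 1:1 to risk 0-5
    if classification == "suspicious":
        return threat_level + 5            # threat level 0-5 -> risk 5-10
    if classification == "malicious":      # threat level 0 has no risk score
        return None if threat_level == 0 else threat_level + 5
    return None                            # no threats found: unclassified

def threat_key(detection):
    """Sort key for a (classification, risk_score, malware_type) triple: the
    bigger the tuple, the bigger the threat. Classification is compared first,
    so malicious/6 outranks suspicious/10; risk score breaks ties inside one
    classification and the type order above breaks ties inside one score."""
    classification, risk, mtype = detection
    group = TYPE_PRIORITY.get(risk, [])
    mtype = (mtype or "").upper()
    pos = group.index(mtype) if mtype in group else len(group)  # unknown type last
    return (CLASS_RANK[classification], -1 if risk is None else risk, -pos)

def final_classification(detections):
    """With several detections and no user overrides, keep the biggest threat."""
    return max(detections, key=threat_key)

def triage_order(samples):
    """Order (sample_id, detection) pairs so the most urgent sample comes first."""
    return sorted(samples, key=lambda s: threat_key(s[1]), reverse=True)
```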

Malware naming standard

The ReversingLabs detection string consists of three main parts separated by dots. All parts of the string will always appear (all three parts are mandatory).

platform-subplatform.type.familyname
  1. The first part of the string indicates the platform targeted by the malware.

    This string is always one of the strings listed in the Platform string table. If the platform is Archive, Audio, ByteCode, Document, Image or Script, then it has a subplatform string. Platform and subplatform strings are divided by a hyphen (-). The lists of available strings for Archive, Audio, ByteCode, Document, Image and Script subplatforms can be found in their respective tables.

  2. The second part of the detection string describes the malware type. Strings that appear as malware type descriptions are listed in the Type string table.

  3. The third and last part of the detection string represents the malware family name, i.e. the name given to a particular malware strain.

    Names "Agent", "Gen", "Heur", and other similar short generic names are not allowed. Names can't be shorter than three characters, and can't contain only numbers. Special characters (apart from -) must be avoided as well. The - character is only allowed in exploit (CVE/CAN) names (for example CVE-2012-0158).

Examples

If a trojan is designed for the Windows 32-bit platform and has the family name "Adams", its detection string will look like this:

Win32.Trojan.Adams

If some backdoor malware is a PHP script with the family name "Jones", the detection string will look like this:

Script-PHP.Backdoor.Jones

Some potentially unwanted application designed for Android that has the family name "Smith" will have the following detection string:

Android.PUA.Smith

Some examples of detections with invalid family names are:

Win32.Dropper.Agent
ByteCode-MSIL.Keylogger.Heur
Script-JS.Hacktool.Gen
Android.Backdoor.12345
Document-PDF.Exploit.KO
Android.Spyware.1a
Android.Spyware.Not-a-CVE
Win32.Trojan.Blue_Banana
Win32.Ransomware.Hydra:Crypt
Win32.Ransomware.HDD#Cryptor
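A validator for the three-part detection string described above, added here as an example and not ReversingLabs code. It encodes the platform and type strings from this page's tables and the family-name rules, and treats Email and Package (which also have subplatform tables on this page) as subplatform-bearing alongside the six platforms named in the text; that widening, and checking only the three generic names the text lists, are assumptions.

```python
import re

# Platform strings from the page's Platform string table.
PLATFORMS = {
    "ABAP", "Android", "AOL", "Archive", "Audio", "BeOS", "Boot", "Binary",
    "ByteCode", "Blackberry", "Console", "Document", "DOS", "EPOC", "Email",
    "Firmware", "FreeBSD", "Image", "iOS", "Linux", "MacOS", "Menuet", "Novell",
    "OS2", "Package", "Palm", "Script", "Shortcut", "Solaris", "SunOS", "Symbian",
    "Text", "Unix", "Video", "WebAssembly", "Win32", "Win64", "WinCE", "WinPhone",
}
# Platforms that carry a subplatform string: the six named in the text plus
# Email and Package, which also have subplatform tables (assumption).
SUBPLATFORM_REQUIRED = {"Archive", "Audio", "ByteCode", "Document", "Email",
                        "Image", "Package", "Script"}
# Type strings from the page's Type string table.
TYPES = {
    "Adware", "Backdoor", "Browser", "Certificate", "Coinminer", "Dialer",
    "Downloader", "Dropper", "Exploit", "Format", "Hacktool", "Hyperlink",
    "Infostealer", "Keylogger", "Malware", "Network", "Packed", "Phishing", "PUA",
    "Ransomware", "Rogue", "Rootkit", "Spam", "Spyware", "Trojan", "Virus", "Worm",
}
GENERIC_NAMES = {"agent", "gen", "heur"}            # generic names the page forbids
CVE_NAME = re.compile(r"^(CVE|CAN)-\d{4}-\d{4,}$")  # the only place '-' may appear

def validate(detection):
    """Return the list of rule violations for a detection string (empty = valid)."""
    errors = []
    parts = detection.split(".")
    if len(parts) != 3:
        return [f"expected exactly 3 dot-separated parts, got {len(parts)}"]
    platform_part, mtype, family = parts
    platform, _, subplatform = platform_part.partition("-")
    if platform not in PLATFORMS:
        errors.append(f"unknown platform '{platform}'")
    if platform in SUBPLATFORM_REQUIRED and not subplatform:
        errors.append(f"platform '{platform}' requires a subplatform")
    if platform not in SUBPLATFORM_REQUIRED and subplatform:
        errors.append(f"platform '{platform}' does not take a subplatform")
    if mtype not in TYPES:
        errors.append(f"unknown type '{mtype}'")
    if family.lower() in GENERIC_NAMES:
        errors.append(f"generic family name '{family}' is not allowed")
    if len(family) < 3:
        errors.append("family name shorter than three characters")
    if family.isdigit():
        errors.append("family name must not consist of numbers only")
    if "-" in family and not CVE_NAME.match(family):
        errors.append("'-' is only allowed in CVE/CAN exploit names")
    if re.search(r"[^A-Za-z0-9-]", family):
        errors.append("family name contains special characters")
    return errors
```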

Platform string

The platform string indicates the operating system that the malware is designed for. The following table contains the available strings and the operating systems for which they are used.

| String | Short description |
|---|---|
| ABAP | SAP / R3 Advanced Business Application Programming environment |
| Android | Applications for Android OS |
| AOL | America Online environment |
| Archive | Archives. See Archive subplatforms for more information. |
| Audio | Audio. See Audio subplatforms for more information. |
| BeOS | Executable content for Be Inc. operating system |
| Boot | Boot, MBR |
| Binary | Binary native type |
| ByteCode | ByteCode, platform-independent. See ByteCode subplatforms for more information. |
| Blackberry | Applications for Blackberry OS |
| Console | Executables or applications for old consoles (e.g. Nintendo, Amiga, ...) |
| Document | Documents. See Document subplatforms for more information. |
| DOS | DOS, Windows 16 bit based OS |
| EPOC | Applications for EPOC mobile OS |
| Email | Emails. See Email subplatforms for more information. |
| Firmware | BIOS, Embedded devices (mp3 players, ...) |
| FreeBSD | Executable content for 32-bit and 64-bit FreeBSD platforms |
| Image | Images. See Image subplatforms for more information. |
| iOS | Applications for Apple iOS (iPod, iPhone, iPad…) |
| Linux | Executable content for 32 and 64-bit Linux operating systems |
| MacOS | Executable content for Apple Mac OS, OS X |
| Menuet | Executable content for Menuet OS |
| Novell | Executable content for Novell OS |
| OS2 | Executable content for IBM OS/2 |
| Package | Software packages. See Package subplatforms for more information. |
| Palm | Applications for Palm mobile OS |
| Script | Scripts. See Script subplatforms for more information. |
| Shortcut | Shortcuts |
| Solaris | Executable content for Solaris OS |
| SunOS | Executable content for SunOS platform |
| Symbian | Applications for Symbian OS |
| Text | Text native type |
| Unix | Executable content for the UNIX platform |
| Video | Videos |
| WebAssembly | Binary format for executable code in Web pages |
| Win32 | Executable content for 32-bit Windows OS's |
| Win64 | Executable content for 64-bit Windows OS's |
| WinCE | Executable content for Windows Embedded Compact OS |
| WinPhone | Applications for Windows Phone |

Archive subplatforms

| String | Short description |
|---|---|
| ACE | WinAce archives |
| AR | AR archives |
| ARJ | ARJ (Archived by Robert Jung) archives |
| BZIP2 | Bzip2 archives |
| CAB | Microsoft Cabinet archives |
| GZIP | GNU Zip archives |
| ISO | ISO image files |
| JAR | JAR (Java ARchive) archives |
| LZH | LZH archives |
| RAR | RAR (Roshal Archive) archives |
| 7ZIP | 7-Zip archives |
| SZDD | Microsoft SZDD archives |
| TAR | Tar (tarball) archives |
| XAR | XAR (eXtensible ARchive) archives |
| ZIP | ZIP archives |
| ZOO | ZOO archives |
| Other Archive identification | All other valid Spectra Core identifications of Archive type |

Audio subplatforms

| String | Short description |
|---|---|
| WAV | Wave Audio File Format |
| Other Audio identification | All other valid Spectra Core identifications of Audio type |

ByteCode subplatforms

| String | Short description |
|---|---|
| JAVA | Java bytecode |
| MSIL | MSIL bytecode |
| SWF | Adobe Flash |

Document subplatforms

| String | Short description |
|---|---|
| Access | Microsoft Office Access |
| CHM | Compiled HTML |
| Cookie | Cookie files |
| Excel | Microsoft Office Excel |
| HTML | HTML documents |
| Multimedia | Multimedia containers that aren't covered by other platforms (e.g. ASF) |
| Office | File that affects multiple Office components |
| OLE | Microsoft Object Linking and Embedding |
| PDF | PDF documents |
| PowerPoint | Microsoft Office PowerPoint |
| Project | Microsoft Office Project |
| Publisher | Microsoft Office Publisher |
| RTF | RTF documents |
| Visio | Microsoft Office Visio |
| XML | XML and XML metafiles (ASX) |
| Word | Microsoft Office Word |
| Other Document identification | All other valid Spectra Core identifications of Document type |

Email subplatforms

| String | Short description |
|---|---|
| MIME | Multipurpose Internet Mail Extensions |
| MSG | Outlook MSG file format |

Image subplatforms

| String | Short description |
|---|---|
| ANI | File format used for animated mouse cursors on Microsoft Windows |
| BMP | Bitmap images |
| EMF | Enhanced Metafile images |
| EPS | Adobe Encapsulated PostScript images |
| GIF | Graphics Interchange Format |
| JPEG | JPEG images |
| OTF | OpenType Font |
| PNG | Portable Network Graphics |
| TIFF | Tagged Image File Format |
| TTF | Apple TrueType Font |
| WMF | Windows Metafile images |
| Other Image identification | All other valid Spectra Core identifications of Image type |

Package subplatforms

| String | Short description |
|---|---|
| NuGet | NuGet packages |
| DEB | Debian Linux DEB packages |
| RPM | Linux RPM packages |
| WindowStorePackage | Packages for distributing and installing Windows apps |
| Other Package identification | All other valid Spectra Core identifications of Package type |

Script subplatforms

| String | Short description |
|---|---|
| ActiveX | ActiveX scripts |
| AppleScript | AppleScript scripts |
| ASP | ASP scripts |
| AutoIt | AutoIt scripts (Windows) |
| AutoLISP | AutoCAD LISP scripts |
| BAT | Batch scripts |
| CGI | CGI scripts |
| CorelDraw | CorelDraw scripts |
| Ferite | Ferite scripts |
| INF | INF Script, Windows installer scripts |
| INI | INI configuration file |
| IRC | IRC, mIRC, pIRC/Pirch Script |
| JS | Javascript, JScript |
| KiXtart | KiXtart scripts |
| Logo | Logo scripts |
| Lua | Lua scripts |
| Macro | Macro (e.g. VBA, AmiPro macros, Lotus123 macros) |
| Makefile | Makefile configuration |
| Matlab | Matlab scripts |
| Perl | Perl scripts |
| PHP | PHP scripts |
| PowerShell | PowerShell scripts, Monad (MSH) |
| Python | Python scripts |
| Registry | Windows Registry scripts |
| Ruby | Ruby scripts |
| Shell | Shell scripts |
| Shockwave | Shockwave scripts |
| SQL | SQL scripts |
| SubtitleWorkshop | SubtitleWorkshop scripts |
| WinHelp | WinHelp Script |
| WScript | Windows Scripting Host related scripts (can be VBScript, JScript, …) |
| Other Script identification | All other valid Spectra Core identifications of Script type |

Type string

This string is used to describe the general type of malware. The following table contains the available strings and describes what each malware type is capable of.

| String | Description |
|---|---|
| Adware | Presents unwanted advertisements |
| Backdoor | Bypasses device security and allows remote access |
| Browser | Browser helper objects, toolbars, and malicious extensions |
| Certificate | Classification derived from certificate data |
| Coinminer | Uses system resources for cryptocurrency mining without the user's permission |
| Dialer | Applications used for war-dialing and calling premium numbers |
| Downloader | Downloads other malware or components |
| Dropper | Drops malicious artifacts including other malware |
| Exploit | Exploits for various vulnerabilities, CVE/CAN entries |
| Format | Malformations of the file format. Classification derived from graylisting, validators on unpackers |
| Hacktool | Software used in hacking attacks, that might also have a legitimate use |
| Hyperlink | Classifications derived from extracted URLs |
| Infostealer | Steals personal info, passwords, etc. |
| Keylogger | Records keystrokes |
| Malware | New and recently discovered malware not yet named by the research community |
| Network | Networking utilities, such as tools for DoS, DDoS, etc. |
| Packed | Packed applications (UPX, PECompact…) |
| Phishing | Email messages (or documents) created with the aim of misleading the victim, by disguising themselves as a trustworthy entity, into opening malicious links, disclosing personal information or opening malicious files. |
| PUA | Potentially unwanted applications (hoax, joke, misleading...) |
| Ransomware | Malware which encrypts files and demands money for decryption |
| Rogue | Fraudulent AV installs and scareware |
| Rootkit | Provides undetectable administrator access to a computer or a mobile device |
| Spam | Other junk mail that does not unambiguously fall into the Phishing category, but contains unwanted or illegal content. |
| Spyware | Collects personal information and spies on users |
| Trojan | Allows remote access, hides in legit applications |
| Virus | Self-replicating file/disk/USB infectors |
| Worm | Self-propagating malware with exploit payloads |