Spectra Core Tags Reference — File Classification and Security
Spectra Core assigns tags to files during static analysis based on detected properties including certificate information, software behaviors, file contents, and security characteristics. Tags can be queried through Advanced Search in Spectra Analyze and the TCA-0320 API in Spectra Intelligence.

Generic tags - can be applied to many file formats

| Tag | Description |
|---|---|
| access-control-information | The file contains access control descriptors such as file permissions, group memberships or similar information about a securable object |
| anonymous-email | The file contains e-mail addresses from anonymous e-mail providers |
| cert-appendix | The file contains additional data after the certificate |
| cert-bad-checksum | The file was signed with an invalid certificate (it didn't pass the validation process) |
| cert-bad-timestamp | The file is digitally signed with a certificate that has a bad timestamp |
| cert-cross-signed | The file is digitally signed with a Microsoft cross-certificate for kernel mode code signing |
| cert-dual-signed | The file is digitally signed with two signatures that independently verify file integrity |
| cert-expired | The file's certificate chain has at least one expired certificate |
| cert-impersonate | The file is digitally signed with a certificate that impersonates one of the well-known entities (e.g. Microsoft or Google) |
| cert-invalid | The file was signed with an invalid certificate (it didn't pass the validation process) |
| cert-malformed | The file is digitally signed with a certificate that was malformed |
| cert-pagehashes-bad-checksum | The file was signed with an invalid certificate (it didn't pass the validation process) |
| cert-revoked | The file is digitally signed with a certificate that has been revoked |
| cert-revoked-aa-compromise | The file is digitally signed with a certificate that has been revoked due to AA compromise |
| cert-revoked-affiliation-changed | The file is digitally signed with a certificate that has been revoked due to change in affiliation |
| cert-revoked-ca-compromise | The file is digitally signed with a certificate that has been revoked due to CA compromise |
| cert-revoked-cert-hold | The file is digitally signed with a certificate that has been put on hold (the signer has been suspended) |
| cert-revoked-cessation-of-operation | The file is digitally signed with a certificate that has been revoked because the signer has ceased its operations |
| cert-revoked-key-compromise | The file is digitally signed with a certificate that has been revoked due to private key compromise |
| cert-revoked-privilege-withdrawn | The file is digitally signed with a certificate that has been revoked because the signer privilege has been withdrawn |
| cert-revoked-remove-from-crl | The file is digitally signed with a certificate that has been removed from the revocation list |
| cert-revoked-superseded | The file is digitally signed with a certificate that has been revoked because it has been superseded |
| cert-revoked-unspecified | The file is digitally signed with a certificate that has been revoked due to unspecified reason |
| cert-self-signed | The file is digitally signed with a self-signed certificate (e.g. JAR or APK) |
| cert-signed | The file is digitally signed with a certificate (signature may or may not be valid) |
| cert-signed-after-expiration | The file was digitally counter-signed after at least one certificate in the certificate chain expired |
| cert-signed-after-revocation | The file is digitally signed with a certificate that has been revoked at the time of signing |
| cert-signed-after-valid-time | The file is digitally signed with a certificate that was used after its validity period ended |
| cert-signed-before-issuing | The file is digitally signed with a certificate that was used before its validity period started |
| cert-timestamped | The file was digitally counter-signed by a timestamping service hosted by a certificate authority |
| cert-cert-timestamped-revoked | The file was digitally counter-signed by a timestamping service certificate that has been revoked |
| cert-cert-timestamped-untrusted | The file was digitally counter-signed by a timestamping service, but its root CA certificate is not in the Spectra Core certificate store |
| cert-untrusted | The file is digitally signed with a certificate that is valid, but its root CA certificate is not in the Spectra Core certificate store |
| cert-weak-crypto | The file was digitally signed with certificates using insecure cryptography or old hashing algorithms |
| cert-weak-crypto-key | The file was digitally signed with certificates using insecure cryptography (e.g. RSA with less than 2048 bits) |
| cert-weak-crypto-digest | The file was digitally signed with certificates using an old hashing algorithm (e.g. MD5) |
| cloud-ai-use | The file contains URLs related to cloud-based AI services |
| contains-api-key | The file contains an API key used to authenticate a user, developer, or calling program to an API |
| contains-archive | The file contains one or more archive files (such as ZIP, RAR, Jar) |
| contains-document | The file contains one or more document files |
| contains-elf | The file contains one or more ELF (Executable and Linkable Format) files |
| contains-key-secret-pair | The file contains plaintext credentials, generally used for authentication |
| contains-macho | The file contains one or more Mach-O files |
| contains-pe | The file contains one or more PE (Portable Executable) files |
| contains-private-key-encrypted | The file contains an encrypted PKI private key |
| contains-private-key-plaintext | The file contains a PKI private key |
| contains-private-ssh-key-encrypted | The file contains an encrypted SSH key |
| contains-private-ssh-key-plaintext | The file contains an SSH key |
| contains-script | The file contains one or more script files |
| contains-token | The file contains an access or refresh token generally used for authentication |
| contains-webhook | The file contains a private webhook which may contain sensitive information |
| cryptocurrency | The file has cryptocurrency-related indicators (e.g. accesses Bitcoin wallet files) |
| dde | The file has Dynamic Data Exchange capabilities that may be used to interact with other applications |
| desktop | The file appears to be a desktop application (e.g. PE or ELF) |
| email-outlook | The file has Outlook-related indicators (e.g. accesses mailbox files, credentials) |
| email-pattern | The file has generic e-mail-related indicators (e.g. accesses mailbox files, credentials) |
| email-thunderbird | The file has Thunderbird-related indicators (e.g. accesses mailbox files, credentials) |
| encrypted | Contains encrypted files (e.g. password-protected archive) |
| entropy-high | The file has unusually high entropy (i.e. entropy > 7) |
| entropy-zero | The file is zero-filled (full of 00 bytes) |
| exif | The file has EXIF metadata (such as camera information or GPS metadata) |
| format-bad-checksum | The file likely contains corrupted content as it has failed the data integrity check |
| format-bad-password | The file is password protected, and no provided passwords were a good match |
| format-unsupported | The file format is currently not supported, and it requires a deeper level of inspection to be fully analyzed |
| geotagging | The file has EXIF metadata containing GPS coordinates |
| guid-activex-killbit | The file contains ActiveX GUIDs with the Kill-Bit flag set |
| im-skype | The file has Skype-related indicators (e.g. accesses chat history, credentials) |
| image-corrupt | The image is corrupt because of some format discrepancy (e.g. invalid segment size) |
| image-malformed | The image is malformed (e.g. frame dimension is zero) |
| image-segment-duplicate | The image has a duplicate segment |
| image-segment-unexpected-location | An image segment has been found in an unexpected location |
| image-segment-unknown | An unknown image segment has been encountered |
| localized-entry-point | The file contains localization-specific entry points |
| linguist | The file's subtype was determined by a ReversingLabs machine learning model |
| machine-learning | The file was classified by a ReversingLabs machine learning model |
| ml-model | The file contains a machine learning model |
| nsis-table-invalid-offset | The NSIS installer is corrupt due to invalid table offset |
| nsis-table-invalid-size | The NSIS installer is corrupt due to invalid table size |
| ntfs-alternate-data-stream | The file contains data which was part of an NTFS Alternate Data Stream |
| obfuscated | The file contains obfuscated code or data |
| probably-packed | A heuristic method determined that the PE file may be packed |
| overlay | The file has an overlay (appended data at the file's end) - applies only to PE files |
| password | The file is password-protected (e.g. a password-protected archive) |
| ransomware-artifact | The file contains artifacts associated with ransomware (e.g. mail addresses, domains) |
| ransomware-encrypted | The file was encrypted by known ransomware (e.g. TeslaCrypt encrypted files) |
| script | The file appears to be a script (e.g. shell or JavaScript) |
| sql-query | The file contains generic SQL queries |
| ssh-key | The file can use or modify SSH keys |
| stego | The file is a result of stego extraction |
| stego-compressed | The file contains compressed embedded PE files |
| stego-embedded | The file contains plain embedded PE files |
| stego-encoded | The file contains encoded embedded PE files |
| stego-encrypted | The file contains encrypted embedded PE files |
| uri-banking-website | The file contains URLs related to banking and monetary institutions |
| uri-coinmining-domain | The file contains URLs related to coinmining services |
| uri-credentials | The file contains URLs that embed sign-in credentials in plaintext due to protocol requirements |
| uri-deceptive-file | The file contains URLs that point to executable content hidden behind double extensions |
| uri-domain-blacklisted | The file contains URLs that point to a known blacklisted domain |
| uri-domain-homoglyph | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-domain-phishtest | The file contains URLs that are used in simulated phishing tests |
| uri-domain-punycode | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-domain-spoofed | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-domain-typosquat | The file contains URLs that try to trick the user into thinking they are visiting a trusted domain |
| uri-dynamic-dns | The file contains URLs pointing to domains hosted on dynamic DNS |
| uri-hostname-length | The file contains URLs pointing to domains that are unusually long |
| uri-interesting-file | The file contains URLs that point to interesting files or file extensions |
| uri-ip-address | The file contains URLs pointing to webservers hosted on IP addresses |
| uri-malicious-redirect | The file contains URLs that redirect to malicious domains |
| uri-malware-regex | The file contains URLs that match a known malware regex pattern |
| uri-onion-website | The file contains URLs pointing to domains hosted on the Tor network |
| uri-open-redirect | The file contains URLs that redirect to other domains |
| uri-path-length | The file contains URLs pointing to paths that are unusually long |
| uri-path-spoofed | The file contains URLs that point to a known sign-in path but don't reside on the trusted domain |
| uri-placeholder | The file contains URLs with placeholder values for access credentials |
| uri-placeholder-known | The file contains URLs with placeholder values for access credentials |
| uri-restricted | The file contains URLs that were explicitly restricted by the user |
| uri-sanctioned-eu | The file contains URLs of domains hosted in regions with EU sanctions |
| uri-sanctioned-us | The file contains URLs of domains hosted in regions with US sanctions |
| uri-security-website | The file contains URLs related to security product vendors |
| uri-shortened | The file contains shortened URLs |
| uri-subdomain-count | The file contains URLs whose hostnames contain an excessive number of subdomains |
| uri-suspicious-path | The file contains URLs that contain a suspicious path section |
| uri-suspicious-port | The file contains URLs that utilize non-standard ports for the specified protocol |
| uri-suspicious-query | The file contains URLs that include suspicious SQL query commands |
| uri-suspicious-tld | The file contains URLs pointing to domains hosted on suspicious TLDs |

Behavior tags - describe behavior of executables, documents, scripts, and mobile applications

| Tag | Description |
|---|---|
| behavior-registry | The file can access or alter registry settings |
| behavior-copy | The file can copy or move other files |
| behavior-rename | The file can rename or move other files |
| behavior-process-start | The file can start a process or launch an action |
| behavior-shortcut | The file can create a shortcut to an existing file, application, or a command |
| behavior-remove | The file can remove other files |
| behavior-edit-ini | The file can access or modify system configuration |
| behavior-uri | The file can open or reference a URI |
| bidirectional-text | The file contains special Unicode characters that influence text display order |
| account-settings-tamper | The file can tamper with user account settings |
| autorun | The file can tamper with autorun settings (e.g. autorun registry keys, autorun locations) |
| av-disable | The file can disable services related to security products |
| av-impersonate | The file can impersonate services related to security products |
| av-service-detect | The file can detect services related to security products |
| av-tamper | The file can tamper with services related to security products |
| backup-tamper | The file can tamper with backups (e.g. erases backup copies, tampers with backup settings) |
| bitlocker-tamper | The file can tamper with BitLocker settings |
| data-exfiltration | The file can exfiltrate various data (e.g. stored credentials, mailbox files, configuration data) |
| dns-tamper | The file can tamper with DNS configuration |
| dns-use | The file can use the DNS protocol (e.g. issues DNS queries, locates network services) |
| file-download | The file has the capability to download files |
| file-overwrite | The file will be overwritten by other files that share the same file path |
| file-upload | The file has the capability to upload files |
| firewall-tamper | The file can tamper with firewall settings |
| ftp-use | The file can use the FTP protocol (e.g. to upload files, to download files) |
| hosts-modifier | The file can tamper with the hosts file or related registry keys |
| impersonate-native | The file can impersonate native services (e.g. impersonates Windows Explorer) |
| irc-use | The file can use the IRC communication protocol |
| log-tamper | The file can tamper with logging configuration or log files |
| netntlm-hash-leak | The file contains references to SMB resources that leak NetNTLM hashes |
| network-settings-tamper | The file can tamper with network settings |
| nfs-tamper | The file can tamper with NFS settings |
| privacy-intrusion | The file has indicators related to privacy intrusion (e.g. takes screenshots, monitors user input) |
| privilege-escalation | The file has the capability to elevate user privileges |
| process-injection | The file has the capability to write into other processes |
| process-termination | The file can terminate other processes |
| proxy | The file can access or modify proxy settings |
| registry-tamper | The file can tamper with the registry |
| security-settings-tamper | The file can tamper with various security settings (e.g. security or audit policies) |
| service-disable | The file can disable services |
| smb-tamper | The file can tamper with the SMB protocol |
| startup-tamper | The file can tamper with startup settings (e.g. Windows bootup process) |
| storage-settings-tamper | The file can tamper with storage settings |
| storage-tamper | The file can tamper with external storage |
| uac-bypass | The file can bypass User Account Control |
| update-disable | The file can disable update services |
| virtualization-settings-tamper | The file can tamper with virtualization settings |
| vpn-tamper | The file can tamper with VPN settings |
| vpn-use | The file has the capability to use VPN |
| web-request | The file has the capability to generate web requests |
| wmi-use | The file can use Windows Management Instrumentation (WMI) |

Application-related tags - apply only to files with application metadata (PE, ELF, OSX, DEX, …)

| Tag | Description |
|---|---|
| arch-mips | The file's target CPU architecture is MIPS |
| arch-powerpc | The file's target CPU architecture is PowerPC |
| arch-sparc | The file's target CPU architecture is SPARC |
| arch-x86 | The file's target CPU architecture is x86 |
| arch-x86-64 | The file's target CPU architecture is x86-64 |
| arch-arm-64 | The file's target CPU architecture is ARM64 |
| arch-arm | The file's target CPU architecture is ARM |
| codeview | The application has debugging symbols metadata |
| cui | The application uses the Console User Interface subsystem (applies to PE files) |
| force-integrity | The file has integrity protection checks that prevent execution on change |
| go-binary | The file is a compiled Go executable |
| gui | The application uses the Graphical User Interface subsystem (applies to PE files) |
| installer | The file is an installer package |
| installer-plugin | The file is used only temporarily to provide additional functionality during the installation procedure |
| library-ad | The application contains advertising-related libraries (e.g. Adfonic) |
| library-analytics | The application contains advertising and usage analytics-related libraries (e.g. Google Analytics) |
| library-audio | The application contains audio playback related libraries (e.g. Vorbis) |
| library-browser | The application contains browser-related libraries |
| library-cloud | The application contains cloud networking-related libraries (e.g. Dropbox) |
| library-compression | The application contains compression-related libraries (e.g. Zip) |
| library-crypto | The application contains cryptography-related libraries (e.g. OAuth) |
| library-database | The application contains database-related libraries (e.g. MySQL) |
| library-development | The application contains development-related libraries |
| library-driver | The application contains driver-related libraries |
| library-educational | The application contains education-related libraries |
| library-email | The application contains email-related libraries |
| library-entertainment | The application contains entertainment-related libraries |
| library-gaming | The application contains gaming-related libraries |
| library-graphics | The application contains drawing or rendering libraries (e.g. Unity) |
| library-messaging | The application contains network messaging-related libraries (e.g. RabbitMQ) |
| library-multimedia | The application contains multimedia-related libraries (e.g. Amazon Game Circle) |
| library-networking | The application contains network communication-related libraries (e.g. curl) |
| library-productivity | The application contains productivity-related libraries |
| library-security | The application contains security-related libraries |
| library-social | The application contains social networking-related libraries (e.g. Facebook) |
| library-utility | The application contains programming utility libraries (e.g. ICU) |
| library-virtualization | The application contains virtualization-related libraries |
| lolbin | The file was identified as a LoLBin (living-off-the-land binary) |
| loldriver | The file was identified as a LoLDriver (living-off-the-land driver) |
| lolrmm | The file was identified as a LoLRMM (living-off-the-land Remote Monitoring and Management) tool |
| pe-bad-checksum | The executable header checksum does not match the application contents |
| plugin | The application is a plugin for a particular piece of software |
| protection-aslr | The file has the Address Space Layout Randomisation exploit protection enabled |
| protection-dep | The file has the Data Execution Prevention exploit protection enabled |
| protection-ehc | The file has the Exception Handling Continuation exploit protection enabled |
| protection-cfg | The file has the Control Flow Guard exploit protection enabled |
| protection-cpy | The file has the safe memory copy protection enabled |
| protection-ret | The file has the Retpoline exploit protection enabled |
| protection-rfg | The file has the Return Flow Guard exploit protection enabled |
| protection-mpx | The file has Intel Memory Protection Extensions (MPX) enabled |
| protection-xfg | The file has the eXtended Flow Guard (XFG) exploit protection enabled |
| protection-cet | The file has the Intel Control-Flow Enforcement Technology guard enabled |
| protection-sdl | The file has been compiled to follow the Secure Development Lifecycle guidelines |
| protection-scg | The file has the Static cast guard protection enabled |
| protection-seh | The file has safe exception handling protection enabled |
| protection-stack | The file has buffer overrun exploit protection enabled |
| packed | The application is packed with a known packer (e.g. with UPX) |
| rich-header | The application has rich header metadata (applies to PE files) |
| reproducible-build | The application has been compiled in a reproducible way which invalidates all timestamps |
| sfx | The file is a self-extracting archive (an application that embeds an archive) |
| taggant | The application has Taggant-related metadata |
| tool-hacktool | The application is used to assist hacking |
| tool-steganography | The application has steganography capabilities |
| uefi | The application is designed for the UEFI subsystem (applies to PE files) |
| uninstaller | The application is an uninstaller for a particular piece of software |
| unsupported-application | The application is deprecated and no longer supported by its vendor |
| updater | The application is an updater for a particular piece of software |
| version-info | The application has version information metadata |
| vulnerable-with-cve | The application has a known vulnerability with an assigned CVE |
| vulnerable-without-cve | The application has a known vulnerability without an assigned CVE |
| xbox | The application is designed for the XBOX subsystem (applies to PE files) |

Mobile-related tags - apply only to mobile applications

| Tag | Description |
|---|---|
| android-cupcake | The mobile application uses the Android API level 3 |
| android-donut | The mobile application uses the Android API level 4 |
| android-eclair | The mobile application uses the Android API levels 5 to 7 |
| android-froyo | The mobile application uses the Android API level 8 |
| android-gingerbread | The mobile application uses the Android API levels 9 to 10 |
| android-honeycomb | The mobile application uses the Android API levels 11 to 13 |
| android-ice-cream-sandwich | The mobile application uses the Android API levels 14 to 15 |
| android-jelly-bean | The mobile application uses the Android API levels 16 to 18 |
| android-kitkat | The mobile application uses the Android API levels 19 to 20 |
| android-lollipop | The mobile application uses the Android API levels 21 to 22 |
| android-marshmallow | The mobile application uses the Android API level 23 |
| android-nougat | The mobile application uses the Android API levels 24 to 25 |
| android-oreo | The mobile application uses the Android API levels 26 to 27 |
| android-pie | The mobile application uses the Android API level 28 |
| android-10 | The mobile application uses the Android API level 29 |
| android-11 | The mobile application uses the Android API level 30 |
| mobile | The file appears to be a mobile application (e.g. Android APK or Windows Phone applications) |
| mobile-custom-permissions | The mobile application has user-defined permissions |
| mobile-data-access | The mobile application can read and write to the external storage on the device |
| mobile-deprecated | The mobile application can abuse permissions from deprecated APIs |
| mobile-gps | The mobile application can access location services |
| mobile-infostealer | The mobile application can access and read information such as call logs, contacts, and calendars |
| mobile-logging | The mobile application can read and modify call logs |
| mobile-settings | The mobile application can change system settings on the device |
| mobile-sms | The mobile application can read, write, or receive SMS messages |
| mobile-telco | The mobile application can access and use the telecom connection service |
| mobile-voicemail | The mobile application can access and send voicemail messages |

Malware tags - identify malware types and refer to other malware metadata

| Tag | Description |
|---|---|
| backdoor | The malware was identified as a backdoor |
| c2 | The malware has an embedded malware/data configuration (e.g. C2 info or mutex) |
| custom-packed | The file appears to be packed with a custom packer |
| downloader | The malware was identified as a downloader |
| keylogger | The malware was identified as a keylogger |
| pos | The malware was identified as a point-of-sale malware |
| ransomware | The malware was identified as ransomware |
| threat-hunting-npm | The file is similar to known malicious packages published on the NPM repository |
| threat-hunting-pypi | The file is similar to known malicious packages published on the PyPI repository |

Packer tags - refer to packer-related metadata

| Tag | Description |
|---|---|
| antidebugging | The file uses anti-debugging techniques |
| antidumping | The file uses anti-dumping techniques |
| antiemulation | The file uses anti-emulation techniques |
| antisandbox | The file uses anti-sandbox techniques |
| antitracing | The file uses anti-tracing techniques |
| fake-signature | The file uses fake signatures to thwart signature-based identification |
| import-elimination | The packed file eliminates or has eliminated its import information |
| import-redirection | The packed file redirects imports to make unpacking harder |
| pe-compression | The file has a compressed payload/configuration |
| pe-encryption | The file has an encrypted payload/configuration |
| pe-encryption-rc4 | The file uses RC4 to encrypt the payload/configuration |
| pe-encryption-tea | The file uses TEA to encrypt the payload/configuration |
| polymorphic | The file was packed with a polymorphic packer |
| remove-ep | The packed file has a stolen original entry point |
| remove-header | The packed file removes the PE header during unpacking to make unpacking harder |
| tamper-protection | The file checks for signs of modification to make unpacking harder |

Browser tags - refer to browser-related metadata

| Tag | Description |
|---|---|
| brave-reference | The file contains references to Brave or Brave-related data (e.g. accesses settings, contains Brave user agent strings) |
| chrome-reference | The file contains references to Chrome or Chrome-related data (e.g. accesses settings, contains Chrome user agent strings) |
| chrome-tamper | The file can tamper with Chrome or Chrome-related settings (e.g. performs process injection into the Chrome executable) |
| chromium-reference | The file contains references to Chromium or Chromium-related data (e.g. accesses settings, contains Chromium user agent strings) |
| chromium-tamper | The file can tamper with Chromium or Chromium-related settings (e.g. performs process injection into the Chromium executable) |
| edge-reference | The file contains references to Microsoft Edge or Microsoft Edge-related data (e.g. accesses settings, contains Microsoft Edge user agent strings) |
| firefox-reference | The file contains references to Firefox or Firefox-related data (e.g. accesses settings, contains Firefox user agent strings) |
| firefox-tamper | The file can tamper with Firefox or Firefox-related settings (e.g. performs process injection into the Firefox executable) |
| internet-explorer-reference | The file contains references to Internet Explorer or Internet Explorer-related data (e.g. accesses settings, contains Internet Explorer user agent strings) |
| internet-explorer-tamper | The file can tamper with Internet Explorer or Internet Explorer-related settings (e.g. performs process injection into the Internet Explorer executable) |
| netscape-reference | The file contains references to Netscape or Netscape-related data (e.g. accesses settings, contains Netscape user agent strings) |
| netscape-tamper | The file can tamper with Netscape or Netscape-related settings (e.g. performs process injection into the Netscape executable) |
| opera-reference | The file contains references to Opera or Opera-related data (e.g. accesses settings, contains Opera user agent strings) |
| opera-tamper | The file can tamper with Opera or Opera-related settings (e.g. performs process injection into the Opera executable) |
| safari-reference | The file contains references to Safari or Safari-related data (e.g. accesses settings, contains Safari user agent strings) |
| safari-tamper | The file can tamper with Safari or Safari-related settings (e.g. performs process injection into the Safari executable) |
| seamonkey-reference | The file contains references to SeaMonkey or SeaMonkey-related data (e.g. accesses settings, contains SeaMonkey user agent strings) |
| vivaldi-reference | The file contains references to Vivaldi or Vivaldi-related data (e.g. accesses settings, contains Vivaldi user agent strings) |
| waterfox-reference | The file contains references to Waterfox or Waterfox-related data (e.g. accesses settings, contains Waterfox user agent strings) |
| yandex-reference | The file contains references to Yandex or Yandex-related data (e.g. accesses settings, contains Yandex user agent strings) |

Classification tags - apply only to classified files

| Tag | Description |
|---|---|
| cert-blacklisted | The file was digitally signed with a blacklisted certificate |
| cert-whitelisted | The file was digitally signed with a whitelisted certificate |
| cloud | The file was classified by ReversingLabs Malware Presence (e.g. the hash is a well-known threat) |
| sandbox | The file was classified by ReversingLabs Cloud Sandbox (e.g. the hash is a well-known threat) |
| exploit | The file was classified by Spectra Core exploit detection from an unpacker or a validator (e.g. RTF) |
| graylisting | The file was classified by graylisting (e.g. an archive containing only text files) |
| hierarchy-analyzer | The file was classified by Spectra Core file hierarchy analysis (e.g. embedded executables within a document format) |
| image-analyzer | The file was classified by Spectra Core image analyzer (e.g. suspicious data was found within an image) |
| ricc | The file was classified by Spectra Core RICC (e.g. RHA classification, RICC rule classifications) |
| signature | The file was classified by Spectra Core signature |
| antivirus | The file was classified by an AntiVirus component |
| ng-antivirus | The file was classified by a NextGen AntiVirus component |
| yara | The file was classified by a YARA rule |

Capability tags - refer to capabilities of executables, documents, and mobile applications

| Tag | Description |
|---|---|
| capability-advertising | The file has advertising-related capabilities (e.g. AdMob) - applies to documents and mobile formats |
| capability-bluetooth | The file can use Bluetooth to communicate with other devices - mobile-specific tag |
| capability-camera | The file has access to the camera - applies to documents and mobile formats |
| capability-cryptography | The file has cryptography-related capabilities (e.g. it can encrypt or hash data and files) |
| capability-deprecated | The file uses deprecated APIs |
| capability-embeds | The file has other files embedded within (e.g. an iframe or an OLE object) - document-specific tag |
| capability-execution | The file has execution-related capabilities (e.g. an application can spawn new processes or threads) |
| capability-filesystem | The file has filesystem-related capabilities (e.g. it can open and read files) |
| capability-identification | The file has access to user or device identity - mobile-specific tag |
| capability-microphone | The file has access to the microphone - applies to documents and mobile formats |
| capability-networking | The file has networking-related capabilities (e.g. it can open a socket and send/receive data) |
| capability-nfc | The file can use Near Field Communication (NFC) to communicate with other devices - mobile-specific tag |
| capability-scripting | The file uses a scripting language (e.g. a document contains and uses macros) - document-specific tag |
| capability-security | The file has security-related capabilities |
| capability-social | The file has access to social components or providers (e.g. Facebook) - applies to documents and mobile formats |
| capability-undocumented | The file uses undocumented functions |
| capability-vpn | The file can access VPNs - mobile-specific tag |
| capability-wallet | The file has access to user's wallet - mobile-specific tag |
Indicator tags - refer to indicators found in executables, documents, scripts, and mobile applications
An indicator tag will be emitted by Spectra Core only if the priority of a particular indicator is not low (i.e. priority > 3).
| indicator-anomaly | The file contains unusual characteristics (e.g. contains known whitelisted executable filenames) |
| indicator-autostart | The file tampers with autostart settings (e.g. tampers with autorun locations) |
| indicator-behavior | The file automatically executes activities as a user (e.g. changes username or password, prints a document) |
| indicator-disable | The file disables system services (e.g. tampers with Windows Update) |
| indicator-document | The file exhibits unusual activities when handling documents (e.g. PDF that creates new documents) |
| indicator-evasion | The file tries to evade common debuggers, sandboxes or analysis tools (e.g. VM environment detection) |
| indicator-execution | The file creates other processes or starts other applications (e.g. creates a service, installs system drivers) |
| indicator-exploit | The file contains known exploits against the system |
| indicator-family | The file is associated with known malicious families |
| indicator-file | The file accesses other files on the filesystem in an unusual way (e.g. creates a cryptographic hash of file contents) |
| indicator-flow | The file leaks sensitive information to external hosts or creates new files with sensitive data (e.g. exports PDF form fields to files) |
| indicator-macro | The file contains or executes macro functions or scripts (e.g. contains UNIX shell scripts, executes actions associated with bookmarks) |
| indicator-memory | The file tampers with memory of foreign processes (e.g. does process injection) |
| indicator-monitor | The file has the ability to monitor host activities (e.g. accesses a list of logged on users) |
| indicator-network | The file has network-related indicators (e.g. downloads a file, tampers with DNS settings) |
| indicator-packer | The file contains obfuscated or encrypted code or data (e.g. base64 encoded streams) |
| indicator-payload | The file extracts and launches new behavior in an unusual way (e.g. injects CSS into a page) |
| indicator-permissions | The file tampers with or requests additional permissions for execution (e.g. tampers with user/account privileges) |
| indicator-registry | The file accesses registry and configuration files in an unusual way (e.g. tampers with Windows registry settings) |
| indicator-search | The file enumerates or collects information from a system (e.g. enumerates network shares or mounted drives) |
| indicator-settings | The file accesses or tampers with system settings (e.g. enumerates system information) |
| indicator-signature | The file matches a known signature (e.g. contains known compression libraries, HTTP header fields) |
| indicator-steal | The file steals and leaks sensitive information (e.g. accesses Outlook account information and address book) |
| indicator-stealth | The file tries to hide its presence (e.g. tampers with window transparency settings, tampers with firewall settings) |
String tags - related to Spectra Core interesting strings
| string-file | The file contains interesting strings related to the file URI scheme |
| string-scp | The file contains SCP-related interesting strings |
| string-callto | The file contains interesting strings related to the CallTo communication protocol |
| string-h323 | The file contains interesting strings related to the H.323 multimedia communication protocol |
| string-webcal | The file contains interesting strings related to iCalendar files |
| string-ftp | The file contains FTP-related interesting strings |
| string-http | The file contains HTTP-related interesting strings |
| string-https | The file contains HTTPS-related interesting strings |
| string-mailto | The file contains mailto-related interesting strings |
| string-sftp | The file contains SFTP-related interesting strings |
| string-sip | The file contains SIP-related interesting strings |
| string-ssh | The file contains SSH-related interesting strings |
| string-telnet | The file contains Telnet-related interesting strings |
Compression and crypto tags - related to identified compression and crypto content
| compression-aplib | The file has content related to APLib compression algorithm |
| compression-asdpack | The file has content related to ASDPack compression algorithm |
| compression-aspack | The file has content related to ASPack compression algorithm |
| compression-brieflz | The file has content related to BriefLZ compression algorithm |
| compression-brotli | The file has content related to Brotli compression algorithm |
| compression-bzip2 | The file has content related to BZip2 compression algorithm |
| compression-deflate | The file has content related to Deflate compression algorithm |
| compression-dicky | The file has content related to Dicky compression algorithm |
| compression-ffce | The file has content related to FFCE compression algorithm |
| compression-gipfeli | The file has content related to Gipfeli compression algorithm |
| compression-gzip | The file has content related to GZip compression |
| compression-inflate | The file has content related to Inflate compression algorithm |
| compression-jcalg | The file has content related to JCAlg compression algorithm |
| compression-lz4 | The file has content related to LZ4 compression algorithm |
| compression-lzbrs | The file has content related to LZBRS compression algorithm |
| compression-lzfse | The file has content related to LZFSE compression algorithm |
| compression-lzhuf | The file has content related to LZHUF compression algorithm |
| compression-lzma | The file has content related to LZMA compression algorithm |
| compression-lzmat | The file has content related to LZMAT compression algorithm |
| compression-lznt | The file has content related to LZNT compression algorithm |
| compression-lzo | The file has content related to LZO compression algorithm |
| compression-lzrw | The file has content related to LZRW compression algorithm |
| compression-lzss | The file has content related to LZSS compression algorithm |
| compression-ncompress42 | The file has content related to Ncompress42 compression algorithm |
| compression-neolite | The file has content related to NeoLite compression algorithm |
| compression-nrv | The file has content related to NRV compression algorithm |
| compression-pithy | The file has content related to Pithy compression algorithm |
| compression-pkzip | The file has content related to PKZIP compression algorithm |
| compression-pucrunch | The file has content related to Pucrunch compression algorithm |
| compression-snappy | The file has content related to Snappy compression algorithm |
| compression-unlzx | The file has content related to UnLZX compression algorithm |
| compression-unrarlib | The file has content related to unrarlib compression algorithm |
| compression-zip | The file has content related to Zip compression |
| compression-zlib | The file has content related to Zlib compression algorithm |
| compression-zstd | The file has content related to Zstd compression algorithm |
| crypto-acss | The file has content related to ACSS algorithm |
| crypto-adler-crc32 | The file has content related to Adler-32 algorithm |
| crypto-aegis | The file has content related to the AEGIS block cipher |
| crypto-aria | The file has content related to the ARIA block cipher |
| crypto-base32 | The file has content related to Base32 algorithm |
| crypto-base64 | The file has content related to Base64 algorithm |
| crypto-base64url | The file has content related to Base64URL algorithm |
| crypto-bcrypt | The file has content related to BCrypt algorithm |
| crypto-bhencode | The file has content related to Bhencode algorithm |
| crypto-blake | The file has content related to Blake algorithm |
| crypto-blowfish | The file has content related to Blowfish algorithm |
| crypto-bmw512 | The file has content related to BMW-512 algorithm |
| crypto-botan | The file has content found in Botan cryptography library |
| crypto-camellia | The file has content related to Camellia algorithm |
| crypto-cast | The file has content related to CAST algorithm |
| crypto-cast256 | The file has content related to CAST-256 algorithm |
| crypto-chacha20-poly1305 | The file has content related to the ChaCha20-Poly1305 stream cipher |
| crypto-clefia | The file has content related to CLEFIA algorithm |
| crypto-collision | The file contains blocks used in SHA-1 collision attacks |
| crypto-crc32 | The file has content related to CRC-32 algorithm |
| crypto-cryptlib | The file has content found in Cryptlib cryptography library |
| crypto-cryptopp | The file has content found in Cryptopp (Crypto++) cryptography library |
| crypto-des | The file has content related to DES algorithm |
| crypto-desx | The file has content related to DESX algorithm |
| crypto-dh | The file has content related to the Diffie-Hellman (DH) key exchange |
| crypto-dhe | The file has content related to the Diffie-Hellman Ephemeral (DHE) key exchange |
| crypto-dsa | The file has content related to Digital Signature Algorithm (DSA) |
| crypto-ecc | The file has content related to Elliptic-curve cryptography (ECC) |
| crypto-ecdh | The file has content related to the Elliptic-curve Diffie-Hellman (ECDH) key exchange |
| crypto-ecdhe | The file has content related to the Elliptic-curve Diffie-Hellman Ephemeral (ECDHE) key exchange |
| crypto-ecdsa | The file has content related to the Elliptic Curve Digital Signature Algorithm (ECDSA) |
| crypto-frog | The file has content related to FROG algorithm |
| crypto-gnupg | The file has content found in GnuPG cryptography library |
| crypto-gnutls | The file has content found in GnuTLS cryptography library |
| crypto-gost | The file has content related to GOST algorithm |
| crypto-haval | The file has content related to HAVAL algorithm |
| crypto-hmac | The file has content related to HMAC algorithm |
| crypto-idea | The file has content related to the IDEA block cipher |
| crypto-ike | The file has content related to Internet Key Exchange (IKE) |
| crypto-kasumi | The file has content related to KASUMI algorithm |
| crypto-keccak | The file has content related to Keccak algorithm |
| crypto-krb5 | The file has content related to the KRB5 key exchange |
| crypto-kuznyechik | The file has content related to the Kuznyechik block cipher |
| crypto-magma | The file has content related to the Magma block cipher |
| crypto-mars | The file has content related to MARS algorithm |
| crypto-md2 | The file has content related to MD2 algorithm |
| crypto-md4 | The file has content related to MD4 algorithm |
| crypto-md5 | The file has content related to MD5 algorithm |
| crypto-md5mac | The file has content related to MD5-MAC algorithm |
| crypto-misty1 | The file has content related to Misty1 algorithm |
| crypto-misty2 | The file has content related to Misty2 algorithm |
| crypto-nacl | The file has content found in NaCl cryptography library |
| crypto-nettle | The file has content found in Nettle cryptography library |
| crypto-noekeon | The file has content related to NOEKEON algorithm |
| crypto-nss | The file has content found in NSS cryptography library |
| crypto-nush | The file has content related to NUSH algorithm |
| crypto-openbsd-base64 | The file has content related to OpenBSD Base64 algorithm |
| crypto-openssl | The file has content found in OpenSSL cryptography library |
| crypto-pbkdf2 | The file has content related to PBKDF2 algorithm |
| crypto-pkcs | The file has content related to Public Key Cryptography Standards (PKCS) |
| crypto-psk | The file has content related to PSK (Pre-Shared Key) algorithms |
| crypto-rawdes | The file has content related to RawDES algorithm |
| crypto-rc2 | The file has content related to RC2 algorithm |
| crypto-rc4 | The file has content related to RC4 algorithm |
| crypto-rijndael | The file has content related to AES (Rijndael) algorithm |
| crypto-ripemd128 | The file has content related to RIPEMD-128 algorithm |
| crypto-ripemd160 | The file has content related to RIPEMD-160 algorithm |
| crypto-ripemd160mac | The file has content related to RIPEMD-160-MAC algorithm |
| crypto-ripemd256 | The file has content related to RIPEMD-256 algorithm |
| crypto-ripemd320 | The file has content related to RIPEMD-320 algorithm |
| crypto-rsa | The file has content related to RSA algorithm |
| crypto-rtss | The file has content related to Robust Threshold Secret Sharing (RTSS) |
| crypto-safer | The file has content related to SAFER algorithm |
| crypto-salsa20 | The file has content related to Salsa20 algorithm |
| crypto-seed | The file has content related to SEED algorithm |
| crypto-serpent | The file has content related to Serpent algorithm |
| crypto-sha1 | The file has content related to SHA-1 algorithm |
| crypto-sha1mac | The file has content related to SHA-1-MAC algorithm |
| crypto-sha224 | The file has content related to SHA-224 algorithm |
| crypto-sha224mac | The file has content related to SHA-224-MAC algorithm |
| crypto-sha256 | The file has content related to SHA-256 algorithm |
| crypto-sha256mac | The file has content related to SHA-256-MAC algorithm |
| crypto-sha3-224mac | The file has content related to SHA3-224-MAC algorithm |
| crypto-sha3-256mac | The file has content related to SHA3-256-MAC algorithm |
| crypto-sha3-384mac | The file has content related to SHA3-384-MAC algorithm |
| crypto-sha3-512mac | The file has content related to SHA3-512-MAC algorithm |
| crypto-sha384 | The file has content related to SHA-384 algorithm |
| crypto-sha384mac | The file has content related to SHA-384-MAC algorithm |
| crypto-sha512 | The file has content related to SHA-512 algorithm |
| crypto-sha512mac | The file has content related to SHA-512-MAC algorithm |
| crypto-shark | The file has content related to Shark algorithm |
| crypto-siphash | The file has content related to SipHash algorithm |
| crypto-skein | The file has content related to Skein algorithm |
| crypto-skipjack | The file has content related to Skipjack algorithm |
| crypto-sm3 | The file has content related to the SM3 hash function |
| crypto-sms4 | The file has content related to SMS4 algorithm |
| crypto-sosemanuk | The file has content related to Sosemanuk algorithm |
| crypto-square | The file has content related to Square algorithm |
| crypto-srp | The file has content related to the SRP (Secure Remote Password) key exchange |
| crypto-tiger | The file has content related to Tiger algorithm |
| crypto-tripledes | The file has content related to TripleDES algorithm |
| crypto-turing | The file has content related to Turing algorithm |
| crypto-twofish | The file has content related to Twofish algorithm |
| crypto-unicorn | The file has content related to Unicorn algorithm |
| crypto-uuencode | The file has content related to UUencode algorithm |
| crypto-wake | The file has content related to Wake algorithm |
| crypto-whirlpool | The file has content related to Whirlpool algorithm |
| crypto-x509 | The file has content related to X.509 standard |
| crypto-xxencode | The file has content related to XXencode algorithm |
Email specific tags - related to email content
| disposable-email | Email is hosted by a service that offers disposable email addresses |
| email-deceptive-sender | The display name of one of the senders contains a string resembling an email address with a domain different from the specified email address |
| email-returnpath-mismatch | The "Return-Path" header contains an email address with a domain that is different from the domain of the sender |
| email-replyto-mismatch | The "Reply-To" header contains an email address with a domain that is different from the domain of the sender |
| email-sender-mismatch | The "Sender" header contains an email address with a domain that is different from the domain specified in the "From" header |
| email-envelopefrom-mismatch | The "X-Envelope-From" header contains an email address with a domain that is different from the domain of the sender |
| email-receivedtime-mismatch | The "Date" header indicates a time that is in the future or more than 1 hour before the time specified in the "Received" header |
| email-spf-fail | Headers indicate that the SPF (Sender Policy Framework) check has failed |
| email-dkim-fail | Headers indicate that the DKIM (Domain Keys Identified Mail) check has failed |
| email-dmarc-fail | Headers indicate that the DMARC (Domain-based Message Authentication, Reporting & Conformance) check has failed |
| email-pgp | Email is signed and/or encrypted using "Pretty Good Privacy" |
| email-smime | Email is signed and/or encrypted using "Secure/Multipurpose Internet Mail Extensions" |
| email-attachment | Email contains at least one attachment |
| email-deceptive-extension | Email attachment contains multiple extensions (e.g. "file.doc.exe") |
| email-body-plain | Content of email body is available in plain text format |
| email-body-rtf | Content of email body is available in RTF format |
| email-body-html | Content of email body is available in HTML format |
| email-impersonation | The display name of one of the senders impersonates a popular service |
| email-signature-impersonation | Email contents impersonate an email commonly sent by a popular service |
| email-urgency | Email contains multiple phrases that imply a sense of urgency |
| email-sensitive-topic | Email contains multiple phrases related to sensitive topics |
| email-hidden-text | Email contains a hidden block of text designed to trick classification systems |
| email-subject-spam | Email subject contains phrases common to spam messages |
| email-subject-phishing | Email subject is commonly used in phishing messages |
| email-anonymous-provider | Email is sent using an anonymous email provider |
Format specific tags - apply only to specific file formats
| html-frame | The HTML file contains one or more IFRAME tags |
| html-form | The HTML file contains one or more FORM tags |
| html-input | The HTML file contains one or more INPUT tags |
| html-password | The HTML file contains one or more tags with the "password" attribute |
| html-image | The HTML file contains one or more IMAGE tags |
| html-canvas | The HTML file contains one or more CANVAS tags |
| html-object | The HTML file contains any of the following tags: APPLET, AUDIO, EMBED, OBJECT, SOURCE, VIDEO |
| html-download | The HTML file contains one or more links with the "download" attribute |
| html-local-link | The HTML file contains one or more links to local files |
| html-tracking | The HTML file contains one or more tracking pixels |
| html-popup | The HTML file contains an A tag with target="_blank" attribute |
| html-wsffile | The HTML file contains an A tag with href="jsffile:..." or href="wsffile:..." or href="wsfhile:..." |
| font-embedded | The HTML file contains embedded fonts |
| deceptive-link | The HTML file contains potentially deceptive links |
| platform-unix | The quarantine file was created by a security solution running on a UNIX-like operating system |
| platform-windows | The quarantine file was created by a security solution running on the Microsoft Windows operating system |
| quarantine-manual | The quarantine file was added to the quarantine manually by a user, not as a result of an automatic detection by the security solution |
| quarantine-malicious-content | The quarantine file contains remediated malicious content associated with a detected threat |
| quarantine-threat-metadata | The quarantine file contains metadata describing the antivirus specific threat which triggered the remediation |
| version-control-artifact | The file is part of a control structure for a version control repository (e.g. an index or revision data) |