Version: Spectra Analyze 9.1.1

Sample Details Summary

The Report Summary page highlights the most interesting information from the sample analysis report. It contains several sections with links to more detailed information. Some parts of the page (e.g. threat name, file format, etc.) are clickable links that, when clicked, automatically perform search queries.

The information on the Summary page will be different for every sample analyzed on the appliance, depending on the file type and classification status.

For more information on interpreting the Sample Summary page, visit the How to interpret analysis results? section.

The sample summary landing page starts with a header section. Its background will be colored according to the sample’s classification, and it contains the most important information about the analyzed file. The top left corner shows the final classification of the file.

In case of goodware files, this text will be supplemented by labels explaining the risk score and the source of this sample:

  • 0, 1 - Whitelisted / Reputable Origin
  • 2, 3 - Likely Benign / Public Origin
  • 4 - Not a Known Threat / Unverified Origin
  • 5 - Not a Known Threat / Origin Unknown

Individual tiles inside the header further explain the classification source, the sample’s risk factor and provide other information relevant to understanding the final classification result.

  1. Threat Type / Risk Score

    This tile shows the final classification of the sample. If a sample is goodware, its Risk Score will be in the 0 - 5 range. For suspicious and malicious files, the risk score will be in the 6 - 10 range. Risk scores depend on the severity of the threat, meaning that threats like adware get a risk score of 6, and ransomware gets a risk score of 10. In addition to the risk score, this tile also shows the type of the detected threat. The full name of the detected threat, formatted according to the ReversingLabs Malware Naming Standard, is located in the top right of the sample summary header (5).

  2. Classification Reason

    The ReversingLabs classification algorithm uses a number of techniques and classifiers to detect threats. This tile shows the classifier that caused the final classification of the sample. More information about classification reasons can be found in the Threat Classification Descriptions section.

  3. Multi-Scanner Count

    The number of AV detections for this sample. If the appliance administrator configured some scanners of interest, their detections will be displayed in the footer of this tile. Clicking the link in the footer opens the list of monitored scanners and their individual detections. Unknown samples will not have this footer section, unless there were detections by configured scanners.

    For files classified as malicious/suspicious, there are 4 possible states:

    1. All selected/configured AV scanners have detected a threat at the time of submission (“Threat detected by all configured scanners.”).
    2. All selected/configured AV scanners have detected a threat, but not at the time of submission (“Threat NOT initially detected by configured scanners!”).
    3. None or not all of the selected/configured AV scanners have detected a threat (“Threat NOT detected by some configured scanners!”).
    4. No data is available for AV scanners (“No scanner data is available.”).

    For files classified as goodware, there are 4 possible states:

    1. Any or all of the selected/configured AV scanners have detected a goodware file (“Goodware file has configured scanner detections!”).
    2. Any or all of the selected/configured AV scanners had detections in the past (“Goodware file had configured scanner detections!”).
    3. None of the selected/configured AV scanners have detected a goodware file (“Goodware file has no configured scanner detections.”).
    4. No data is available for AV scanners (“No scanner data is available.”).

    For files classified as unknown, there are 3 possible states:

    1. Any or all of the selected/configured AV scanners have detected a threat.
    2. Any or all of the selected/configured AV scanners have detected a threat, but there were also detections in the past (“Configured scanners had detections.”).
    3. No data is available for AV scanners.

  4. MITRE ATT&CK Framework

    During analysis, some Spectra Core indicators are mapped to MITRE threat IDs. This tile shows the top 3 detected MITRE ATT&CK tactics for this sample. Clicking the See Full Details link will scroll the page to the full MITRE ATT&CK report. For samples without indicators, this tile will only show “No Indicators”.

  5. File name of the sample (on the left), and the full threat name with the first and last seen dates (on the right). The threat name follows the ReversingLabs Malware Naming Standard.

  6. File size, type, and format of the sample determined by Spectra Core static analysis.

The rest of the Report Summary page is broken into multiple tabs containing more information about the sample. Tab sections containing a large amount of entries will be paginated, and can be navigated using the arrow buttons in the top right corner of the section.

Sample Details Tab

Tags and Uploads - lists a sample’s System and User Tags. Clicking the Add link opens a dialog where it is possible to add tags to the sample. Each tag is clickable and, when clicked, automatically performs a search query for samples based on the selected tag.

Capabilities - displayed as a horizontal bar with icons, but only for supported file formats. The same information can be found in the Static Analysis > FileType > Capabilities section.

Hashes - lists the hash values for the sample. MD5, SHA1 and SHA256 are shown by default, and the section can be expanded to show the remaining hashes (IMPHASH, SHA256, SHA512, SSDEEP, TLSH). Hovering over a hash value displays a tooltip button that copies the hash to the clipboard.

Malware Description / Sample Description shows a short textual summary (“Storyteller”) that describes the sample’s properties in a user-friendly language. The Storyteller can contain links provided by Spectra Core. Each link leads to the Advanced Search page, automatically performing a search query for samples based on the selected IOC. Links are also part of the exported PDF report (except those leading outside of the Spectra Analyze instance).

In addition to the Storyteller, this section contains the same malware family/type description from the Threat Intelligence Cards on the Advanced Search results page. Clicking the See Full Details link in the section header opens the Advanced Search results page for the sample’s threat name.

If a sample is not malware, this section is titled Sample Description, and does not contain threat intelligence information about malware type or family. Storyteller text is present in all cases.

Comments

This section displays comments that have been added to a sample, either by the user who uploaded it or by other users. The appliance can also automatically add comments to a sample; for example, when a user manually changes its classification.

How We Caught This

File classifications - displayed for samples that have been classified as suspicious or malicious. The Threat Name information indicates which threat names and classification statuses the sample has received from which classifier. The File information indicates the files within the sample that have been classified with each status and threat name. Clicking a link under File opens the Sample Details page for the selected file.

Sample Details Summary showing the prevalence graph and the file similarity chart

Prevalence

The graphs in the Prevalence section track the history of malware detections for the sample. The first graph, Antivirus Scans, shows the percentage of AV scanners that have detected the malware over time. The Malware Prevalence graph shows how many overall samples have been detected as belonging to the malware family over the last N months, with the total number of unique samples shown underneath it. Hovering over the dots in the graph displays the exact dates and the amount of detections for each date. The Total amount displayed below the graph refers to the current month.

The Uploads list shows the users who have uploaded the sample, and the number of times the sample has been uploaded. Clicking the number redirects to a search results page with all upload records of this particular sample.

The next part of the Summary page contains information about malware prevalence, the results of the RHA File Similarity analysis, extracted files and the timeline.

Extracted Files

The Extracted Files section displays the information about the number and type of file(s) extracted from the sample. If a sample has no extracted files, this section is not displayed at all. If there have been issues while extracting the file, this is indicated by “Failed” and “Partial” status labels on the right side.

Additional sections

Additional sections may be present on the Summary page depending on the metadata extracted from the sample during analysis:

  • Files with indicators
  • Files with signatures
  • Files with descriptions
  • YARA matches - displayed if the sample matches any of the YARA rules on the appliance.
  • Network references - samples analyzed by dynamic analysis services can have a Network connections section. Clicking any link in the File column redirects to the Interesting strings section of the file associated with that network reference.

Network References section of the Sample Details Summary page

  • Embedded scripts - offers quick access to the contents of scripts found in the sample. The “eye” icon next to each script opens the floating File Preview dialog. Clicking any of the links (embedded script names) in the File column opens the Sample Details page for that script.

Embedded Scripts section of the Sample Details Summary page

  • Malware configurations - samples with detected malware configurations will have a section with URI stats. Clicking any of the URIs opens the search results page for that URI.

Malware Configurations section of the Sample Details Summary page

Analysis Results

ReversingLabs Analysis is a collapsible table showing an overview of sample processing activities and results.

The table records and displays the last time when the sample was (re)analyzed by ReversingLabs services - Static Analysis (Spectra Core), Threat Intelligence (Spectra Intelligence) and the ReversingLabs Cloud Sandbox (dynamic analysis).

The method that resulted in the final classification of the sample will be highlighted in the appropriate classification color and marked as the Decisive Classification Reason.

This table is collapsed by default, unless processing is still taking place, the sample is missing Spectra Intelligence results, or there is a special point of interest like the sample classification coming from a Local / Spectra Intelligence user override, an extracted file or from goodware overrides.

When applicable, these special/additional classification reasons will be highlighted in a colored bar at the top of the table.

Depending on the current status of the sample and the last analysis time, the table will offer useful suggestions, indicators and possible error messages. For example, it will display a message if Spectra Core was updated to a newer version since the last analysis, if the sample might have outdated Spectra Intelligence classification data, or if the file type is not supported by the Cloud Sandbox.

The far right of each table row contains context-dependent buttons for reanalyzing the sample, uploading it to the cloud, or accessing the Spectra Intelligence configuration page. Sample classification can be manually changed by clicking the OVERRIDE button in the top right corner of the table. See Setting Custom Classifications for more information.

If the appliance detects a possible discrepancy between the Spectra Core and Spectra Intelligence classification results, it will automatically submit the sample for reanalysis. This functionality is available only when the Enable ReversingLabs File Reputation option is active in Administration ‣ Configuration ‣ Spectra Detect Processing Settings. The classification will not necessarily change after reanalysis.

Keep in mind that samples previously processed by Spectra Intelligence will still retain their analysis result in the table even after the Spectra Intelligence configuration is disabled on the appliance.

Integrations Analysis is a collapsible table showing an overview of dynamic analysis services and results. Items in this section do not affect the final classification of the sample, but can be useful as additional sources of metadata.

The table records and displays the last time when the sample was (re)analyzed by integrated dynamic analysis services, if any are configured. The far right of each table row contains context-dependent buttons for reanalyzing the sample or, if the service is not configured, accessing the configuration page for the respective service.

Timeline

The Timeline provides a historical overview of activities performed on the sample. It records the dates when the sample was first seen by Spectra Intelligence and on the local appliance, when it was classified by Spectra Core, (re)analyzed by static or dynamic analysis services, and more. The same information can be found in the Timeline section accessible from the navigation sidebar.

MITRE ATT&CK

MITRE ATT&CK is a section mapping indicators detected by Spectra Core to MITRE threat IDs. This section can be displayed for all samples regardless of their classification status (malicious/suspicious/known/unknown), as long as they have indicators that can be appropriately mapped to the ATT&CK framework. Samples without indicators will not have this section on their Sample Details page at all.

The section lists MITRE tactics in the table header. MITRE techniques are grouped under each tactic. Every technique can be clicked to show Spectra Core indicators mapped to it (which can then be clicked to run an Advanced Search for samples with those same indicators). The table can be further filtered to show all techniques or just the detected ones, and technique IDs can be either displayed or hidden.

Relationship Graph [PREVIEW]

The relationship graph is a visualization of various relationships the sample in question has to other resources. The graph can be navigated using the mouse by clicking and dragging to move around the canvas, or by scrolling to zoom in or out.

Relationship graph for a sample with multiple control nodes.

The icon in the center of the graph represents the current sample. This sample node is directly connected to control nodes, each representing a distinct type of relationship. Control nodes serve as the entry points for users to explore specific aspects of the data.

They are visualized as color-coded pie charts showing the number of subnodes per classification: Goodware, Suspicious, Malware, or Unknown. The exception is Dropped files, which can be classified as: No Threats Found, Suspicious, or Malicious. Switching to the Relationship Graph tab immediately displays up to 20 subnodes for every control node.

The control nodes are:

  • Dropped files
  • Extracted Files
  • Parents and Sources
  • (RHA) Similarity
  • Static Network References
  • Dynamic Network References
  • Network References

Users can interact with nodes by selecting, pinning or unpinning them. Left-click on a node to select it. A sidebar opens on the right side of the canvas, providing information on that specific node.

The information and actions in the sidebar vary depending on the type of node that is selected.

For example, control nodes show statistics about all of their subnodes; extracted file nodes contain information such as file reputation, threat names and file type; and network reference subnodes contain information on the network resource in question, such as third-party reputations and the classification reason. If the information is available, network reference nodes on the graph are drawn according to the country where the resource originated.

To load more subnodes, select a control node and click one of the actions: All, Top 20 or Show more.

To pin a node, drag it into any position on the empty canvas. Pinned nodes remain static in the graph, even when other interactions or expansions occur, allowing users to maintain focus on specific elements. To unpin nodes, select their control node and click one of the Unpin actions in the sidebar: Node, Children, or Both.

Highlighted and underlined items in the sidebar can be clicked to navigate to a different sample summary page, or to perform an advanced search query.

Network Threat Intelligence

The Network Threat Intelligence sample details pages are reserved for URLs, IP addresses and domains. They can be accessed by clicking any submission recognized as a URL submission on the Search Page, by clicking the Network Threat Intelligence link in the Sample Summary header of samples that correlate to some network resource, or by clicking the Network Threat Intelligence link that is displayed in the search box if the search query contains a single URI.

The report summary section is an overview of all information available for a specific network resource, with additional information accessible using the sidebar menu.

The Network Threat Intelligence sidebar menu section contains the following items:

  • URL Analysis

    Contains the top threats found on the URL, as well as historical data for that URL. This data comes from the ReversingLabs Network Threat Intelligence API.

  • Domain Analysis

    Contains the top threats found on the domain, as well as historical data for that domain. This data comes from the ReversingLabs Domain Threat Intelligence API.

  • IP Analysis

    Contains the top threats found on the IP address, as well as historical data for that address. This data comes from the ReversingLabs IP Threat Intelligence API.

Alongside network threat intelligence, users can also inspect previous ReversingLabs Cloud Sandbox dynamic analysis results, submit the network resource for (re)analysis, or interact with files related to the network resource.

These tabs are only visible for URLs, and only if the Spectra Intelligence integration is enabled. In case of a failed URL analysis, these will be the only visible tabs.
