Version: Spectra Analyze 9.2.2

Advanced Search

Introduction

The Advanced Search feature introduces rich metadata search capabilities on the ReversingLabs Spectra Analyze appliance, makes it easier to search across large data sets (both locally and in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage.

With 100+ keywords, 30+ anti-virus vendors, 130+ sample types and subtypes and 280+ tags, Advanced Search makes it possible to build more than 500 unique search queries using Boolean operators and keyword auto-completion.

Users can create targeted, multi-conditional queries and combine search criteria using logical operators to quickly identify potential threats.

The Advanced Search feature can be used to perform local searches without a Spectra Intelligence account. Using Advanced Search to retrieve Spectra Intelligence results is available to customers at additional cost. For more information, please contact ReversingLabs Sales Support (insidesales@reversinglabs.com).

Important notes about the Advanced Search feature

  1. Different search queries return results at different speeds - for some combinations of keywords and operators, it can take longer to load the results. To ensure quicker response times for long and complex queries, returned results may contain fewer samples than are available in the database; i.e., the service will only return the latest matches found within a reasonable timeframe.
Important

To improve search query responsiveness and performance, Cloud results prioritize First Seen within the last month by default. However, this may result in zero results if users specify time ranges outside this time frame. In such cases, the results page provides links to expand the search results. If the query returns some results but there are more in the previous months, clicking the link next to the query summary under the drop-down menu filters broadens the search to encompass a wider time range. Alternatively, users can set the provided drop-down filters to the desired expanded time range.

  1. Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results. Local-only keywords are: filecount, tag-user, submission-user, submission-time and processing-status. To perform Spectra Intelligence searches or search for extracted files, please remove any local keywords from the query.

  2. The maximum length of a single search query is 1024 characters. Queries longer than 1024 characters cannot be shared or added to Favorites. Attempting to submit queries longer than 1024 characters will result in an error. This does not apply to Bulk hash search queries.

  3. The maximum number of Cloud results that can be returned for a search query is 100 000. Although there may be more samples matching the query in the Spectra Intelligence cloud, Spectra Analyze will only allow browsing through 100 000 of them.

  4. Currently it is only possible to export a single page of search results. To export all results from the list, the user would have to browse pages one by one and manually export them. It is possible to adjust the number of results displayed per page in the navigation bar, thus increasing or decreasing the number of results that will appear in the exported CSV file.

  5. The *Fetch & Analyze* option for Cloud results is currently limited to downloading 100 samples at a time, with a daily limit of 10 000 samples in total. Samples that already exist on Spectra Analyze will not be downloaded again. It is not possible to fetch and analyze all samples in the Cloud results list at once.

  6. Large volumes of data indexed for Advanced Search in the Spectra Intelligence cloud are constantly updated in order to return the most relevant information. During synchronization of various Spectra Intelligence services, searching for samples in the cloud may return inconsistent or incorrect results in some cases. The data is updated multiple times per hour. This can cause discrepancies between the results offered on the Local and Public (Spectra Intelligence) results tabs.

How to Write Search Queries

Note

Local-only keywords will not work on the Cloud tab, as local-only keywords cannot be used to search for samples in the Spectra Intelligence cloud. Only actual file submissions will be returned as results. Local-only keywords are: filecount, tag-user, submission-user, submission-time and processing-status. To perform Spectra Intelligence searches or search for extracted files, please remove any local keywords from the query.

Local-only keywords, when added using the drop-down menus, will not be shown in the Advanced Search box as part of the query, but they will still be applied to the results, saved to the Recent queries list, and shared using the Share query button.

To create a search query, start typing into the Advanced search box. The pull-down list with all matching search keywords or their predefined values will open. The keywords are listed alphabetically.

Every search query must contain at least one keyword and one value. Search queries are built according to the following formula.

keyword:value OPERATOR keyword2:value OPERATOR keyword3:[value1,value2,...]

The values for a keyword can be typed in manually, or if the keyword supports it, selected from the pull-down list.

Selecting a keyword that supports predefined values (for example, classification, riskscore) displays all those values in the pull-down list.

Selecting a keyword that supports date and time ranges (such as lastseen or firstseen) displays the date picker. To add a custom range to the search box, select “Custom” in the date picker and click the Apply button.

Keywords have short usage examples in the pull-down list. For a detailed overview of supported keywords and their features, refer to the Supported Search Keywords section.

Some keywords have aliases - additional forms that can be used to search for the same values. Aliases are indicated in the Supported Search Keywords section in parentheses next to keyword names, and in the interface as illustrated in the screenshot below.

Pull-down list of search keywords with aliases highlighted

To run a search query, click the Search button in the search box, or press Enter.


The following is an example of a basic search query that returns all samples classified as suspicious:

classification:suspicious

What can and cannot be included in a search query depends on the values and operators supported by the keyword, as well as on the restricted words and characters.

The maximum length of a single search query that can be entered into the Advanced search box is 1024 characters.

Restricted Words and Characters

All restricted words and characters should be escaped with double quotation marks in the search query.

Example: a query contains one of the restricted characters [, ], (, ), :

pdb:"C:\Windows*"

Example: a query contains one of the restricted words (AND, OR, NOT)

cert-subject-name:"AND"

If the search query contains spaces, use double quotation marks around it.

cert-subject-org:"microsoft corporation"

Searching for Exact Matches

For more precise results, use quotation marks in search queries, especially when looking for a specific string.

The underscore character ( _ ) is treated as a delimiter. Phrases containing the underscore should be enclosed in quotation marks to get exact matches.

For example, searching for pe-function:"Py_Initialize" returns results that match the exact phrase, including the underscore character.

Searching for pe-function:Py_Initialize returns results that match either “Py” or “Initialize”, or both.

Using Wildcards for Partial Matching

Some search keywords support partial matching with wildcard symbols.

The * symbol matches any sequence of characters. The ? symbol matches any single character.

Example: this query returns all samples that have the string “emo” anywhere in their threat name (such as Wemosis, Remora, Temonde).

av-detection: *emo*

Example: this query returns all samples with the threat name “Emotet” and any other variant where the first letter T is replaced by any other character (such as Emonet, Emoret).

av-detection: emo?et

Searching for a Range and Greater/Less-Than Values

For keywords that support searching for a range of values, the formula looks like this.

keyword:[value1 TO value2]

size:[50000 TO 70000]

To search for greater/less-than values, create an open-ended range using the wildcard symbol *

keyword:[value TO *] - for greater-than values

keyword:[* TO value] - for less-than values

This example returns all samples that have a trust factor lower than or equal to 4.

trustfactor:[* TO 4]

Searching for a List of Values

To search for any of the values in a list, the following formula is used.

keyword:[value1, value2, value3]

The values must be comma-separated.

classification:[suspicious, unknown]

av-detection:[emotet,wannacry]

sha1:[91b21fffe934d856c43e35a388c78fccce7471ea,4e8c5b9fc9a6650f541fa0dbe456731309a429e4,66720a660761e9b3b9b071ba4c16d6ab69c442bb]

Creating Multi-keyword Search Queries

Search operators and parentheses can be used to combine multiple keywords and create advanced search queries.

The following search operators are supported: AND, OR, NOT

If an operator is not provided, AND is used as the default. Operators are case-insensitive, so the following queries all return the same results.

firstseen:2018-01-01T00:00:00Z AND classification:malicious

firstseen:2018-01-01T00:00:00Z and classification:malicious

firstseen:2018-01-01T00:00:00Z classification:malicious

The NOT operator excludes search results that match the search criteria. In the following example, malicious and suspicious files will be excluded from the results:

av-detection:*linux* NOT classification:[malicious, suspicious]

The OR operator can be used to look for any of the values supported by a single keyword:

classification:suspicious OR classification: malicious

It can also be used to look for any of the different keywords and their values:

pdb:JigsawRansomware.pdb OR uri:"http://btc.blockr.io/api/v1/"

The OR operator cannot be used instead of a comma when searching for a list of values. The following example is not a valid query:

av-detection:[emotet OR wannacry]

Parentheses can be used to combine keywords. The following two queries show how to format the same request using square brackets versus parentheses:

firstseen:2018-01-01T00:00:00Z av-detection:[trojan,wannacry]

firstseen:2018-01-01T00:00:00Z (av-detection:trojan OR av-detection:wannacry)

Apart from using parentheses with the same keyword, they can be used to combine multiple different keywords, operators, and even a range:

firstseen:2018-01-01T00:00:00Z (av-detection:trojan AND type:binary NOT positives:[* TO 3])
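When queries are generated from scripts (for example from an IOC feed), the quoting, list, range and length rules described above can be applied mechanically. The following Python is an added example, not ReversingLabs code; it only builds and checks query strings, the helper names are hypothetical, and refusing values that contain a double quote is an assumption made because the page documents no escape for them.

```python
import re

MAX_QUERY_LEN = 1024                      # documented limit for a single query
LOCAL_ONLY = {"filecount", "tag-user", "submission-user",
              "submission-time", "processing-status"}
RESTRICTED_WORDS = {"AND", "OR", "NOT"}   # operators are case-insensitive
RESTRICTED_CHARS = set("[]():")
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


def quote_value(value):
    """Return the value, double-quoted when the documented rules call for it."""
    value = str(value)
    if not value:
        raise ValueError("every keyword needs a value")
    if '"' in value:
        # Assumption: no escape for an embedded quote is documented, so refuse it
        raise ValueError(f"value contains a double quote: {value!r}")
    if TIMESTAMP.fullmatch(value):
        return value  # the page writes timestamps unquoted despite the colons
    must_quote = (
        any(ch in RESTRICTED_CHARS for ch in value)
        or value.upper() in RESTRICTED_WORDS
        or any(ch in value for ch in " ,_")  # "_" is a delimiter unless quoted
    )
    return f'"{value}"' if must_quote else value


def term(keyword, value):
    """keyword:value"""
    return f"{keyword}:{quote_value(value)}"


def any_of(keyword, values):
    """keyword:[v1, v2, ...]; values are comma-separated, never joined with OR."""
    values = list(values)
    if not values:
        raise ValueError("a list needs at least one value")
    return f"{keyword}:[{', '.join(quote_value(v) for v in values)}]"


def value_range(keyword, low=None, high=None):
    """keyword:[low TO high]; a missing bound becomes the open-ended *."""
    if low is None and high is None:
        raise ValueError("a range needs at least one bound")
    lo = "*" if low is None else low
    hi = "*" if high is None else high
    return f"{keyword}:[{lo} TO {hi}]"


def check_query(query, cloud=False):
    """Return a list of problems: over-long query, local-only keyword on Cloud."""
    problems = []
    if len(query) > MAX_QUERY_LEN:
        problems.append(
            f"query is {len(query)} characters; the limit is {MAX_QUERY_LEN}")
    if cloud:
        # Blank out quoted values so text inside them is not read as a keyword
        unquoted = re.sub(r'"[^"]*"', '""', query)
        used = {k.lower() for k in
                re.findall(r"(?<![\w-])([A-Za-z][\w-]*):", unquoted)}
        for kw in sorted(used & LOCAL_ONLY):
            problems.append(
                f"local-only keyword '{kw}' does not work on the Cloud tab")
    return problems


if __name__ == "__main__":
    # Rebuilds the page's NOT example from parts
    hunt = (term("av-detection", "*linux*") + " NOT "
            + any_of("classification", ["malicious", "suspicious"]))
    print(hunt, check_query(hunt, cloud=True))
    # Constructed sample value for a local-only keyword
    print(check_query("submission-user:alice " + hunt, cloud=True))
```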

Saving and Sharing Search Queries

There are several ways to save search queries on the Spectra Analyze appliance.

  1. Search queries can be saved as Favorites on the Spectra Analyze appliance itself. Run any query and click the star button to the right of the search box to save it. The query will be listed under Favorites in the Suggestions menu. It can be modified to include other search keywords and parameters, or removed from the appliance at any time. A maximum of 20 search queries can be saved in this way.

  2. Search queries can be saved using the built-in bookmarking functionality of the web browser. Run any query and bookmark the results page. In this case, any active filtering parameters (such as sorting and number of results per page) are also preserved in the bookmarked URL. A search query saved in this way will only work on the Spectra Analyze instance specified in the bookmarked URL.

Similarly, search queries can be shared in several ways:

  1. by using the Share query option on the Spectra Analyze appliance. Type in any query and click the Share button to the right of the search box. The Share Query dialog opens, where recipient email addresses have to be entered. Clicking the Share button in the dialog will send the selected query to the provided email addresses. The email Subject field will contain the username of the Spectra Analyze user who shared the query.
  2. by copying the URL of the search results page from the address bar of the browser, and sending it manually via email or other communication channel. A search query shared in this way will only work if the recipient can log into the same Spectra Analyze instance from which the query was sent.
  3. by copying a favorite query to the clipboard (hover over the query in the Favorites list and select the Copy option from the triple-dot menu), then sharing it manually via email or other communication channel.

Non-keyword Queries

Advanced search queries can be quickly built without using keywords. Non-keyword search is available only for a particular subset of indicators of compromise:

  • SHA1, SHA256 and MD5 hashes
  • URLs
  • IP addresses
  • domains
  • emails

Non-keyword Search Queries

Non-keyword searches can be performed as standalone queries containing one or more non-keyword values, or be combined with traditional keyword searches. Email and IP (IPv4, IPv6) non-keyword queries support wildcard matching.

If a list of non-keyword search values contains invalid entries, search will respond with the message “Unrecognized nonkeyword argument” and return the first invalid non-keyword. In cases where the query contains only hashes, the response returns “Invalid value for hashes field”.

Using commas between non-keyword search values will result in an invalid query. Searching for strings containing commas and other special characters is supported by using quotation marks.

For example, IPv6 addresses or URLs containing colons, commas, or brackets must be enclosed in quotation marks:

"2001:0db8:85a3:0000:0000:8a2e:0370:7334"
"http://www.evildomain.com/gate.php?13,35869"

Single non-keyword search

This can be any one of the IOCs listed above.

Example: SHA1

0000038704cb5f0e1bd87d6a75e904529af0d6ac

Multiple non-keyword search

To combine multiple non-keyword search values, separate them by space. The whole query will be enclosed in brackets and the spaces will be interpreted as the operator OR. Other operators (AND/NOT) can be explicitly provided to build more complex queries.

Example: IPv4, IPv6 and domain

127.0.0.1 "2620:119:35::35" google.com

Example: Hashes only

0000038704cb5f0e1bd87d6a75e904529af0d6ac 2abcd3fb8b7761526d177ab007c40e74 4dea2daa9a41dd6c4cb172eb6d8d8a1d1811360e21c5fa0c8ce2e20fd6903041

Non-keyword with keyword

When combining non-keyword search values with keywords, consecutive non-keyword values will be enclosed in brackets and the spaces between them will be interpreted as the operator OR. Spaces between non-keyword search values and keywords will be interpreted using the operator AND, meaning that the order of keywords and non-keyword values in the query is important.

Example: Samples containing the provided URL that are classified as goodware

"https://hope-bd.com/googledocs.php" class:goodware

Combining queries with the NOT operator

The NOT operator excludes search results that match the defined criteria.

Example: Query using the operator NOT

NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038704cb5f0e1bd87d6a75e904529af0d6ac class:MALICIOUS

Non-keyword Search Examples

| Query Type | Example | Syntax | Outcome |
| --- | --- | --- | --- |
| Single non-keyword | 0000038704cb5f0e1bd87d6a75e904529af0d6ac | NK | NK |
| Non-keyword search values combined with keywords | "https://hope-bd.com/googledocs.php" class:goodware | NK K | NK AND K |
| Multiple non-keyword values (hashes only) | 0000038[…]af0d6ac 2abcd3[…]7c40e74 4dea2da[…]6903041 | NK NK NK NK | (NK OR NK OR NK OR NK) |
| Multiple non-keyword values | 127.0.0.1 "2620:119:35::35" google.com | NK NK NK NK | (NK OR NK OR NK OR NK) |
| Multiple non-keyword values with an AND operator | mock@mockmail.com 127.0.*.1 AND google.com "https://hope-bd.com/googledocs.php" | NK NK AND NK NK | (NK OR NK) AND (NK OR NK) |
| Multiple keywords combined with multiple non-keyword values | class:MALICIOUS mock@mockmail.com google.com firstseen:2018-04-05T21:11:47Z | K NK NK K | K AND (NK OR NK) AND K |
| Combining queries with the NOT operator | NOT *@mockmail.com "https://hope-bd.com/googledocs.php" AND NOT 0000038[…]af0d6ac class:MALICIOUS | NOT NK NK AND NOT NK AND K | (NOT NK OR NK) AND NOT NK AND K |

Note

The final, transformed queries will be returned in the Advanced search box and added to the Recent queries list. They can be saved as favorites by clicking the star button to the right of the search box.
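To preview how a pasted list of indicators will be interpreted before running it, the grouping rules described in this section can be modelled in a few lines. The following Python is an added example, not the appliance's own parser; it assumes queries without parentheses, treats any unquoted `name:value` token as a keyword, and binds NOT to the value that follows it, as in the last example of the section.

```python
import re

# One token = a run of quoted strings, [bracketed lists] and other non-space text
TOKEN = re.compile(r'(?:"[^"]*"|\[[^\]]*\]|[^\s"\[]+)+')
KEYWORD = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:")   # e.g. class:goodware
OPERATORS = {"AND", "OR", "NOT"}


def classify(token):
    """Return 'AND'/'OR'/'NOT', 'K' (keyword:value) or 'NK' (non-keyword value)."""
    if token.upper() in OPERATORS:
        return token.upper()
    if token.startswith('"'):
        return "NK"          # quoted URL, IPv6 address, etc.
    return "K" if KEYWORD.match(token) else "NK"


def transform(query):
    """Model of the documented rewrite: NK NK -> (NK OR NK), NK K -> NK AND K."""
    if query.count('"') % 2:
        raise ValueError("unbalanced double quote")
    out, group, negate = [], [], False

    def flush():
        # Close the current run of consecutive non-keyword values
        if group:
            out.append(group[0] if len(group) == 1
                       else "(" + " OR ".join(group) + ")")
            group.clear()

    for token in TOKEN.findall(query):
        kind = classify(token)
        if kind == "NOT":
            negate = True
            continue
        if kind in ("AND", "OR"):      # an explicit operator ends the run
            flush()
            out.append(kind)
            continue
        if kind == "NK" and "," in token and not token.startswith('"'):
            raise ValueError("commas between non-keyword values are invalid; "
                             "quote values that contain commas")
        text = ("NOT " if negate else "") + token
        negate = False
        if kind == "K":
            flush()
        # No explicit operator before a keyword or a new run means AND
        if not group and out and out[-1] not in ("AND", "OR"):
            out.append("AND")
        if kind == "NK":
            group.append(text)
        else:
            out.append(text)
    flush()
    return " ".join(out)


if __name__ == "__main__":
    # a.example / b.example are constructed sample values
    for q in ('127.0.0.1 "2620:119:35::35" google.com',
              "a.example b.example class:malicious",
              "a.example class:malicious b.example"):
        print(q, "->", transform(q))
```

The last two sample queries contain the same three terms, yet the first matches either domain and the second requires both, which is why the order of keywords and non-keyword values matters.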

Supported Search Keywords

Group keywords

When using group keywords, the provided search query will be used with all single keywords in the group's respective list. Refer to the single keyword descriptions for more information.

Keyword aliases are enclosed in parentheses.

certificate
Group keyword
Includes: cert-issuer-name, cert-issuer-org, cert-issuer-unit, cert-subject-name, cert-subject-org, cert-subject-unit
Examples:
Case-insensitive wildcard matching is supported.
Wildcard: certificate:*micr*

certificate-country
Group keyword
Includes: cert-issuer-country, cert-subject-country
Examples:
Case-insensitive wildcard matching is supported.
List (any of the values): certificate-country:[HR, US]

document
Group keyword
Includes: document-author, document-subject, document-title, document-description
Examples:
Case-insensitive wildcard matching is supported.
List (any of the values): document:[adobe, microsoft, *confidencial]
Wildcard: document:*soft

mutex
Group keyword
Includes: mutex-config, mutex-dynamic
Examples:
The keyword is case-sensitive and doesn't accept wildcards.
Exact: mutex:111c
List (any of the values): mutex:[111c, 2124]

ipv4 (ip)
Group keyword
Includes: ipv4-static, ipv4-dynamic
Examples:
Wildcard matching supported.
Wildcard: ipv4:192.*
List (any of the values): ipv4:[1.0.0.0,1.0.2.1]

ipv6
Group keyword
Includes: ipv6-static (IPv6 address strings detected by ReversingLabs Dynamic Services)
Examples:
If the address contains colons or brackets, enclose it in quotation marks.
Wildcard matching supported.
Wildcard: ipv6:c*
Exact: ipv6:"2002::/16"
List (any of the values): ipv6:["2001:db8*", "3731:54:"]

section
Group keyword
Includes: pe-section-name, elf-section-name, macho-section-name
Examples:
Case-insensitive wildcard matching is supported.
Wildcard: section:*data
List (any of the values): section:[.ndata, bss]

segment
Group keyword
Includes: macho-segment, macho-segment-name, elf-segment-sha1
Examples:
Case-insensitive wildcard matching is supported.
Wildcard: segment:page*
List (any of the values): segment:[pagezero, text]

software
Group keyword
Includes: software-package, software-description, software-author
Examples:
The keyword does not accept wildcards.
Exact: software:"James Newton-King"
List (any of the values): software:[Microsoft, "This package consists of multiple activities that simplify the processes in Excel."]

uri
Group keyword
Includes: uri-source, uri-static, uri-config, uri-dynamic
Examples:
Case-insensitive wildcard matching is supported. (uri* keywords don't support IP addresses. For that, use ip* keywords.)
Wildcard: uri:mozilla.org*
List (any of the values): uri:[*.tor,*.onion,*.exit]

Single keywords

actor
Description: Search for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: cert-issuer-org:*authority
List (any of the values): cert-issuer-org:[verisign, microsoft]

android-app-name
Description: Search for Android applications by their process name. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: android-app-name:*SkypeApplication*
List (any of the values): android-app-name:[MainApp, *alt.ywuajgf*]

android-features
Description: Search for Android applications by their features. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: android-features:*hardware.camera*
List (any of the values): android-features:[camera, telephony]

android-import
Description: Search for Android applications by one or more shared libraries that the applications are linked against. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: android-import:org.apache.http.legacy*
List (any of the values): android-import:[sec_fe?ture, *google*]

android-package
Description: Search for Android applications by their package name. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: android-package:*com.picklieapps.player*
List (any of the values): android-package:[*ruckygames*, *skype.raider*]

android-permission
Description: Search for Android applications by their permissions. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: android-permission:*WRITE_SETTINGS*
List (any of the values): android-permission:[*storage*, *disable_keyguard*]

appid-company-name (appid-author)
Description: Search for applications and libraries by their publisher. Case-insensitive wildcard matching is supported.
Examples:
Exact: appid-company-name:"Mozilla Foundation"
List (any of the values): appid-company-name:["Mozilla Foundation", "Microsoft Corporation"]

appid-description
Description: Search for applications and libraries by their description. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: appid-description:"*Firefox Plugin Hang UI*"*

appid-product-name
Description: Search for files with a matching product name. Case-insensitive wildcard matching is supported.
Examples:
Exact: appid-product-name:"Mozilla Firefox Plugin Hang UI"
List (any of the values): appid-product-name:["Mozilla Firefox Plugin Hang UI", "Mozilla Firefox Helper"]

appid-product-type (appid-category)
Description: Search for applications and libraries by their type. Case-insensitive wildcard matching is supported.
Examples:
Exact: appid-product-type:browser
List (any of the values): appid-product-type:[browser, development]

attack-tactic
Description: Search for files that use a specific MITRE ATT&CK tactic. The keyword is case-sensitive and doesn't accept wildcards.
Examples:
Exact: attack-tactic:TA0007
List (any of the values): attack-tactic:[TA0007, TA0005]

attack-technique
Description: Search for files that use a specific MITRE ATT&CK technique. The keyword is case-sensitive and doesn't accept wildcards.
Examples:
Exact: attack-technique:T1222
List (any of the values): attack-technique:[T1222, T1112]

av-count (positives, p, antivirus)
Description: The number of antivirus scanners that have detected a sample as malicious. Currently supports any integer from 0 to 46 (46 being the number of active AV scanners).
Examples:
Exact: av-count:5
Range: positives:[10 TO 20]
Greater than 5: positives:[5 TO *]
List (any of the values): av-count:[5,3]

av-detection (engines)
Description: Detection string generated by the antivirus engines. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: av-detection:micro*
List (any of the values): av-detection:[W32.Duqu, *Vitro]

av-<name> (<name>)
Description: Search for all samples or samples of specific malware detected by a selected antivirus vendor. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: av-[vendor]:*wannacry*
List (any of the values): [vendor]:[win32, emotet]

available (in, shareable)
Description: Indicates whether a sample is available for download from the cloud. The only supported values are true and false (case-insensitive).
Examples:
available:TRUE
in: false

browser-package
Description: Search for web browser extensions by their package name. Supported package formats: Chrome, Safari, Firefox. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: browser-package:*Click2Save*
List (any of the values): browser-package:[*priiceechOp*, *iCalc*]

cert-issuer-country
Description: Search for files by the country code in the country name property field of the issuer of the certificate used to sign the file. Case-insensitive wildcard matching is supported.
Examples:
Exact: cert-issuer-country: US
List (any of the values): cert-issuer-country:[Z?,G*]

cert-issuer-name
Description: Search for files by the name of the certificate authority (CA). Case-insensitive wildcard matching is supported.
Examples:
Exact: cert-issuer-name: COMODO
List (any of the values): cert-issuer-name:[microsoft,*VeriSign*]

cert-issuer-org
Description: Search for files by the organization name of the certificate issuer. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: cert-issuer-org:*authority
List (any of the values): cert-issuer-org:[verisign, microsoft]

cert-issuer-unit
Description: Search for files by the organizational unit name of the issuer unit of the certificate authority (CA). Case-insensitive wildcard matching is supported.
Examples:
Wildcard: cert-issuer-unit:*root*
List (any of the values): cert-issuer-unit:["trust network", *root*]

cert-serial
Description: Search for a file by the serial number of the file certificate provided by the CA that issued the certificate. The keyword is case-sensitive and doesn't accept wildcards.
Examples:
Exact: cert-serial:6101CF3E00000000000F
List (any of the values): cert-serial:[<value1>,<value2>]

cert-subject-country
Description: Search for files by the country code in the country name property field of the subject to which the certificate has been issued. Case-insensitive wildcard matching is supported.
Examples:
Exact: cert-subject-country:DE
List (any of the values): cert-subject-country:[US, B*]

cert-subject-name
Description: Search for files by the name of the organization/system to which the certificate has been issued. Case-insensitive wildcard matching is supported.
Examples:
Exact: cert-subject-name:Piriform
List (any of the values): cert-subject-name:[cinectic*, google]

cert-subject-org
Description: Search for files by the organization name of the certificate authority organization (CA). Case-insensitive wildcard matching is supported.
Examples:
Exact: cert-subject-org:apple
List (any of the values): cert-subject-org:[apple, Microsoft]

cert-subject-unit
Description: Search for files by the organizational unit name inside the organization to which the certificate has been issued. Case-insensitive wildcard matching is supported.
Examples:
Exact: cert-subject-unit:"Developer Relations"
List (any of the values): cert-subject-unit:[Developer*, "Trust Network"]

cert-thumbprint
Description: Search for files by their unique certificate thumbprint. A thumbprint of a file certificate is a hash value (SHA256). The keyword doesn't accept wildcards.
Examples:
Exact: cert-thumbprint:277D42[...]2A17DD
List (any of the values): cert-thumbprint:[<value1>, <value2>]

classification (class)
Description: Search for files by their Malware Presence status designation. Accepted values: malicious, known, suspicious, unknown (case-insensitive).
Examples:
Exact: classification:malicious
List (any of the values): classification:[KNOWN, suspicious]

dex-class-name
Description: Search for DEX files by the names of classes they contain. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dex-class-name:android.content.DialogInterface.On*
List (any of the values): dex-class-name:[android.content.DialogInterface.On*, android.support.v4.*]

dex-method-name
Description: Search for DEX files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dex-method-name:unregisterCallB*
List (any of the values): dex-method-name:[getLocation, invok*]

document-author
Description: Search for files by the contents of their document author metadata property. Case-insensitive wildcard matching is supported.
Examples:
List (any of the values): document-author:[adobe, microsoft]
Wildcard: document-author:*soft

document-description (doc-description)
Description: Search for files by the document description field, as provided by the document author. Case-insensitive wildcard matching is supported.
Examples:
List (any of the values): document-description:["Carta personal", *confidencial]
Wildcard: document-description:*Math*

document-pages (doc-pages)
Description: Search for files by their number of pages. In case of spreadsheet documents, this number represents the number of sheets. The keyword accepts only integer values.
Examples:
Exact: document-pages:73
Range: document-pages:[4 TO 20]
More than 4: document-pages:[4 TO *]

document-subject
Description: Search for files by the contents of their document subject metadata property. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: document-subject:*search
List (any of the values): document-subject:[free, download]

document-title
Description: Search for files by the contents of their document title metadata property. Case-insensitive wildcard matching is supported.
Examples:
Exact: document-title:"Powered by"
List (any of the values): document-title:[*free*, README]

document-version
Description: Search for files by the contents of their document version metadata property. Wildcard matching is supported.
Examples:
Wildcard: document-version:1.1*
List (any of the values): document-version:[1.7, 2.*]

domain
Description: Search for files by any associated domain. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: domain:mozilla.org*
List (any of the values): domain:[*.tor,google.com,*.exit]

dotnet-assembly
Description: Search for .NET files by assemblies they reference. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dotnet-assembly:*mscorlib*
List (any of the values): dotnet-assembly:[*iJnJWYUQA*, "NanoCore Client"]

dotnet-method-name
Description: Search for .NET files by method names their classes call to perform an action. Method names are indexed regardless of their visibility, meaning both public and private methods are searchable. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dotnet-method-name:get_Url
List (any of the values): dotnet-method-name:[?oadCompl*, *HoldEnd]

dotnet-module-id
Description: Search for .NET files by IDs of modules they contain. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dotnet-module-id:*20DEC3DA-523F*
List (any of the values): dotnet-module-id:[*9249F5D0-1821*, *E133ACC7-60C9*]

dotnet-module-name
Description: Search for .NET files by names of modules they contain. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dotnet-module-name:*TeSt.exe*
List (any of the values): dotnet-module-name:[Posh.exe, adobe.exe]

dotnet-pinvoke-function
Description: Search for .NET files by pinvoke functions. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dotnet-pinvoke-function:EncodePointer*
List (any of the values): dotnet-pinvoke-function:["EncodePointer", "DecodePointer"]

dotnet-pinvoke-import
Description: Search for .NET files by pinvoke imports. Case-insensitive wildcard matching is supported.
Examples:
Exact: dotnet-pinvoke-import:kernel32.dll
List (any of the values): dotnet-pinvoke-import:["kernel32.dll", "user32.dll"]

dotnet-resource
Description: Search for .NET files by resources they contain. Case-insensitive wildcard matching is supported.
Examples:
Exact: dotnet-resource:"Hidden Tear"
List (any of the values): dotnet-resource:[*Orcus*, *Clientloaderform*]

dotnet-type-name
Description: Search for .NET files by type names found in them. Case-insensitive wildcard matching is supported.
Examples:
Wildcard: dotnet-type-name:Form1*
List (any of the values): dotnet-type-name:[Form1*, NetscapeRevocationUrl]
elf-section-count
DescriptionSearch for ELF files by the amount of sections they contain. The keyword accepts only integer values.
ExamplesExact: elf-section-count:5
Range: elf-section-count:[5 TO 15]
More than 5: elf-section-count:[5 TO *]
elf-section-name
DescriptionSearch for ELF files by names of the sections they contain. Case-insensitive wildcard matching is supported.
ExamplesWildcard: elf-section-name:*data
List (any of the values): elf-section-name:[.rodata, .ndata, .bss]
elf-segment-sha1 (elf-segment-hash)
DescriptionSearch for files by the SHA1 hash of their ELF segment. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: elf-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc
email-from
DescriptionSearch for files by the sender of an email associated with a file. Includes "from", "reply-to" and "sender" fields. Case-insensitive wildcard matching is supported.
ExamplesWildcard: email-from:*@kiski.net
List (any of the values): email-from:[*@domain.com, *@orbitz.com]
email-static (email)
DescriptionSearch for files by associated email address(es) detected by Spectra Core. Case-insensitive wildcard matching is supported.
ExamplesWildcard: email-static:*@Compartir.es
List (any of the values): email-static:[*@gmail.com, *@hotmail.com]
email-subject
DescriptionSearch for files by the subject of an email associated with a file. Case-insensitive wildcard matching is supported.
ExamplesWildcard: email-subject:*HackTool
List (any of the values): email-subject:[Invitation*, *Nova*]
email-to
DescriptionSearch for files by the receiver of an email associated with a file, specified in the "to" field. Case-insensitive wildcard matching is supported.
ExamplesWildcard: email-to:*@netnook.com
List (any of the values): email-to:[*@dekalb.net, *@rogers.com]
email-x-key
DescriptionSearch for files with non-standard header fields, called X-extensions. Security vendors use X-extensions to annotate emails that have been scanned using their product. Case-insensitive wildcard matching is supported.
ExamplesWildcard: email-x-key:*MDRemoteIP
List (any of the values): email-x-key:[*Indiv, *Markup]
email-x-value
DescriptionSearch for files by values stored in non-standard (X-extension) header fields. Case-insensitive wildcard matching is supported.
ExamplesWildcard: email-x-value:?HAILAND
List (any of the values): email-x-value:[Produced*, BHUTAN]
exif
DescriptionSearch for multimedia files by the contents of their EXIF metadata fields. Case-insensitive wildcard matching is supported.
ExamplesWildcard: exif:Picasa*
List (any of the values): exif:["Paint.NET v3.5.8", Picasa*]
exploit
DescriptionSearch for samples that are exploiting a specific vulnerability, identified either by ReversingLabs or by antivirus scanners.
ExamplesWildcard: exploit:cve-2024-**
List (any of the values): exploit:["CVE-2014-0114", "CVE-2018-15982"]
filecount
DescriptionSearch for a file by the number of unpacked files it contains (if it's a container). Accepts any integer number. Note: this keyword currently returns only Local samples as results.
ExamplesExact: filecount:25
Range: filecount:[3 TO 10]
More than 20: filecount:[20 TO *]
filename
DescriptionSearch for a file by its full or partial file name, predicted file name (generated by Spectra Core for samples without a file name), or file extension. Case-insensitive wildcard matching is supported.
ExamplesExact: filename:notepad.exe
List (any of the values): filename:[*.PDF, *.epub]
firstseen (fs)
DescriptionTime when a file was first analyzed by Spectra Intelligence. Supported time format is UTC timestamp.
ExamplesExact: fs:2018-04-03T12:58:27Z
Range (time period):
firstseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z]
hashes
DescriptionAllows mixing different types of hashes in one search query, without the need to explicitly name the hash type or to group hashes by type. All hash types (MD5, SHA1, SHA256) can be used with this keyword. The maximum length of a single query is 1024 characters. The keyword is case-sensitive and doesn't support wildcards.
ExamplesExact: hashes: <sha1>
List (any of the values): hashes:[<sha1>, <sha1>, <md5>, <sha256>, <md5>]
imphash
DescriptionHash based on library/API names and their specific order within the executable. Used to find similar PE files. The keyword doesn't support wildcards.
ExamplesExact: imphash:f34d5f2d4577ed6d9ceec516c1f5a744
List (any of the values): imphash:[<value1>, <value2>]
indicators
DescriptionSearch for files by their static analysis behaviors. The keyword is case-sensitive and doesn't accept wildcards. The full list of indicator IDs and their descriptions can be found at https://fileshare.reversinglabs.com/index.php/s/qkGBJNpKzZZitiN.
ExamplesExact: indicators:"2150"
List (any of the values): indicators:["2150", "2102"]
ios-app-name
DescriptionSearch for iOS applications by their name. Case-insensitive wildcard matching is supported.
ExamplesWildcard: ios-app-name:FruitNinja*
List (any of the values): ios-app-name:[FruitNinja*, *facebook*]
ios-author
DescriptionSearch for iOS applications by their author name. Case-insensitive wildcard matching is supported.
ExamplesWildcard: ios-author:*halfbrick*
List (any of the values): ios-author:[*halfbrick*, Apple*]
ios-package
DescriptionSearch for iOS applications by their package name. Case-insensitive wildcard matching is supported.
ExamplesWildcard: ios-package:*FruitNinja*
List (any of the values): ios-package:[*FruitNinja*, *facebook*]
ipv4-dynamic
DescriptionSearch for files by IPv4 address strings detected by ReversingLabs Dynamic Services. Wildcard matching supported.
ExamplesWildcard: ipv4-dynamic:192.*
List (any of the values): ipv4-dynamic:[1.0.0.0,1.0.2.1]
ipv4-static
DescriptionSearch for files by IPv4 address strings detected by Spectra Core analysis. Wildcard matching supported.
ExamplesWildcard: ipv4-static:192.*
List (any of the values): ipv4-static:[1.0.0.0,1.0.2.1]
ipv6-static
DescriptionSearch for files by IPv6 address strings detected by Spectra Core analysis. If the address contains colons or brackets, enclose it in quotation marks. Wildcard matching supported.
ExamplesWildcard: ipv6-static:c*
Exact: ipv6-static:"2002::/16"
List (any of the values): ipv6-static:["2001:db8*", "3731:54:"]
lastanalysis (la)
DescriptionSearch for files by the date and time of their last AV scan. Supported time format is UTC timestamp.
ExamplesExact: lastanalysis:2018-05-17T11:27:19Z
Range (time period):
lastanalysis:[2018-05-17T11:27:19Z TO 2018-05-24T11:27:19Z]
lastseen (ls)
DescriptionTime when a file was last analyzed by Spectra Intelligence. Supported time format is UTC timestamp.
ExamplesExact: ls:2018-04-03T12:58:27Z
Range (time period):
lastseen:[2017-12-01T11:36:59Z TO 2018-03-06T11:36:59Z]
macho-import
DescriptionSearch for MachO files by the names of imported libraries found in them. Case-insensitive wildcard matching supported.
ExamplesWildcard: macho-import:*/usr/lib/*
List (any of the values): macho-import:[/usr/lib/libgcc_s.1.dylib, /usr/lib/libSystem.B.dylib]
macho-section-count
DescriptionSearch for MachO files by the number of sections they contain. The keyword accepts only integer values.
ExamplesExact: macho-section-count:10
Range: macho-section-count:[5 TO 15]
More than 5: macho-section-count:[5 TO *]
macho-section-name
DescriptionSearch for MachO files by the names of the sections they contain. Case-insensitive wildcard matching supported.
ExamplesExact: macho-section-name:data
List (any of the values): macho-section-name:[bss, common, data]
macho-segment (macho-segment-name)
DescriptionSearch for MachO files by their segment names. Case-insensitive wildcard matching supported.
ExamplesExact: macho-segment:pagezero
List (any of the values): macho-segment:[linkedit, pagezero, text]
macho-segment-count
DescriptionSearch for MachO files by the count of segments they contain. The keyword accepts only integer values.
ExamplesExact: macho-segment-count:30
Range: macho-segment-count:[2 TO 8]
More than: macho-segment-count:[11 TO *]
macho-segment-sha1 (macho-segment-hash)
DescriptionSearch for files by the SHA1 hash of their MachO segment. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: macho-segment-sha1:116e279b55b58e5b9619aac80a8e85bfa9c839fc
macho-symbol
DescriptionSearch for MachO files by their symbol names. Case-insensitive wildcard matching supported.
ExamplesWildcard: macho-symbol:f*
List (any of the values): macho-symbol:[exit, malloc, umask]
md5
DescriptionString of hexadecimal digits representing an MD5 hash of the file sample. Keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: md5:76baa04885ec40af25294a51d8e7c006
List (any of the values): md5:[<value1>, <value2>]
mutex-config
DescriptionSearch for files by their malware configuration mutexes detected by Spectra Core. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: mutex-config:")!VoqA.I4"
Exact: mutex-config:"--((Mutex))--"
List (any of the values): mutex-config:[111c, 2124]
mutex-dynamic
DescriptionSearch for files by malware configuration mutexes detected by ReversingLabs Dynamic Services. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesWildcard: mutex-dynamic:111c*
List (any of the values): mutex-dynamic:[111c, 2124]
pdb-path (pdb)
DescriptionSearch for files associated with specific PDB (program database) paths. Used to find files with the same PDB path created during file sample compilation. If the path contains restricted characters, enclose it in quotation marks.
ExamplesExact: pdb:"D:DevTin7InstallDir"
List (any of the values):
pdb:["C:Windows", "c:Program FilesPerforce"]
pe-company-name
DescriptionSearch for PE files by the contents of their company name field in the version information metadata. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-company-name:*enix
List (any of the values): pe-company-name:[microsoft, ADOBE]
pe-copyright
DescriptionSearch for PE files by the contents of their legal copyright field in version information metadata. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-copyright:Copyright*
List (any of the values): pe-copyright:[*Corporation, regsvr32]
pe-description
DescriptionSearch for PE files by the contents of their file description field in version information metadata. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-description:*proged
List (any of the values): pe-description:[DisplaySwitch, WizardFramework]
pe-export (exports)
DescriptionSearch for PE files by exported symbol names. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-export:MS*
List (any of the values): exports:[GetMemoSize, DeleteFile]
pe-function
DescriptionSearch for PE files by the name of the function that the PE file imports. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-function:RegEnum*
List (any of the values):
pe-function:[RegEnumKeyW, GetUserNameA]
pe-import (imports)
DescriptionSearch for PE files by the name of the dynamic link library that the PE file imports. Case-insensitive wildcard matching supported.
ExamplesExact: pe-import:URLMON.DLL
List (any of the values): imports:[win*, url*]
pe-language
DescriptionFind PE files by languages mentioned in the PE file resources. Case-insensitive wildcard matching supported. See Appendix C - Available Languages for PE and Document Formats.
ExamplesExact: pe-language:russian
List (any of the values): pe-language:[eng*, Russian]
pe-original-name
DescriptionSearch for PE files by the contents of their file description field in version information metadata, and any other fields using the original name of the file. The keyword can be used to investigate how the file was named during compilation. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-original-name:crack*
List (any of the values): pe-original-name:[*install.exe, "sample doc.exe"]
pe-overlay-sha1 (pe-overlay-hash)
DescriptionFind PE files by the SHA1 hash calculated for their overlay part. Overlay hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. Keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: pe-overlay-sha1:4b4a2436b827d42b204b1f112b45d7a6d1b7ca52
List (any of the values): pe-overlay-sha1:[<value1>, <value2>, <value3>]
pe-product-name
DescriptionSearch for PE files by the contents of their product name field in version information metadata. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-product-name:*shop
List (any of the values):
pe-product-name:[Firefox, "Microsoft Word"]
pe-resource
DescriptionSearch for PE files by name or type of resources they contain. Case-insensitive wildcard matching supported.
ExamplesExact: pe-resource:Properties
List (any of the values): pe-resource:[Tcpview, Aboutbox]
pe-resource-sha1 (pe-resource-hash)
DescriptionFind PE files by the SHA1 hash calculated for their resources part. Keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: pe-resource-sha1:4260284ce14278c397aaf6f389c1609b0ab0ce51
List (any of the values): pe-resource-sha1:[<value1>, <value2>]
pe-section-count
DescriptionSearch for PE files by the count of sections they contain. The keyword accepts only integer values.
ExamplesExact: pe-section-count:15
Range: pe-section-count:[2 TO 10]
More than: pe-section-count:[5 TO *]
pe-section-name
DescriptionSearch for PE files by names of the sections they contain. The maximum section name length is 8 characters. Case-insensitive wildcard matching supported.
ExamplesWildcard: pe-section-name:*rdata
List (any of the values): pe-section-name:[.Rdata, .Ndata, *rsrc]
pe-section-sha1 (pe-section-hash)
DescriptionFind PE files by the SHA1 hash calculated for their section part. Section hashes are calculated by Spectra Core to better represent the true boundary of the file region. Users should use hash values calculated by ReversingLabs products with this keyword. Keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: pe-section-sha1:7640a007e39b487bf1dbbde6487724faa131f6a8
List (any of the values): pe-section-sha1:[<value1>, <value2>, <value3>]
pe-timestamp (pets)
DescriptionSearch for a PE file by the date when it was compiled. Supported time format is UTC timestamp.
ExamplesExact: pets:2017-06-26T00:00:00Z
Range (newer than): pets:[2018-03-06T10:57:29Z TO *]
sampletype (filetype, type, format)
DescriptionSearch for files by type as detected by Spectra Core. Case-insensitive wildcard matching supported. See Appendix B - Supported Sample Types.
ExamplesExact: sampletype:Image/None
List (any of the values): type:[elf*,macho*]
sha1
DescriptionString of hexadecimal digits representing a SHA-1 hash of the file. Keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: sha1:f1a62a7092e49577206b7361bf1a7ff0776bb6a4
List (any of the values): sha1:[<value1>, <value2>]
sha256
DescriptionString of hexadecimal digits representing a SHA-256 hash of the file sample. Keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: sha256:f35a3(...)1d2d5
List (any of the values): sha256:[<value1>, <value2>]
signer-valid-from (cert-valid-from)
DescriptionSearch for files that have been signed by certificates valid from a specific time.
ExamplesRange (newer than): signer-valid-from:[2018-03-06T10:57:29Z TO *]
signer-valid-to (cert-valid-to)
DescriptionSearch for files that have been signed by certificates valid to a specific time.
ExamplesRange (newer than): signer-valid-to:[2018-03-06T10:57:29Z TO *]
similar-to
DescriptionSearch for files that are functionally similar to the requested file hash. Functionally similar files are defined by RHA (ReversingLabs Hashing Algorithm) that identifies code similarity between unknown samples and previously seen malware samples. All hash types (MD5, SHA1, SHA256) can be used with this keyword. Only one similar-to keyword can be used in a single query. The keyword is case-sensitive and doesn't support wildcards.
ExamplesExact: similar-to: <sha1>
size
DescriptionSearch for files by size (in bytes). Accepts integers up to 2147483647.
ExamplesExact: size:30000
Range: size:[1000 TO 50000]
Greater than: size:[500000 TO *]
software-author
DescriptionSearch for software packages by their author/publisher.
ExamplesExact: software-author:"James Newton-King"
List (any of the values): software-author:["Amazon Web Services", Microsoft]
software-description
DescriptionSearch for software packages by their description.
ExamplesExact: software-description:"This package consists of multiple activities that simplify the processes in Excel."
software-package
DescriptionSearch for specific software packages. The keyword is case-sensitive and doesn't accept wildcards.
ExamplesExact: software-package:tidal
List (any of the values): software-package:[tidal, "AWSSDK.WorkLink"]
submissions
DescriptionSearch for files by the number of times they have been submitted for analysis. The keyword accepts only integer values.
ExamplesExact: submissions:3
Greater than: submissions:[3 TO *]
Less than: submissions:[* TO 4]
tag
DescriptionSearch for files by metadata tags generated by Spectra Core. Tags identify interesting properties of a sample, such as being packed, password-protected, or digitally signed. See Appendix E - Supported Tags.
ExamplesExact: tag:packed
List (any of the values): tag:[capability-execution, cert, crypto]
tag-yara
DescriptionYARA supports adding custom tags to rules. Files that match those rules get automatically tagged after analysis. This keyword looks for files tagged by YARA rules, including those that were classified by YARA tags ("malicious" and "suspicious"). Case-insensitive wildcard matching is supported. Note that changes to YARA tags are not immediately reflected in search results. For example, if a tag is removed from a YARA rule, it will still return search results until files that match the rule are reanalyzed with Spectra Core.
ExamplesExact: tag-yara:malicious
List (any of the values): tag-yara:[malicious, suspicious]
taggant-name
DescriptionSearch for PE files by name of the packer that was used to pack them. Taggant is a technology that guarantees the packed file came from a reliable source. Case-insensitive wildcard matching supported.
ExamplesExact: taggant-name:themida
List (any of the values): taggant-name:[enigma*, vmprotect*]
taggant-valid-from
DescriptionSearch for files by the time they were signed using taggant.
ExamplesRange (newer than): taggant-valid-from:[2018-03-06T10:57:29Z TO *]
taggant-valid-to
DescriptionSearch for files by the expiry time provided by taggant.
ExamplesRange (newer than): taggant-valid-to:[2018-03-06T10:57:29Z TO *]
third-party-library
DescriptionSearch for PE files by the name(s) of third-party libraries they contain. Case-insensitive wildcard matching is supported.
ExamplesExact: third-party-library:Microsoft.WindowsAPICodePack-Core
List (any of the values): third-party-library:[*oak-json*, Microsoft.Web.WebJobs*]
third-party-publisher
DescriptionSearch for PE files by publishers of the third-party libraries found in the files. Case-insensitive wildcard matching is supported.
ExamplesWildcard: third-party-publisher:Microsoft*
List (any of the values): third-party-publisher:[Microsoft*, "Xamarin Inc."]
threatlevel
DescriptionSearch for files by ReversingLabs scale of threat severity. Higher number indicates higher severity. Accepted values are 0-5.
ExamplesExact: threatlevel:3
Greater than: threatlevel:[2 TO *]
Range: threatlevel:[0 TO 3]
List (any of the values): threatlevel:[2, 3]
threatname
DescriptionSearch for files by malware threat name according to Appendix A - ReversingLabs Malware Naming Standard. Case-insensitive wildcard matching supported.
ExamplesExact: threatname:Win32.PUA.Casonline
List (any of the values):
threatname:["WIN32.PUA.casino eldorado", *crytex]
trustfactor
DescriptionSearch for files by the ReversingLabs trust factor. Trust factor indicates the trustworthiness of files. Lower number means higher trust. Accepted values are 0-5.
ExamplesExact: trustfactor:1
List (any of the values): trustfactor:[4, 5]
Range: trustfactor:[1 TO 3]
Greater than: trustfactor:[3 TO *]
uri-config (c2)
DescriptionMalware configuration C&C (Command & Control), extracted by Spectra Core. C&C infrastructure is used to control malware, particularly botnets. Case-insensitive wildcard matching is supported.
ExamplesWildcard: c2:*dns*
List (any of the values): uri-config:[dydns.org, hldns.ru]
uri-dynamic
DescriptionSearch for files by URI strings (URLs, domains) detected by ReversingLabs Dynamic Services. Case-insensitive wildcard matching is supported.
ExamplesWildcard: uri-dynamic:mozilla.org*
List (any of the values): uri-dynamic:[*.tor,*.onion,*.exit]
uri-source (itw)
DescriptionSearch for files by the URI source from which they were downloaded. Case-insensitive wildcard matching is supported.
ExamplesWildcard: uri-source:*warez*
List (any of the values): itw:[softonic.com, *cnet.com]
uri-static
DescriptionSearch for files by URI strings (URLs, domains) detected by Spectra Core. Case-insensitive wildcard matching is supported.
ExamplesWildcard: uri-static:mozilla.org*
List (any of the values): uri-static:[*.tor,*.onion,*.exit]
vertical
DescriptionSearch for files by the type of vertical feed in which they were found. Case-insensitive wildcard matching is supported.
ExamplesExact: vertical:ransomware
List (any of the values): vertical:[ransomware,apt,financial]
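The `hashes` keyword above accepts mixed MD5, SHA1 and SHA256 values, rejects wildcards, and caps a single query at 1024 characters. The following sketch is an added example (not ReversingLabs code) that validates an indicator list and splits it into `hashes:[...]` queries that respect that limit. The function names are hypothetical, and lowercasing the input is an assumption based on the keyword being case-sensitive and the page's examples being lowercase.

```python
import re

MAX_QUERY_LEN = 1024  # limit the page states for a single hashes query
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"[0-9a-fA-F]+")


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256', or None if value is not a full hex digest."""
    v = value.strip()
    if not _HEX.fullmatch(v):
        return None  # wildcards, truncated values, stray punctuation
    return HEX_LENGTHS.get(len(v))


def render(batch):
    """Format one query; a single value uses the keyword:value form seen across the page."""
    if len(batch) == 1:
        return "hashes:" + batch[0]
    return "hashes:[" + ", ".join(batch) + "]"


def build_hashes_queries(values, max_len=MAX_QUERY_LEN):
    """Return (queries, rejected): queries no longer than max_len, plus unusable inputs."""
    seen, accepted, rejected = set(), [], []
    for raw in values:
        v = raw.strip()
        if classify_hash(v) is None:
            rejected.append(raw)
            continue
        v = v.lower()  # assumption: indexed digests are lowercase, as in the page's examples
        if v not in seen:  # drop duplicates so they do not eat into the length budget
            seen.add(v)
            accepted.append(v)

    queries, batch = [], []
    for h in accepted:
        candidate = batch + [h]
        if batch and len(render(candidate)) > max_len:
            queries.append(render(batch))  # flush the full batch, start a new one
            batch = [h]
        else:
            batch = candidate
    if batch:
        queries.append(render(batch))
    return queries, rejected


# Sample input: the MD5 and SHA1 are the page's own examples; the rest is constructed.
SAMPLE = [
    "76baa04885ec40af25294a51d8e7c006",          # MD5 from the md5 keyword example
    "F1A62A7092E49577206B7361BF1A7FF0776BB6A4",  # SHA1 example, upper-cased on purpose
    "f1a62a7092e49577206b7361bf1a7ff0776bb6a4",  # duplicate of the line above
    "ab" * 32,                                   # constructed SHA256-length value
    "76baa*",                                    # wildcard: not accepted by hashes
    "f35a3(...)1d2d5",                           # truncated digest as printed on the page
]

if __name__ == "__main__":
    queries, rejected = build_hashes_queries(SAMPLE)
    for q in queries:
        print(len(q), q)
    print("rejected:", rejected)
```

With SHA256-only input, each query holds at most 15 values before the 1024-character limit forces a new batch.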

Supported File Types and Subtypes

Audio | MZ | PE+
Binary | MachO32 Big | PE16
DEX | MachO32 Little | PE32
Document | MachO64 Big | PE32+
ELF32 Big | MachO64 Little | Text
ELF32 Little | Media Container | Unknown
ELF64 Big | None | Video
ELF64 Little | PE | Image

Audio/Archive | Image/RAS | Text/Batch
Audio/HTML | Image/TIFF | Text/CCPP
Audio/None | Image/XCF | Text/CMake
Audio/Unknown | Media_Container/None | Text/CSS
Binary/Archive | MZ/DOS | Text/CSharp
Binary/None | MachO32 Big/Bundle | Text/Clojure
Binary/Unknown | MachO32 Big/Exe | Text/CoffeeScript
Binary/.Net | MachO32 Big/None | Text/Common Lisp
Binary/.Net | MachO32 Big/SO | Text/D
Binary/.Net | MachO32 Little/Bundle | Text/Dart
Binary/Executable | MachO32 Little/Core | Text/Eiffel
Binary/HTML | MachO32 Little/Exe | Text/Emacs Lisp
Binary/Relocatable | MachO32 Little/None | Text/Erlang
Binary/SO | MachO32 Little/SO | Text/FORTRAN
Binary/VXD | MachO64 Big/Bundle | Text/FSharp
DEX/Exe | MachO64 Big/Exe | Text/Factor
Document/Archive | MachO64 Big/None | Text/Go
Document/HTML | MachO64 Big/SO | Text/Groovy
Document/None | MachO64 Little/Bundle | Text/HTML
Document/Unknown | MachO64 Little/Core | Text/Haskell
ELF32 Big/Core | MachO64 Little/Exe | Text/Java
ELF32 Big/Exe | MachO64 Little/None | Text/JavaScript
ELF32 Big/None | MachO64 Little/SO | Text/LLVM
ELF32 Big/Relocatable | Media Container/DOS | Text/Lua
ELF32 Big/SO | Media Container/Dll | Text/Makefile
ELF32 Little/Core | Media Container/Exe | Text/Matlab
ELF32 Little/Exe | Media Container/None | Text/Nix
ELF32 Little/None | Media Container/Unknown | Text/None
ELF32 Little/Relocatable | None/None | Text/OCaml
ELF32 Little/SO | None/DLL | Text/Objective-C
ELF64 Big/Core | None/DOS | Text/PHP
ELF64 Big/Exe | None/Exe | Text/Pascal
ELF64 Big/None | None/HTML | Text/Perl
ELF64 Big/Relocatable | None/Relocatable | Text/Perl6
ELF64 Big/SO | None/SO | Text/PowerShell
ELF64 Little/Core | None/VXD | Text/Python
ELF64 Little/Exe | PE+/.Net Dll | Text/R
ELF64 Little/None | PE+/.Net Exe | Text/Ruby
ELF64 Little/Relocatable | PE+/Dll | Text/Scala
ELF64 Little/SO | PE+/Exe | Text/Scheme
Image/Archive | PE/.Net Dll | Text/Shell
Image/Dll | PE/.Net Exe | Text/Smalltalk
Image/Exe | PE/Dll | Text/Smarty
Image/None | PE/Exe | Text/Swift
Image/Unknown | PE/VXD | Text/Tcl
Image/BMP | PE16/Dll | Text/TeX
Image/DCM | PE16/Exe | Text/TypeScript
Image/GIF | PE32+/DLL | Text/Unknown
Image/JNG | PE32+/Executable | Text/VBA
Image/JPEG | PE32/DLL | Text/VHDL
Image/MNG | PE32/Executable | Text/Verilog
Image/PBM | PE32/VXD | Text/VimL
Image/PCT | Text/Acrobat JavaScript | Text/Visual Basic
Image/PGM | Text/ActionScript | Unknown/Unknown
Image/PNG | Text/Ada | Video/Archive
Image/PPM | Text/Archive | Video/None
Image/PSD | Text/Assembly | Video/Unknown
AbletonAMXDAbyssAHXAceAM
ActionamicsASTAdlibA2BAdlibA2F
AdLibA2MAdlibA2PAdlibA2T
AdLibBAMAdLibBNKAdvancedInputAIR
AEROAkaiAudioAKPAMComposerAMC
AmigaStudioSOUNDAMRWBAmusicADM
AmusicXMSANMAREDAMUAppleCAF
AProSysAPSAtariAVRAtariDVSM
AtariSC68AtariSNDHAtariYM
AUAudibleAAXAudioBCSTM
AudioBFSTMAudioBONKAudioDXM
AudioIDSPAudioKRAWAudioLA
AudioMLDAudioSculptureADSCAuditionABM
AuroraBMUAVMAPEXAYAmadeusAMAD
AYSTRCAZXBarsAndPipesGCHONE
BarsAndPipesGCHORDBarsAndPipesSONGBeathovenSynthesizerBSS
BeaverSweeperGTKBeepolaBBSONGBenDaglishBDS
BeniTrackerPISBeRoTrackerBRTBISWSS
BlackAndWhiteSADBleeperBMMBoomTrackerCFF
CapcomQSOUNDCBACDDA
ChipSoundAYChiptuneMTCChiptunePSG
ChiptuneTFCCompactCPTCoreDesignCORE
CreativeLabsCMFCreativeLabsSBICreativeLabsVOC
CreativeMusicORGCreativeNVFCreativeSC4
CreativeVOCCricketCKBCryoAPC
CubicTinyMXMCybertrackerC64CTCyberTrackerCI
DaveLoweDLDavidHanneyDHDavidWhittakerDW
DeFyDTMDelitrackerCustomCUSDeltaMusic2DM2
DeltaMusicDLMDeluxeINSTRDFMAudio
DiamondWareDWDDIGIBoosterDigiBoosterXPK
DigitalMugicianDMUDigitalSoundDSMDigitalSpeechDSS
DigitrakkerISTDigitrakkerMDLDigitrakkerSLP
DigitrekkerDTMDisorderTrackerPLMDLS
DolbyMLPDreamstationDSSDrumTrakerDTL
DSDAudioDSMIAMFDVF
DynamicSynthesizerDNSEarAcheEAEdiusEWC2
EdLibD00ElecbyteSNDElectronicMusicSystemEMS
EmuEmaxsynthEZ2EmuEmulatorEZ3EncoreENC
EnsoniqECWEveryonePianoEOPEveryonePianoEOPM
ExoticXADExtraSimpleXSMExtremeTrackerAMS
FaceTheMusicFTMFamiTrackerFTMFarandoleComposerFAR
FarandoleF2RFarandoleFPTFarandoleFSM
FashionTrackerEXFastTrackerXMFaustMusicSNG
FCMPackerFCMFineArtistSNDFLAC
FLStudioDMPTRNFLStudioGMSYNTHFLStudioKIK
FMFMTFMODFSBForgottenWorldsFW
FruityloopsFLPFuchsTrackerFUCHSFunComISS
FunkTrackerFNKFutureComposerSMODFuturePlayerFP
FutureVisionCMPFuxoftFXMGameboyGBR
GameboyGBSGenericHeaderGENHGlueMonGLUE
GoatTrackerSNGGoatTrackerSNGGraoumfGTK
HalionFXBHCOMHeadspace
HippelHIPCHippelSOGHivelyTrackerHVL
HowieDaviesHDHudsonHESHumanMachineHMP
ImagoIMFIMPlayISSImpulseTrackerIT
IMYInfinityACMInfinityWAVC
InStereoISInStereoIS20IvonaDAT
IxalanceIXSJamCrackerJAMKandinskyKMP
KaraBoxMKFKatorzerKATKawaiSDF
KexisKXSKingtrackerFMKKlystrackKI
KlystrackKTKonamiKSSKorgKSF
KorgSNGLaytonMODSLegglessLME
LiquidLDSLiquidLIQLiquidLQT
LiveForSpeedENGLiveForSpeedRADMacromediaSWA
MadTrackerMT2MagneticSNDMarkIIMII
MarkIIMK2MASIMUSMasterTrackerMTR
MaxonMAGICHSNMaxTraxMXTXMCMD
MDCMegastationMSMegatrackerMGT
MeridianOPLMIDIMidiMazeMZE
MikModUNIMiniVMINIBANKMIOCompressorMIO
mkwACTMKWMlatMADMMF
MMFWSNDMod2PSG2PSGMODMonkeyAPE
MonotoneMONMoonBlasterMWMoonDriverMDR
MP (MP1/MP2/MP3)MPU401MTKMSVTrackerINS
MSXMIOMSXProtrackerPROMsxSBK
MsxSBMMsxSBPMsxSBS
MT32MultakMUKMultiTrackerMTM
MUSFileMusicEditorMEDMusiclineML
MusicMakerIPMusicMakerMM8MusXMUSX
MVSTrackerMUSMVXModuleMVMNerdTrackerNED
NESTrackerNESTNintendoBFSARNintendoChiptuneNSFE
NintendoDS2SFLIBNintendoNSFNistSPH
NoiseTrekkerNTKNokiaXMFNoteSOP
NovastormMediaFileNovoTradeNTPNTRQSAV
ObisynthOSPOctaMEDMMDOGG
OggOpusOktalyzerOKTAOnyxTrackerOMF
OokTrackerTOASTOptimFROGOFROrganyaORG
OrionSamplerOSPPalladixPLXPCMSOX
PhilipsDRMPistonCollagePTCOPPistonCollagePTTUNE
PlayerProMADPlaystationPSFPlaystationVAB
PlaystationVAGPMDPolytrackerPTM
PowerTrackerPTProlinePVDPropellerheadRBS
PropellerheadRNSPropellerheadRPSPropellerheadRX2
ProrunnerPRU2ProtrackerMODProTrackerPSM
ProtrackerPT3ProtrackerPT36ProtrackerStudioPS16
ProTrekkr2PTKPsionWVEPSModulePSM
PsyclePSYPuavoHardPHPIMCPuavoHardPHPIMCI
QuadraComposerEMODQualcommQCPQuartet4Q
RARamTrackerTRKRealityAdLibTrackerRAD
RealTimeEFFRealTimeMIDRealTrackerRTM
ReasonSongRenoiseTrackerRNSRMID
RMP3RolandSVDSACDTOC
SamplevisionSMPSatcoSDXSBStudioPAC
ScreamTrackerS3MScreamTrackerSTMScrullSMF
SegaADXSegaGYMSegaSGC
SegaVGMSequencerONESFK
ShakeTrackerSTShroomSHOSID
SkaleTrackerSKMSlightAtariSAPSndToolSNDT
SnesSPCSongHMISonicArrangerInstrument
SonicArrangerSASonyOMASonySoundForgeSFI
SoundBlasterIBKSoundClubSN2SoundFXTrackerSFX
SoundtrackerST26SpchCompSPCSpeechLabNSP
SpeechLabSDSpidermanWBKSquareCSW
SquareEnixSCDSquirrelSQMStar3ST3
StarkosSKSStartrekkerNTSuntronicSUN
SunVoxSUNSYNTHSunvoxSUNVOXSuperJAMBAND
SuperJAMCHORDSSuperJAMDRUMMAPSuperJAMINSTRUMENT
SuperJAMKEYBOARDSuperJAMPATCHSuperJAMSONG
SurpriseAdLibSATSymbOSSKMSymphonieSYMMOD
SynderPlayerSNGSynthesisSYNSynTrackerSYNMOD
TaijinTJNTCBTrackerTCBTechnoSoundTRACK
TFMMusicMaker2TFEThePlayerPTHXTrackerINS
TrackerAONTrackerASTTrackerEMOD
TrackerGDMTrackerpackerTP3TrackJOY
TRSiTSSAudioTTA
TurtleBeachPBFTwinVQVQFTwZTSM
UltratrackerULTVectordeanINSVectordeanRJP
VelvetStudioAMSVentriloVRFVGMMusicMakerVGE
VirtualDJVDJVivaldiBINVortexVT2
VSamplerVSBWAVWaveZIPMCP
WavPackWVWeChatAUDWiiBRSAR
WiiBRSTMWiiRSEQXACTXSB
XACTXWBXTrackerDMFYamahaS1M
YamahaS1VYamahaTXWYamahaVIC
YamahaW9EYMSTAudioZTrackerZT
ZyxelZYX
3DConstruction3AD3DConstruction3BD3DConstruction3FD
3DConstruction3OD3DConstruction3SD3DConstructionKWD
3DConstructionOBJ3DConstructionRUN3Demon3DEMON
3DXplorMathSURFABBYYAMDAbilityXDB
AbracadataAIGAC3DGeometryACACCAReaderAR
AccelMACAccelPCBAccelSCH
ACTDocumentWPAAdobeAFMAdobeASE
AdobeCFFAdobeDimensionsDIMAdobeFDF
AdobeFMAdobeJXSBINAdobeLST
AdobeMIFAdobePDXAdobePFA
AdobePFBAdobePFMAdorageSCP
ADUAegisPSETAegisSET
AffixAFFAIBBLOGAllenQuestQRM
AltiumLDPAmateurADIAmigaguideINDEX
AmigaKontoPREFSAMOSSRCAncestralPAF
AntennaADFAOPApabiXEB
ApplauseBApplauseHLPApplauseINI
ApplauseWAppleNewtonPKGApricotKB
ArcExplorerAEPArcgisE00ArcgisPRJ
ArenaABKArtemisAPRAshampooASHPRJ
AskEnvREQASpellRWSAtariHYP
AthenaATHAtherosPRFAutexEXP
AutoCADSTLAutodeskFASAutoPromptPMT
AutoshadeRNDAvanquestPVNAVGControlCTF
AVGSTBAvidemuxIDX2AvsFLD
AWMAxialisSSPAzzcardfileTMP
BackItCFGBagpipeBWWBBeBLRF
BeepFXSPJBelltechSBPFBeyondDOC
BiewXLTBioHMMERBioRad1SC
BiosymCARBiosymDMOLBlackWidowWEB
BluRayBDMBlurayMPLSBMFontFNT
BookIMPBoomBoxBOXBoostTXT
BrainBoxBBXBrainVisionVHDRBrainVisionVMRK
BSWriterBSWCabri3DCGLCabri3DMAC
CAD6MKDCadsPlannerDRWCAJViewerKDH
CakewalkMACCakewalkOVECalamusATT
CalamusCCTCalamusCDKCalamusCDV
CalamusCRICalamusCRLCalculuxAreaCAR
CalculuxIndoorCINCalculuxRoadCROCarraraCAR
CarraraCBRCascadeBRPCCDOPSSBIG
CebraTeletextTTXCelestiaTXFCentralPointHLP
CFASTINCHAOSultdGEMCHSChemDrawCTR
ChemicalC3DChemicalCMLChemicalCTAB
ChemicalISTRChemicalRDFChemicalVAMAS
CICALCCICCineMorphPROJECTCirCAD
Citect001CloneCDCCDCLUSTALWALN
CMNPhonebookPHBCocoFlowsheetFSDColoFontMakerCFM
ComicLifeCOMICDOCCompaqCVACompleteGenomicsTSV
ConceptDrawCDDCoolPageCPGCorelCSW
CorelFINCPBackupCFGCreateaQuizQZ
CrimsonSRCCrystallographicCIFCWK
CWorthyCWACytometryICSDALayoutDIP
DartDesktopDSKDatabaseProDBDatabenchMSK
DeclanXWFDeepBurnerDBRDeledDMF
DelphiDDPDeltacadDCDemoManiacSCRIPT
DescribeDOCDesktopGuitaristDTGDexDriveGME
DGindexD2VDigiMemoDHWDISGCLGCL
DisneyXPODJVUDocumentYAML
DogwaffleOPTDraftChoiceDCWDRCRulesExportRUL
DrWebLSTDuxburyDXBDuxburyDXP
DVDAuthorGUIDVADynaDocWDLEagleEPF
EagleUSREarthResourceERSEaseCalcformCAL
EasyCADECWEasyCADFCDEasyPlotEP
EasyPrintFD2EclipseNOTEDGEDiagrammerEDG
EEDrawEEDEEDrawLIBElasticER
ElectronicEBXEmEditorESYEnableOfficeSuite
EncryptedBibleIDXEndNoteENFEndNoteENZ
EnergyPlusEPWEnoteBWSEntrustEPF
EnVisionEVPEnvoyEVYEphemerisE
ErdasRAWEurekaLogELFExpressCalcCAL
ExpresswarePDFEZSynthesizerSETEZTEXTBIN
FacetFACETFanucMEMFarallonRPL
FastCADFCDFastcadFCWFastFindFFL
FFMPEGFramehashFiascoFCOFIDAPFDNEUT
FidocadFCDFidocadFCLFidocadFCM
FIGfontFLCFIGfontFLFFinalCalcSHEET
FinaleETFFinaleMusicMUSFirstChoiceSS
FlatpakREFFlowFCSFLStudioTKP
FontSpeedoFoobar2000FPLFormulaFRM
FreeHideFolderFHFFullTiltDATFurcadiaDS
FusionDDSGambitEFGGambitNEU
GambitNFGGasteigerCTXGaussianCUBE
GdalVRTGeDRWGenepixATF
GenstatGWBGeometerGSPGhostscriptUPP
GimpGFIGGimpGGRGimpGPL
GMSHMSHGNURECGoBeProductivePVE
GObjectTYPELIBGoCadGOCADGoldenSoftwareGRD
GoodWayGWPGpstunerGMIGraalOnlineNW
GraphicWorksDVGGraphingCalcGCFGraphtecGDS
GravisFBDGreatValleyMAP2VIDEOGSColorMapCLR
GUEmapGMPGuitarProGPHamicHMC
HangulHWPHaptekHAPHardDisk000
HarmonyCSVHarvardCHTHarvardGraphics
HarvardSH3HarvardSHWHausDesignWDS
HclabHCGHealthLevelHL7HelpMagicianHLX
HelpMagicianHMPHelpScribbleHSCHeroQuestQST
HexelsXMLHL7BEDGRAPHHL7BIGBED
HL7BIGWIGHL7BROADPEAKHL7GAF
HL7GFFHL7GPADHL7GPI
HL7GTFHL7NARROWPEAKHL7TDF
HL7VCFHL7VCF4HLGuardZCFG
HLPHNSkyASTHNSkyCMT
HNSkyHNDHomeAccountsHA2HoudiniHIPNC
HTAHxCCFGHxCFPF
HydrocadHCPHyperchemHINIAGE
IBMLWPIBMSoftcopyBKIIBMSoftcopyBKS
IBMSoftcopyBOOIBMWritingDOCICEReaderIBK
idMASCFGIEEESDFIesnaIES
IgorProIGTXiMovieIMOVIEPROJIMSMusicLST
IncredimailIMBINDDIndex3by5MAP
IndianMusicOnlineMIAInfoMagicIMRInformativeCSF
InnoDATInnovMetricPOLInpageINP
InputGMVInterfileInternetShortcut
InterTalkPHONEIQYIsisDSN
IsogenPCFITSFileITSJacksumJACKSUM
JapaneseJWPJasspaEMFJavaJAD
JBuilderPMEJCreatorJCPJwCadJWC
KaraokeKSLKChessKCHKDMDESKTOP
KDPlayerKDSKiCadBRDKiCadDCM
KiCadLIBKiCadMODKiCadPHO
KiCadSCHKindleTopazAZW1KlasikRES
KlasikTABKlasikTTBKlasikTXK
KSpreadsheetSPDLabviewLVMLegatoLSS
LextekLIDLightWaveENVLightWaveLWS
LightWaveMOTLimboSBLLipsyncGPO
ListGeoLGOLogistixMSGLotus123
LotusHLPLotusLWPLotusManuscriptDOC
LotusPRELotusSTFLotusWK1
LotusWK3LotusWK45LotusWKS
MacromediaJSFLMagicDrawMDRMagicqSHW
MathCADMCFMathematicaNBMathML
MatrixMTXMaxiDeskBOOKMaxonWordDOK
MechwarriorFITMediaforgeXMFGMediaPlayerMPCPL
MerrianWebsterPDBMesaM2MessengerPlusPLD
MetasequoiaMQOMicroarrayPCLMicroImagesGPS
MicrosoftBLKeyMicrosoftExcelMicrosoftIDENTIFIER
MicrosoftMathGCWMicrosoftPowerPointMicrosoftPublisher
MicrosoftREGMicrosoftTASKMicrosoftWord
MicrostationMATMicrostationPALMidasMCB
MightyDrawMIGMikroTikRIFMinimigCFG
MinitabMTPMinitabMTWMNITransformXFM
MoldenOGLMopFileMOPMosaicHOT
MotionBVHMotorolaSKIMovieMagicMMSW
MovieSetterPRODMoxcelMXLMozartMZ
MozartMZPMSCNastranWM3MSeBookReaderLIT
MSFlightCFGMSOneNoteONEMSQuickBasic
MSRemoteDesktopRDPMSXHomeCCWMUIBuilderMUIB
MultiBitINFOMultiBitKEYMusicNotationABC
MutationMAFNasaLBLNascarSCN
NativeInstrumentsNBKTNatronNPSNaviterCUB
NearlyRawNRRDNecromancerDLGNeoBookPUB
NeoPaintPALNetCDFCDLNetfabbFABBPROJECT
NetwareMSGNeuratronOPTNeutralFNF
NextSTARTWSTNexusNEXNHTSAUDS
NimbleGenNDFNimbleGenNGDNJStarNJX
NonoPocketNGBNortonNCDNovellNAB
NTFMapFileNTFNucleotideEMBNUTSMAC
OCPlayCFGOlitextNTPOlitextOTX
OmniPageONTXOpenColorIOOCIO
OpenDocumentChartOpenDocumentDatabaseOpenDocumentFormula
OpenDocumentGraphicsOpenDocumentImageOpenDocumentMaster
OpenDocumentPresentationOpenDocumentSpreadsheetOpenDocumentText
OpenDocumentWebPageopenEHRADLOpenOfficeDatabase
OpenOfficeFormulaOpenOfficeGraphicsOpenOfficeHTML
OpenOfficeMasterOpenOfficePresentationOpenOfficeSpreadsheet
OpenOfficeTextOpenZIMOperaADR
OpticalVMDOPVaultFormatOracleTRM
orCADOPJOrenZGTOS2HLP
OsuScriptOSUOutlookEmbeddedMSGOvationDPD
OziExplorerEVTOziExplorerMAPOziExplorerPLT
OziExplorerPNTOziExplorerRTEOziExplorerWPT
PageFocusDVEPageStreamPGSPaintShopProPAL
PalmSGDATPanoramaDEMSETPanoramaSET
PaperPortFSSPaperPortMAXParacadDRG
PascalTPHPascalUPCTypeMAC
PDFPeachCalcCALPeakInformationFile
PerformFPKPersonalFontDEFPersonalFontMCR
PFSWriteDOCPGPASCPGPPrivKey
PGPPubKeyPGPSIGPhotodexPSH
PhotomergePMGPhotoparade4PPPhredPHD
PhysicsEditorPESPingPlotterPPXPiXCLPAL
PixelformersPFCOLORSPlatinenBIBPlatinenMAC
PlatinenPLAPMDrawPMDPocketTanksBBK
PocketTanksEMIPolyfilmPRFPortableBridgePBN
PostscriptPPDPowerBasicPBPowerBASICPBH
PowerTabletTEMPLATEPowerTranslatorMTPPowerWindowsPW
PremierePTLPressWorksDTPPrimaveraXER
ProcessMonitorPMLProEngineerASMProEngineerDRW
ProEngineerFRMProEngineerPRTProEngineerSEC
ProfiCADPPDPropellerheadREMOTEMAPProSpacePSA
ProtextCFGPsionAGNPsionSPR
PsionTCRPsionWRDpsitreeCONF
PTCCreoMTLPtcEngineerPRTPTCIGES
PufferAPUFPwrDevVDQandADOC
QlikViewQVWQuarkExpressQuarkImmediaIMD
QuartusCSFQuartusDBINFOQuartusFSF
QuartusJCFQuartusQWSQuartusSSF
QubicleQEFQuick3DQ3CQuickenQIF
QuillDOCRaddeveloperRADRaddeveloperRCS
RagtimeRTDRDFRDSWarriorINT
ReactionRDReactionRXNRealArcadeRGS
RealCADDRCADRealdrawRDWRealRAM
ReaperRPPRebelMVSRebelPCS
RebelRB2RegCleanerRLGRemoteKeysRKP
ReSourceRCLRhinoRWSRichardsBridgePBN
RigakuRASRocketbookRBRolandRLG
RTFSAP2000SDBSaxonSP
ScreenSwiftSSPSDIFSDTSDDF
SeeYouNDBSequenceGENBANKSequencerSRC
SettingContentSFXCALCSGRIDDLER
ShandaSNBShapefilePRJShelxRES
ShiftSHSiagOfficeSIAGSIDPLAYSID
SiemensLOGSietronicsCPISilkExplorerPEX
SimStructureSIMSlimShowSSSmartCAMSMF
SmartdrawSDRSmartnoteNOTsmARTWORKPCB
SNNSCFGSNNSNETSNNSPAT
SNNSRESSnoopTraceSNOOPSoftImageXSI
SolaceSVTSoldatBOTSosimapSOS
SpaceyesSPVSpectralSPASpectraSuitePROCSPEC
SplashIDVIDSplineSFDSQLWindowsAPT
SSHKeyStanfordOP2StarLogoSLOGO
StarLogoSLTNGStarOfficeStarViewSVM
StarWriterSDWStatisticaSCRStatisticaSTA
StatlerQLIStepManiaCRSSTKFN
STKGDStockholmSTKStudentWritingLT
StuntsDATStuntsTRACKSTWriterTXT
SupercalcCALSuperTuxSTSGSweetScape1BK
SwordsSHIPSECTIONSYLKSymantecGRD
SymantecQAIDXSymantecQAQWTSymbOSDOX
TagwriteTWWTCruiseTCDTDIFormatTXT
TeamviewerTVCTektronixEWFMTektronixTPG
TempusTWDTextmakerTMDTextpipeFLL
TextPlusTXPTheGraphicsStudioDATTheSpreadsheetTS1
ThinEdgeM15ThinmanagerDBTinkerplotsTP
TINspireTNSTINspireTNSPTIWorkbookTII
TK3eBookTK3TkSolverTKTNTMipsRVC
TomTomDATTopocadPXYTOPODAT
TorrentTotalAnnihilationFBITotalProjectPRJ
TPlotPLTTQSLCertTQ5TracerCADAK
TreeDBNotesTREEDBTreeGenerator3DTGFTreeGeneratorTGF
TRIMTR5TulipTLPTurbiscanLAB
TurboCDSKTurboDebuggerTD2TurboPascalDSK
TurboPascalHLPTurboprintTPMTurboSilverSCR
TwistMUCSCChainUCSCMAF
UCSCNETUCSCSNPUCSCWIG
UniqueSMPUniversalDataLinkURLX
USGSDOQ2VBDOSBASvCalendarVCS
vCardVCFVectorFieldOOMMFVectorMapCXF
VideoCreatorVIDVirtualCDVBLVirtViewerVV
VisiCADWKFVistaCameraSCRIPTVistaSES
VisualStudioDSPVisualStudioDSWVisualStudioPROJ
VisualStudioSLNVisualStudioVSZVivaSTORY
VuforiaQCARVuzeFileVUZEWAPBookmarkVBM
WavefrontMTLWeaponWEAPWebVideoVTT
Whisper32WSPWillMakerWW5WinampLKS
WinampM3UWinampQ1WinampSPS
WinCatCATWindevWDEWindowsCPX
WindowsNTBWineREGWinFlashFLS
WingzSCZWingzWKZWinkWNK
WinOnCDCPJWintecTK1WintecTK2
WintecTK3WintracWTFWinUAECACHE
WinWorksWohnungsPlanWDSWolfWOL
WordPerfectWordStar5WordStarTBL
WordStarWS2WorkbenchEWBWorksheetBuilderWSS
WorldConstructionCLDWorldConstructionOBJWorldConstructionPAR
WorldConstructionPREFSWorldConstructionPROJWorldConstructionWVE
WorldMachineDEVWorldMachinePREWorldMachineTMD
WritersBlockWBKWRLWS
XACTXAPXaraWIXXaraXWS
XCADSFTXemiComputersADCXenoDreamXEP
XilinxNGCXilinxNPLXMP
XPilotXP2XPlaneAFLXWindowsXPM
XWinPlotXWPYsFlightDNMYsFlightFLD
YsFlightSRFZBrushGOZZenographicsZJS
ZenWorksAXTZeroGZEGZeroXZCO
ZillionsZSGZilogZWSZXEditorZXE
ZXEditZED
AbilityAPXAbyssAEIACIS
ACRNEMAAdexIMGAdobeATF
AdorageADOAdvancedLayouterMUSAEC
AegisDRAWINGAegisGEOAIC
AIMPACS4AKVISSTROKESAladdin4D
Aladdin4DFALBAlchemyHSI
AlibreSTLAmapiA3DAmapiXSH
AmiDrawSDWAMIGRFXANI
ANIMagicMAPAOLARTApplauseG
ApplausePApplausePALAppleDFONT
ApplixwareAGArchiCADArmAModelP3D
ARRIRAWARIArtCAMARTArtCAMRLF
ArtsAndLettersGEDAtari3DAtariAPP
AtariCCIAtariGFBAtariINT
AtariMPPAtariPICAtariRGB
AtariRIPAtariSTICATFSTL
Autodesk3DSAutodeskCTBAutodeskDXF
AutodeskFBXAutodeskSHXAutodeskWIRE
AVIFAwardEPABCIF
BinvoxImageBINVOXBitmapAIPDBitmapBTPC
BitmapFGFBitmapG9BBitmapHRU
BitmapPCOBitmapZIFBlitzB3D
BlizzardBLPBlueScanBLSCBMP
BPGBrainSuiteDFSBRLCADG
BTFBugbitterBGPBYOBYSP
Cadent3DMCadStdCADCal3DCAF
Cal3DCMFCal3DCRFCal3DCSF
CalamusCFNCalamusCVGCallOfDutyIWI
CALSCameraProfileDNGCartesianCPC
CATIACaxaEXBCDR
CEGCGMChampionsCCI
ChasysCD5ChasysMATChemDrawCDX
CINCinemaScopeSEQCinespaceCSP
CloeCLOComputerEyesCE3CorelCLK
CorelCMXCorelDrawCDXCorelTEX
CosmicBLOBCPTCRW
CTFMEGMRICubicompB8CUR
CustomMaidMODELCWPALDAUBDOB
DCMDCXDDS
DeepMeshDPMDelcamDGKDelcamDMT
DelcamSTLDeluxePaintANMDemoMakerSEQ
DeskMateFIGDGNDmeshDMZ
DogwaffleLYRDogwaffleMIXDPX
DrawPlusDPPDrawStudioDSDRDrazlaceDRL
DreamcastPVRDuneGraphDC1DWF
DWGEagleBRDEaglePRO
eDrawingsEDRWEggPaintTRP
EgoPSSGEgosoftXMFElectronicArtsFSH
EMFEOTErdasLAN
ExpressGraphGRFExpression3SKSExpression3XPR
EXRExtraCADEZArtEZA
EzDrawJOYFarbfeldFFFastgrafPRF
FileEMPOFireAlpacaMDPFITS
FlashbackSPRFLIRFPFFloorPlanPlusFP
FontLabVFBFormZFractalFIF
FrameMakerFMVFreehandFHFunpaintFP2
FurcadiaFOXGemComGGPGEMImg
GeticBSPGeticGPMGeticGRF
GIFGigaScreenHLRGodot4BT
GOM3DG3DGpraherSBGFGraph2FontG2F
GraphicWorkshopTHNGreenfishGFIGrigonTEX
GRXFontFNTGSDrawGRFGTAYTD
HaikuHVIFHaikuNativeIconHardColorHCM
HarvardSYMHarvardSYWHDR
HEIFHemeraHPIHexagonHXN
HexelsHXLHitachiHRFHoopsHSF
HP49GRBHPGROHPPolynomialPTM
HSIHSTHTCSplashscreenRGB565IBMKIPS
IBMStoryBoardCAPICDRAWICNS
ICOIFSILDAILD
Image360desktop360ImageFLIFImageISS
ImageKIFImageKnifeRAWImageSoftIMG
ImageTCLImageworksSPI3DImgBurnIBG
IncredimailIM3IndyPaintTRUInfinityMOS
InfinityPLTInfinityTISInShapeIIM
IpainIPIPLBitmapIRISSC
JavelinModelMDLJB2JBBahnScenery
JBBahnVehicleJeffJIFJNG
JollyPrintJPSJPEGJPEG2000Codestream
JRALibraryJMGKahootzKTZKeyShotHDZ
KhronosKTXKidPixKPXKiriKiriTLG
KissKCFKolorKROKretzVOL
KwikDrawKWKLaserDRWLYZLaytonCFNT
LaytonCIMGLazPaintLZPLDrawLDW
LEADToolsLeagueOfLegendsANMLeagueOfLegendsSKL
LeonardoLEOLightscapeLPLightWaveLWO
LiveForSpeedCMXLogoMotionLGFLookAndFeelLNF
LotusFLGLotusFreeanceDRWLotusFreelanceCGM
LotusPICLudekLDMMacDrawDRW
MacintoshPICTMacKRAWMagicaVoxelModelRSVO
MagicaVoxelVOXMagicaVoxelXRAWMagicCameraMCE
MagickMPCMagicLanternDIFFMagicSPR
MagneticGFXMakichanMAGMalieGFMGF
MapletownMaxwellMayaIFF
MayaMAMayaMBMayaSWATCHES
MDDMediaShowPRODMegaPaintMPB
MegaPaintVEKMessiahStudioMPJMetasequoiaMQB
MetasequoiaMQPMicrografxDRWMicroMagicMMA
MIFFMilkShapeMS3DMiraMonMMZ
MisfitMM3DMNGModelDGF
MonarchMODMontagneCOLORMonuCadMCD
MotoRacerF3DMrSidSIDMRW
MSPaintMSPMSXMIGMultisim
NaiveBitmapNavisworksNWDNeoDeskNIC
NetImmerseNIFNIFTINIINintendoNANR
NintendoNCGRNokiaNGGNokiaNLM
NokiaNOLNokiaNPMNokiaNRW
NokiaNSLNomadsNTXNTitlerNT
NWiperNWObjectGraphicsOGLOLPC565
OlympusORFOS2BMPOS2CUR
OS2ICOPabloPaintPA3PaintNETPDN
PaintproPPPPaintShopProPSPPaintShopPSC
PALPCFPCLOSILK
PCXPebblePDCPGF
PhaseOneIIQPhoenixBMPPhoenixDDS
PhotoCDPCDPhotofiltrePFIPhotofiltrePFV
PhotoLinePLBPhotoLinePLDPhotoshopCSH
PhotoshopGRDPhotostudioPSFPiecewisePWC
PIImageMOTIVIPIImagePALPioneerLKD
PixArtPIXPixelmatorPXMPixiaPXA
PixieOKPixiePXIPlanePMBC
PlantWalkMODELPlaymationSEGPlaystationGIM
PlaystationP3TPMVXPMPNG
PNMPolychromePRFPolyfilm3D
PolyominoPCFPortfolioPGXPowerVRTexturePVR
PPrintCOLPPrintFRMPPrintIMA
PPrintPAGPPrintPATPraatPRAPIC
PrintShopPLYPrismPNTProShapePSP
PSPSDPsionMBM
PsionPICPsionSketchPWM
PWPQuickCADQuickDraw3DM
QuickDraw3DMFQuintusANIRAS
RasterMRFRAWRawzorRWZ
RDIBRealworldRLIRealworldRRI
RedSectorVECRembrandtTCPRenderWareRWX
RGBERhino3DMRicohJ6I
RIXRLETRERobinsonRTTEX
RolleiDCRSandiaGFFSatoriCVS
SeeYouCMRSFWBPMSFWJPEG
SFWJPEGType3SFWJPEGType4SGI
SGIYAODLYDLSGOShaperLUT3DL
ShareazaDATSignPlotSPSilkRoadDDJ
Silo3DSIBSKPSnagitSNAG
SomeraSGFSonnetSGRSourceANI
Spazio3DS3DSpeccySXGSpectraPaintsSTENCIL
SPIFST6AstrocameraST6ST6AstrocameraTBL
STADPACStatisticaSTGStrikeCommanderIFF
SunTAACSVGSxzImage
SymbOSSGXTaquartTIPTerragenTGO
TiEmuSKNTIFFTMF
TommySoftwareMPGTricksterNRITruevisionTGA
TTFTurboCADTCWTwistedMetalDPC
UleadPE4UnirastURFUnixBDF
UnrealUTXValveVTFVectorSVF
VectorworksVWXVellumVLMVeryOrdinaryVORT
VICARMAPVIFFVissimV3D
VistaBOOTSKINVisualSchnauzerP7VoxelTOX
VoxelVXLVoxlapANIMVoxlapKFA
VoxlapKV6VPHybridCADRVDWaltopTOP
WavelIWCWEBPWebshotsWB
WebshotsWBCWerescDTCWIC
WiiBRFNTWiiTPLWindowManagerCMU
Wings3DWINGSWinViewSPEWMF
WOFFWordStarWSFWorldStudio3DW
X3FXaraPGRXaraWEB
XaraXMSXboxXBXXCF
XCURXFIGVectorFIGXLPaintRAW
YamahaVGFYouiDrawYDRZBrushZTL
ZISRAWCZIZmodelerZ3DZonerBMI
ZonerBMIZonerZMFZXSpectrumCHR
ZXSpectrumMGZXSpectrumZXPZZROUGHRGH
4XMAdobeEAPAdobeFilmStripFLM
AegisMOTAegisPCAMAegisPMOT
ALRS264AmigaHVAMV
ARMovieRPLAstoundAWAAVI
BinkBIKBizHawkBKMBohemiaRTM
CompleteTCACorruptionTMVCryoHNM
DigitekNXVDiracDRCDolphinDTM
DOSWFDVIEmblazeEV2
EyemailEYEEZMovie3G2FamtasiaFMV
FinalBurnAlphaFRFreeMotionSQFFuseFMF
FutureVisionFSTGameCubeMTHGenetecG64
GremlinGDVHannaBarberaXSHHikvisionMP4
InterplayMVEIVFIVR
JPCRRJRSRKheopsKSVLightweightLVF
LotusSCMMacromediaDCRMacromediaDJR
MacromediaDXRMagicLanternMLVMagixMVD
MednafenMCMMetaMediaVEMMioMotionMIO
MKVMovieMaker3CNMovieMaker3MM
MovieMakerVMMMPGMythTVNUV
NancyNOANintendoTHPNSV
NuppelNUVOnlineTVROTRPlaystationPMF
ProVideoJOBPsygnosisVIDQuintusANI
R1MRaysMDARedcodeR3D
RMMPROQSavageANM
SegaFILMSigmaVideoSMVSilverSRC
StardockDREAMStreamSTLStuntsREPL
SWFSymbOSVIDTeamviewerTVS
TimeShiftTSVtrsvidTVTruePaintTPA
VideoMasterVIDVideoSANMVideoSER
VirtuaNESVMVVisualBoyVBMVividasVIV
VtechMJPWebExARFWebExWRF
WebMWestwoodVQAWingCommanderMVE
XDCXDVYUV4MPEG2Y4M
ActiveXASFAutodeskFLC
AWEOMTConaryPackageContainerXFBIN
CybikoCVCDaisyDSYDargonDPF
DynamixFNTDynamixMUSDynamixSCR
DynamixSNDDynamixTRKEAGamesAV
EkahauESSEmulatorUEFFLV
GameContainerSBFHaikuDeltaHPKGHALHPS
IFFLZ4MediaContainerMCF
MobiMobiBPMXF
NITFNUTOLE1.0
PalmDBPlaystationPSARCPsionAIF
QuickTimeRMFSims2PACK
Sims3PACKSingleFileSystemSFSSOL
StarlinkSDFTwistedMetalTPCVbinContainerVBIN
VivoVIVWindowsMediaWTVXZPContainerXZP
ynamixBMP

Supported Languages for PE and Document Formats

afrikaans | english belize | kannada
albanian | english can | kashmiri india
arabic algeria | english caribbean | kashmiri sasia
arabic bahrain | english eire | kashmiri
arabic egypt | english jamaica | kazak
arabic iraq | english nz | konkani
arabic jordan | english philippines | korean
arabic kuwait | english south africa | korean
arabic lebanon | english trinidad | kyrgyz
arabic libya | english uk | latvian
arabic morocco | english us | lithuanian classic
arabic oman | english zimbabwe | lithuanian
arabic qatar | english | lithuanian
arabic saudi arabia | esperanto | macedonian
arabic syria | estonian | malay brunei darussalam
arabic tunisia | faeroese | malay malaysia
arabic uae | farsi | malay
arabic yemen | finnish | malayalam
arabic | french belgian | maltese
armenian | french canadian | manipuri
assamese | french luxembourg | maori
azeri cyrillic | french monaco | marathi
azeri latin | french swiss | mongolian
azeri | french | nepali india
basque | french | nepali
belarusian | gaelic manx gaelic scottish | neutral
bengali | gaelic | norwegian bokmal
breton | gaelic | norwegian nynorsk
bulgarian | galician | norwegian
catalan | georgian | oriya
chinese hongkong | german austrian | polish
chinese macau | german liechtenstein | portuguese brazilian
chinese simplified | german luxembourg | portuguese
chinese singapore | german swiss | portuguese
chinese traditional | german | punjabi
chinese | german | rhaeto_romance
cornish | greek | romanian moldavia
croatian | gujarati | romanian
croatian | hebrew | romanian
czech | hindi | russian moldavia
danish | hungarian | russian
default | icelandic | russian
divehi | indonesian | saami
dutch belgian | invariant | sanskrit
dutch surinam | italian swiss | serbian cyrillic
dutch | italian | serbian latin
dutch | italian | serbian
english aus | japanese | sindhi
slovak | spanish peru | tswana
slovenian | spanish puerto rico | turkish
sorbian | spanish uruguay | ukrainian
spanish argentina | spanish venezuela | urdu india
spanish bolivia | spanish | urdu pakistan
spanish chile | spanish | urdu
spanish colombia | sutu | uzbek cyrillic
spanish costa rica | swahili | uzbek latin
spanish dominican republic | swedish finland | uzbek
spanish ecuador | swedish | venda
spanish el salvador | swedish | vietnamese
spanish guatemala | syriac | walon
spanish honduras | sys default | welsh
spanish mexican | tamil | xhosa
spanish modern | tatar | zulu
spanish nicaragua | telugu
spanish panama | thai
spanish paraguay | tsonga

Supported Tags

Generic tags - can be applied to many file formats

access-control-information: The file contains access control descriptors such as file permissions, group memberships or similar information about a securable object
anonymous-email: The file contains e-mail addresses from anonymous e-mail providers
cert-appendix: The file contains additional data after the certificate
cert-bad-timestamp: The file is digitally signed with a certificate that has a bad timestamp
cert-cross-signed: The file is digitally signed with a Microsoft cross-certificate for kernel mode code signing
cert-dual-signed: The file is digitally signed with two signatures that independently verify file integrity
cert-expired: The file’s certificate chain has at least one expired certificate
cert-impersonate: The file is digitally signed with a certificate that impersonates a well-known entity (e.g. Microsoft or Google)
cert-invalid: The file was signed with an invalid certificate (it didn’t pass the validation process)
cert-malformed: The file is digitally signed with a certificate that was malformed
cert-revoked: The file is digitally signed with a certificate that has been revoked
cert-revoked-aa-compromise: The file is digitally signed with a certificate that has been revoked due to AA compromise
cert-revoked-affiliation-changed: The file is digitally signed with a certificate that has been revoked due to a change in affiliation
cert-revoked-ca-compromise: The file is digitally signed with a certificate that has been revoked due to CA compromise
cert-revoked-cert-hold: The file is digitally signed with a certificate that has been put on hold (the signer has been suspended)
cert-revoked-cessation-of-operation: The file is digitally signed with a certificate that has been revoked because the signer has ceased its operations
cert-revoked-key-compromise: The file is digitally signed with a certificate that has been revoked due to private key compromise
cert-revoked-privilege-withdrawn: The file is digitally signed with a certificate that has been revoked because the signer privilege has been withdrawn
cert-revoked-remove-from-crl: The file is digitally signed with a certificate that has been removed from the revocation list
cert-revoked-superseded: The file is digitally signed with a certificate that has been revoked because it has been superseded
cert-revoked-unspecified: The file is digitally signed with a certificate that has been revoked due to an unspecified reason
cert-self-signed: The file is digitally signed with a self-signed certificate (e.g. JAR or APK)
cert-signed: The file is digitally signed with a certificate (signature may or may not be valid)
cert-signed-after-expiration: The file was digitally counter-signed after at least one certificate in the certificate chain expired
cert-signed-after-revocation: The file is digitally signed with a certificate that has been revoked at the time of signing
cert-untrusted: The file is digitally signed with a certificate that is valid, but its root CA certificate is not in the Spectra Core certificate store
cert-weak-crypto: The file was digitally signed with certificates using an old hashing algorithm (e.g. MD5) or with a short key
contains-api-key: The file contains an API key used to authenticate a user, developer, or calling program to an API
contains-archive: The file contains one or more archive files (such as ZIP, RAR, Jar)
contains-document: The file contains one or more document files
contains-elf: The file contains one or more ELF (Executable and Linkable Format) files
contains-key-secret-pair: The file contains plaintext credentials, generally used for authentication
contains-macho: The file contains one or more Mach-O files
contains-pe: The file contains one or more PE (Portable Executable) files
contains-private-key-encrypted: The file contains an encrypted PKI private key
contains-private-key-plaintext: The file contains a PKI private key
contains-script: The file contains one or more script files
contains-token: The file contains an access or refresh token generally used for authentication
contains-webhook: The file contains a private webhook which may contain sensitive information
cryptocurrency: The file has cryptocurrency-related indicators (e.g. accesses BitCoin wallet files)
dde: The file has Dynamic Data Exchange capabilities that may be used to interact with other applications
desktop: The file appears to be a desktop application (e.g. PE or ELF)
email-outlook: The file has Outlook-related indicators (e.g. accesses mailbox files, credentials)
email-pattern: The file has generic e-mail-related indicators (e.g. accesses mailbox files, credentials)
email-thunderbird: The file has Thunderbird-related indicators (e.g. accesses mailbox files, credentials)
encrypted: Contains encrypted files (e.g. password-protected archive)
entropy-high: The file has unusually high entropy (i.e. entropy > 7)
entropy-zero: The file is zero-filled (full of 00 bytes)
exif: The file has EXIF metadata (such as camera information or GPS metadata)
geotagging: The file has EXIF metadata containing GPS coordinates
guid-activex-killbit: The file contains ActiveX GUIDs with the Kill-Bit flag set
im-skype: The file has Skype-related indicators (e.g. accesses chat history, credentials)
image-corrupt: The image is corrupt because of some format discrepancy (e.g. invalid segment size)
image-malformed: The image is malformed (e.g. frame dimension is zero)
image-segment-duplicate: The image has a duplicate segment
image-segment-unexpected-location: An image segment has been found in an unexpected location
image-segment-unknown: An unknown image segment has been encountered
linguist: The file’s subtype was determined by a ReversingLabs machine learning model
machine-learning: The file was classified by a ReversingLabs machine learning model
nsis-table-invalid-offset: The NSIS installer is corrupt due to invalid table offset
nsis-table-invalid-size: The NSIS installer is corrupt due to invalid table size
ntfs-alternate-data-stream: The file contains data which was part of an NTFS Alternate Data Stream
obfuscated: The file contains obfuscated code or data
probably-packed: A heuristic method determined that the PE file may be packed
overlay: The file has an overlay (appended data at the file’s end) - applies only to PE files
password: The file is password-protected (e.g. a password-protected archive)
ransomware-artifact: The file contains artifacts associated with ransomware (e.g. mail addresses, domains)
ransomware-encrypted: The file was encrypted by known ransomware (e.g. TeslaCrypt encrypted files)
script: The file appears to be a script (e.g. shell or Javascript)
sql-query: The file contains generic SQL queries
ssh-key: The file can use or modify SSH keys
stego: The file is a result of stego extraction
stego-compressed: The file contains compressed embedded PE files
stego-embedded: The file contains plain embedded PE files
stego-encoded: The file contains encoded embedded PE files
stego-encrypted: The file contains encrypted embedded PE files
uri-banking-website: The file contains URLs related to banking and monetary institutions
uri-coinmining-domain: The file contains URLs related to coinmining services
uri-credentials: The file contains URLs that embed sign-in credentials in plaintext due to protocol requirements
uri-deceptive-file: The file contains URLs that point to executable content hidden behind double extensions
uri-domain-blacklisted: The file contains URLs that point to a known blacklisted domain
uri-domain-homoglyph: The file contains URLs that try to trick the user into thinking they are visiting a trusted domain
uri-domain-punycode: The file contains URLs that try to trick the user into thinking they are visiting a trusted domain
uri-domain-spoofed: The file contains URLs that try to trick the user into thinking they are visiting a trusted domain
uri-domain-typosquat: The file contains URLs that try to trick the user into thinking they are visiting a trusted domain
uri-dynamic-dns: The file contains URLs pointing to domains hosted on dynamic DNS
uri-hostname-length: The file contains URLs pointing to domains that are unusually long
uri-interesting-file: The file contains URLs that point to interesting files or file extensions
uri-ip-address: The file contains URLs pointing to webservers hosted on IP addresses
uri-malicious-redirect: The file contains URLs that redirect to malicious domains
uri-malware-regex: The file contains URLs that match a known malware regex pattern
uri-onion-website: The file contains URLs pointing to domains hosted on TOR network
uri-open-redirect: The file contains URLs that redirect to other domains
uri-path-length: The file contains URLs pointing to paths that are unusually long
uri-path-spoofed: The file contains URLs that point to a known sign-in path but don’t reside on the trusted domain
uri-security-website: The file contains URLs related to security product vendors
uri-shortened: The file contains shortened URLs
uri-subdomain-count: The file contains URLs pointing to paths that contain an excessive number of subdomains
uri-suspicious-path: The file contains URLs that contain a suspicious path section
uri-suspicious-port: The file contains URLs that utilize non-standard ports for the specified protocol
uri-suspicious-query: The file contains URLs that include suspicious SQL query commands
uri-suspicious-tld: The file contains URLs pointing to domains hosted on suspicious TLDs

Behavior tags - describe behavior of executables, documents, scripts, and mobile applications

account-settings-tamper: The file can tamper with user account settings
autorun: The file can tamper with autorun settings (e.g. autorun registry keys, autorun locations)
av-disable: The file can disable services related to security products
av-impersonate: The file can impersonate services related to security products
av-service-detect: The file can detect services related to security products
av-tamper: The file can tamper with services related to security products
backup-tamper: The file can tamper with backup (e.g. erases backup copies, tampers with backup settings)
bitlocker-tamper: The file can tamper with BitLocker settings
data-exfiltration: The file can exfiltrate various data (e.g. stored credentials, mailbox files, configuration data)
dns-tamper: The file can tamper with DNS configuration
dns-use: The file can use the DNS protocol (e.g. issues DNS queries, locates network services)
file-download: The file has the capability to download files
file-upload: The file has the capability to upload files
firewall-tamper: The file can tamper with firewall settings
ftp-use: The file can use the FTP protocol (e.g. to upload files, to download files)
hosts-modifier: The file can tamper with hosts file or registry keys
impersonate-native: The file can impersonate native services (e.g. impersonates Windows Explorer)
irc-use: The file can use the IRC communication protocol
log-tamper: The file can tamper with logging configuration or log files
netntlm-hash-leak: The file contains references to SMB resources that leak NetNTLM hashes
network-settings-tamper: The file can tamper with network settings
nfs-tamper: The file can tamper with NFS settings
privacy-intrusion: The file has indicators related to privacy intrusion (e.g. takes screenshots, monitors users input)
privilege-escalation: The file has the capability to elevate user privileges
process-injection: The file has the capability to write into other processes
process-termination: The file can terminate other processes
proxy: The file can access or modify proxy settings
registry-tamper: The file can tamper with the registry
security-settings-tamper: The file can tamper with various security settings (e.g. security or audit policies)
service-disable: The file can disable services
smb-tamper: The file can tamper with the SMB protocol
startup-tamper: The file can tamper with startup settings (e.g. Windows bootup process)
storage-settings-tamper: The file can tamper with storage settings
storage-tamper: The file can tamper with external storage
uac-bypass: The file can bypass User Account Control
update-disable: The file can disable update services
virtualization-settings-tamper: The file can tamper with virtualization settings
vpn-tamper: The file can tamper with VPN settings
vpn-use: The file has the capability to use VPN
web-request: The file has the capability to generate web requests
wmi-use: The file can use Windows Management Instrumentation (WMI)

Application-related tags - apply only to files with application metadata (PE, ELF, OSX, DEX, …)

arch-mips: The file’s target CPU architecture is MIPS
arch-powerpc: The file’s target CPU architecture is PowerPC
arch-sparc: The file’s target CPU architecture is SPARC
arch-x86: The file’s target CPU architecture is x86
arch-x86-64: The file’s target CPU architecture is x86-64
arch-arm-64: The file’s target CPU architecture is ARM64
arch-arm: The file’s target CPU architecture is ARM
codeview: The application has debugging symbols metadata
cui: The application uses Console User Interface subsystem (applies to PE files)
force-integrity: The file has integrity protection checks that prevent execution on change
gui: The application uses Graphical User Interface subsystem (applies to PE files)
installer: The file is an installer package
installer-plugin: The file is used only temporarily to provide additional functionality during the installation procedure
library-ad: The application contains advertising-related libraries (e.g. Adfonic)
library-analytics: The application contains advertising and usage analytics-related libraries (e.g. Google Analytics)
library-audio: The application contains audio playback related libraries (e.g. Vorbis)
library-browser: The application contains browser-related libraries
library-cloud: The application contains cloud networking-related libraries (e.g. Dropbox)
library-compression: The application contains compression-related libraries (e.g. Zip)
library-crypto: The application contains cryptography-related libraries (e.g. OAuth)
library-database: The application contains database-related libraries (e.g. MySQL)
library-development: The application contains development-related libraries
library-driver: The application contains driver-related libraries
library-educational: The application contains education-related libraries
library-email: The application contains email-related libraries
library-entertainment: The application contains entertainment-related libraries
library-gaming: The application contains gaming-related libraries
library-graphics: The application contains drawing or rendering libraries (e.g. Unity)
library-messaging: The application contains network messaging-related libraries (e.g. RabbitMQ)
library-multimedia: The application contains multimedia-related libraries (e.g. Amazon Game Circle)
library-networking: The application contains network communication-related libraries (e.g. curl)
library-productivity: The application contains productivity-related libraries
library-security: The application contains security-related libraries
library-social: The application contains social networking-related libraries (e.g. Facebook)
library-utility: The application contains programming utility libraries (e.g. ICU)
library-virtualization: The application contains virtualization-related libraries
lolbin: The file was identified as a LoLBin (living-off-the-land binary)
plugin: The application is a plugin for particular software
protection-aslr: The file has the Address Space Layout Randomisation exploit protection enabled
protection-dep: The file has the Data Execution Prevention exploit protection enabled
protection-ehc: The file has the Exception Handling Continuation exploit protection enabled
protection-cfg: The file has the Control Flow Guard exploit protection enabled
protection-ret: The file has the Retpoline exploit protection enabled
protection-rfg: The file has the Return Flow Guard exploit protection enabled
protection-mpx: The file has the Intel Memory Protection guard enabled
protection-xfg: The file has the Extreme Flow Guard exploit protection enabled
protection-cet: The file has the Intel Control-Flow Enforcement Technology guard enabled
protection-sdl: The file has been compiled to follow the Secure Development Lifecycle guidelines
protection-seh: The file has safe exception handling protection enabled
protection-stack: The file has buffer overrun exploit protection enabled
packed: The application is packed with a known packer (e.g. with UPX)
rich-header: The application has rich header metadata (applies to PE files)
reproducible-build: The application has been compiled in a reproducible way which invalidates all timestamps
sfx: The file is a self-extracting archive (an application that embeds an archive)
taggant: The application has Taggant-related metadata
tool-hacktool: The application is used to assist hacking
tool-steganography: The application has steganography capabilities
uefi: The application is designed for the UEFI subsystem (applies to PE files)
uninstaller: The application is an uninstaller for particular software
unsupported-application: The application is deprecated and no longer supported by the vendor
updater: The application is an updater for particular software
version-info: The application has version information metadata
vulnerable-with-cve: The application has a vulnerability with an assigned CVE
vulnerable-without-cve: The application has a vulnerability without an assigned CVE
xbox: The application is designed for the XBOX subsystem (applies to PE files)

Mobile-related tags - apply only to mobile applications

android-cupcake: The mobile application uses the Android API level 3
android-donut: The mobile application uses the Android API level 4
android-eclair: The mobile application uses the Android API levels 5 to 7
android-froyo: The mobile application uses the Android API level 8
android-gingerbread: The mobile application uses the Android API levels 9 to 10
android-honeycomb: The mobile application uses the Android API levels 11 to 13
android-ice-cream-sandwich: The mobile application uses the Android API levels 14 to 15
android-jelly-bean: The mobile application uses the Android API levels 16 to 18
android-kitkat: The mobile application uses the Android API levels 19 to 20
android-lollipop: The mobile application uses the Android API levels 21 to 22
android-marshmallow: The mobile application uses the Android API level 23
android-nougat: The mobile application uses the Android API levels 24 to 25
android-oreo: The mobile application uses the Android API levels 26 to 27
android-pie: The mobile application uses the Android API level 28
android-10: The mobile application uses the Android API level 29
android-11: The mobile application uses the Android API level 30
mobile: The file appears to be a mobile application (e.g. Android APK or Windows Phone applications)
mobile-custom-permissions: The mobile application has user-defined permissions
mobile-data-access: The mobile application can read and write to the external storage on the device
mobile-deprecated: The mobile application can abuse permissions from deprecated APIs
mobile-gps: The mobile application can access location services
mobile-infostealer: The mobile application can access and read information such as call logs, contacts, calendars…
mobile-logging: The mobile application can read and modify call logs
mobile-settings: The mobile application can change system settings on the device
mobile-sms: The mobile application can read, write, or receive SMS messages
mobile-telco: The mobile application can access and use the telecom connection service
mobile-voicemail: The mobile application can access and send voicemail messages

Malware tags - identify malware types and refer to other malware metadata

backdoor: The malware was identified as a backdoor
c2: The malware has an embedded malware/data configuration (e.g. C2 info or mutex)
custom-packed: The file appears to be packed with a custom packer
downloader: The malware was identified as a downloader
keylogger: The malware was identified as a keylogger
pos: The malware was identified as a point-of-sale malware
ransomware: The malware was identified as ransomware

Packer tags - refer to packer-related metadata

antidebugging: The file uses anti-debugging techniques
antidumping: The file uses anti-dumping techniques
antiemulation: The file uses anti-emulation techniques
antisandbox: The file uses anti-sandbox techniques
antitracing: The file uses anti-tracing techniques
fake-signature: The file uses fake signatures to thwart signature-based identification
import-elimination: The packed file eliminates or has eliminated its import information
import-redirection: The packed file redirects imports to make unpacking harder
pe-compression: The file has a compressed payload/configuration
pe-encryption: The file has an encrypted payload/configuration
pe-encryption-rc4: The file uses RC4 to encrypt the payload/configuration
pe-encryption-tea: The file uses TEA to encrypt the payload/configuration
polymorphic: The file was packed with a polymorphic packer
remove-ep: The packed file has a stolen original entry point
remove-header: The packed file removes the PE header during unpacking to make unpacking harder
tamper-protection: The file checks for signs of modification to make unpacking harder

Browser tags - refer to browser-related metadata

brave-reference: The file contains references to Brave or Brave-related data (e.g. accesses settings, contains Brave user agent strings)
chrome-reference: The file contains references to Chrome or Chrome-related data (e.g. accesses settings, contains Chrome user agent strings)
chrome-tamper: The file can tamper with Chrome or Chrome-related settings (e.g. performs process injection into the Chrome executable)
chromium-reference: The file contains references to Chromium or Chromium-related data (e.g. accesses settings, contains Chromium user agent strings)
chromium-tamper: The file can tamper with Chromium or Chromium-related settings (e.g. performs process injection into the Chromium executable)
edge-reference: The file contains references to Microsoft Edge or Microsoft Edge-related data (e.g. accesses settings, contains Microsoft Edge user agent strings)
firefox-reference: The file contains references to Firefox or Firefox-related data (e.g. accesses settings, contains Firefox user agent strings)
firefox-tamper: The file can tamper with Firefox or Firefox-related settings (e.g. performs process injection into the Firefox executable)
internet-explorer-reference: The file contains references to Internet Explorer or Internet Explorer-related data (e.g. accesses settings, contains Internet Explorer user agent strings)
internet-explorer-tamper: The file can tamper with Internet Explorer or Internet Explorer-related settings (e.g. performs process injection into the Internet Explorer executable)
netscape-reference: The file contains references to Netscape or Netscape-related data (e.g. accesses settings, contains Netscape user agent strings)
netscape-tamper: The file can tamper with Netscape or Netscape-related settings (e.g. performs process injection into the Netscape executable)
opera-reference: The file contains references to Opera or Opera-related data (e.g. accesses settings, contains Opera user agent strings)
opera-tamper: The file can tamper with Opera or Opera-related settings (e.g. performs process injection into the Opera executable)
safari-reference: The file contains references to Safari or Safari-related data (e.g. accesses settings, contains Safari user agent strings)
safari-tamper: The file can tamper with Safari or Safari-related settings (e.g. performs process injection into the Safari executable)
seamonkey-reference: The file contains references to SeaMonkey or SeaMonkey-related data (e.g. accesses settings, contains SeaMonkey user agent strings)
vivaldi-reference: The file contains references to Vivaldi or Vivaldi-related data (e.g. accesses settings, contains Vivaldi user agent strings)
waterfox-reference: The file contains references to Waterfox or Waterfox-related data (e.g. accesses settings, contains Waterfox user agent strings)
yandex-reference: The file contains references to Yandex or Yandex-related data (e.g. accesses settings, contains Yandex user agent strings)

Classification tags - apply only to classified files

cert-blacklisted: The file was digitally signed with a blacklisted certificate
cert-whitelisted: The file was digitally signed with a whitelisted certificate
cloud: The file was classified by ReversingLabs Malware Presence (e.g. the hash is a well-known threat)
exploit: The file was classified by Spectra Core exploit detection from an unpacker or a validator (e.g. RTF)
graylisting: The file was classified by graylisting (e.g. an archive containing only text files)
hierarchy-analyzer: The file was classified by Spectra Core file hierarchy analysis (e.g. embedded executables within a document format)
image-analyzer: The file was classified by Spectra Core image analyzer (e.g. suspicious data was found within an image)
ricc: The file was classified by Spectra Core RICC (e.g. RHA classification, RICC rule classifications)
signature: The file was classified by Spectra Core signature
antivirus: The file was classified by an AntiVirus component
ng-antivirus: The file was classified by a NextGen AntiVirus component
yara: The file was classified by a YARA rule

Capability tags - refer to capabilities of executables, documents, and mobile applications

capability-advertising: The file has advertising-related capabilities (e.g. AdMob) - applies to documents and mobile formats
capability-bluetooth: The file can use Bluetooth to communicate with other devices - mobile-specific tag
capability-camera: The file has access to the camera - applies to documents and mobile formats
capability-cryptography: The file has cryptography-related capabilities (e.g. it can encrypt or hash data and files)
capability-deprecated: The file uses deprecated APIs
capability-embeds: The file has other files embedded within (e.g. an iframe or an OLE object) - document-specific tag
capability-execution: The file has execution-related capabilities (e.g. an application can spawn new processes or threads)
capability-filesystem: The file has filesystem-related capabilities (e.g. it can open and read files)
capability-identification: The file has access to user or device identity - mobile-specific tag
capability-microphone: The file has access to the microphone - applies to documents and mobile formats
capability-networking: The file has networking-related capabilities (e.g. it can open a socket and send/receive data)
capability-nfc: The file can use Near Field Communication (NFC) to communicate with other devices - mobile-specific tag
capability-scripting: The file uses a scripting language (e.g. a document contains and uses macros) - document-specific tag
capability-security: The file has security-related capabilities
capability-social: The file has access to social components or providers (e.g. Facebook) - applies to documents and mobile formats
capability-undocumented: The file uses undocumented functions
capability-vpn: The file can access VPNs - mobile-specific tag
capability-wallet: The file has access to user’s wallet - mobile-specific tag

Indicator tags - refer to indicators found in executables, documents, scripts, and mobile applications

An indicator tag will be emitted by Spectra Core only if the priority of a particular indicator is not low (i.e. priority > 3).

indicator-anomaly: The file contains unusual characteristics (e.g. contains known whitelisted executable filenames)
indicator-autostart: The file tampers with autostart settings (e.g. tampers with autorun locations)
indicator-behavior: The file automatically executes activities as a user (e.g. changes username or password, prints a document)
indicator-disable: The file disables system services (e.g. tampers with Windows Update)
indicator-document: The file exhibits unusual activities when handling documents (e.g. PDF that creates new documents)
indicator-evasion: The file tries to evade common debuggers, sandboxes or analysis tools (e.g. VM environment detection)
indicator-execution: The file creates other processes or starts other applications (e.g. creates a service, installs system drivers)
indicator-exploit: The file contains known exploits against the system
indicator-family: The file is associated with known malicious families
indicator-file: The file accesses other files on the filesystem in an unusual way (e.g. creates a cryptographic hash of file contents)
indicator-flow: The file leaks sensitive information to external hosts or creates new files with sensitive data (e.g. exports PDF form fields to files)
indicator-macro: The file contains or executes macro functions or scripts (e.g. contains UNIX shell scripts, executes actions associated with bookmarks)
indicator-memory: The file tampers with memory of foreign processes (e.g. does process injection)
indicator-monitor: The file has the ability to monitor host activities (e.g. accesses a list of logged on users)
indicator-network: The file has network-related indicators (e.g. downloads a file, tampers with DNS settings)
indicator-packer: The file contains obfuscated or encrypted code or data (e.g. base64 encoded streams)
indicator-payload: The file extracts and launches new behavior in an unusual way (e.g. injects CSS into a page)
indicator-permissions: The file tampers with or requests additional permissions for execution (e.g. tampers with user/account privileges)
indicator-registry: The file accesses registry and configuration files in an unusual way (e.g. tampers with Windows registry settings)
indicator-search: The file enumerates or collects information from a system (e.g. enumerates network shares or mounted drives)
indicator-settings: The file accesses or tampers with system settings (e.g. enumerates system information)
indicator-signature: The file matches a known signature (e.g. contains known compression libraries, HTTP header fields)
indicator-steal: The file steals and leaks sensitive information (e.g. accesses Outlook account information and address book)
indicator-stealth: The file tries to hide its presence (e.g. tampers with window transparency settings, tampers with firewall settings)

String tags - related to Spectra Core interesting strings

string-file: The file contains interesting strings related to the file URI scheme
string-scp: The file contains SCP-related interesting strings
string-callto: The file contains interesting strings related to the CallTo communication protocol
string-h323: The file contains interesting strings related to the H.323 multimedia communication protocol
string-webcal: The file contains interesting strings related to iCalendar files
string-ftp: The file contains FTP-related interesting strings
string-http: The file contains HTTP-related interesting strings
string-https: The file contains HTTPS-related interesting strings
string-mailto: The file contains mailto-related interesting strings
string-sftp: The file contains SFTP-related interesting strings
string-sip: The file contains SIP-related interesting strings
string-ssh: The file contains SSH-related interesting strings
string-telnet: The file contains Telnet-related interesting strings

Compression and crypto tags - related to identified compression and crypto content

compression-brotli: The file has content related to Brotli compression algorithm
compression-bzip2: The file has content related to BZip2 compression algorithm
compression-deflate: The file has content related to Deflate compression algorithm
compression-dicky: The file has content related to Dicky compression algorithm
compression-gipfeli: The file has content related to Gipfeli compression algorithm
compression-gzip: The file has content related to GZip compression
compression-inflate: The file has content related to Inflate compression algorithm
compression-lz4: The file has content related to LZ4 compression algorithm
compression-lzfse: The file has content related to LZFSE compression algorithm
compression-lzhuf: The file has content related to LZHUF compression algorithm
compression-lzma: The file has content related to LZMA compression algorithm
compression-ncompress42: The file has content related to Ncompress42 compression algorithm
compression-pithy: The file has content related to Pithy compression algorithm
compression-pkzip: The file has content related to PKZIP compression algorithm
compression-pucrunch: The file has content related to Pucrunch compression algorithm
compression-snappy: The file has content related to Snappy compression algorithm
compression-unlzx: The file has content related to UnLZX compression algorithm
compression-unrarlib: The file has content related to unrarlib compression algorithm
compression-zip: The file has content related to Zip compression
compression-zlib: The file has content related to Zlib compression algorithm
compression-zstd: The file has content related to Zstd compression algorithm
crypto-acss: The file has content related to ACSS algorithm
crypto-adler-crc32: The file has content related to Adler-32 algorithm
crypto-base32: The file has content related to Base32 algorithm
crypto-base64: The file has content related to Base64 algorithm
crypto-base64url: The file has content related to Base64URL algorithm
crypto-bcrypt: The file has content related to BCrypt algorithm
crypto-bhencode: The file has content related to Bhencode algorithm
crypto-blake: The file has content related to Blake algorithm
crypto-blowfish: The file has content related to Blowfish algorithm
crypto-bmw512: The file has content related to BMW-512 algorithm
crypto-botan: The file has content found in Botan cryptography library
crypto-camellia: The file has content related to Camellia algorithm
crypto-cast: The file has content related to CAST algorithm
crypto-cast256: The file has content related to CAST-256 algorithm
crypto-clefia: The file has content related to CLEFIA algorithm
crypto-collision: The file contains blocks used in SHA-1 collision attacks
crypto-crc32: The file has content related to CRC32 algorithm
crypto-cryptlib: The file has content found in Cryptlib cryptography library
crypto-cryptopp: The file has content found in Cryptopp (Crypto++) cryptography library
crypto-des: The file has content related to DES algorithm
crypto-desx: The file has content related to DESX algorithm
crypto-dsa: The file has content related to Digital Signature Algorithm (DSA)
crypto-ecc: The file has content related to Elliptic-curve cryptography (ECC)
crypto-frog: The file has content related to FROG algorithm
crypto-gnupg: The file has content found in GnuPG cryptography library
crypto-gnutls: The file has content found in GnuTLS cryptography library
crypto-gost: The file has content related to GOST algorithm
crypto-haval: The file has content related to HAVAL algorithm
crypto-hmac: The file has content related to HMAC algorithm
crypto-ike: The file has content related to Internet Key Exchange (IKE)
crypto-kasumi: The file has content related to KASUMI algorithm
crypto-keccak: The file has content related to Keccak algorithm
crypto-mars: The file has content related to MARS algorithm
crypto-md2: The file has content related to MD2 algorithm
crypto-md4: The file has content related to MD4 algorithm
crypto-md5: The file has content related to MD5 algorithm
crypto-md5mac: The file has content related to MD5-MAC algorithm
crypto-misty1: The file has content related to Misty1 algorithm
crypto-misty2: The file has content related to Misty2 algorithm
crypto-nacl: The file has content found in NaCl cryptography library
crypto-nettle: The file has content found in Nettle cryptography library
crypto-noekeon: The file has content related to NOEKEON algorithm
crypto-nss: The file has content found in NSS cryptography library
crypto-nush: The file has content related to NUSH algorithm
crypto-openbsd-base64: The file has content related to OpenBSD Base64 algorithm
crypto-openssl: The file has content found in OpenSSL cryptography library
crypto-pbkdf2: The file has content related to PBKDF2 algorithm
crypto-pkcs: The file has content related to Public Key Cryptography Standards (PKCS)
crypto-rawdes: The file has content related to RawDES algorithm
crypto-rc2: The file has content related to RC2 algorithm
crypto-rijndael: The file has content related to AES (Rijndael) algorithm
crypto-ripemd128: The file has content related to RIPEMD-128 algorithm
crypto-ripemd160: The file has content related to RIPEMD-160 algorithm
crypto-ripemd256: The file has content related to RIPEMD-256 algorithm
crypto-ripemd320: The file has content related to RIPEMD-320 algorithm
crypto-rsa: The file has content related to RSA algorithm
crypto-rtss: The file has content related to Robust Threshold Secret Sharing (RTSS)
crypto-safer: The file has content related to SAFER algorithm
crypto-salsa20: The file has content related to Salsa20 algorithm
crypto-seed: The file has content related to SEED algorithm
crypto-serpent: The file has content related to Serpent algorithm
crypto-sha1: The file has content related to SHA-1 algorithm
crypto-sha224: The file has content related to SHA-224 algorithm
crypto-sha256: The file has content related to SHA-256 algorithm
crypto-sha384: The file has content related to SHA-384 algorithm
crypto-sha512: The file has content related to SHA-512 algorithm
crypto-shark: The file has content related to Shark algorithm
crypto-siphash: The file has content related to SipHash algorithm
crypto-skein: The file has content related to Skein algorithm
crypto-skipjack: The file has content related to Skipjack algorithm
crypto-sms4: The file has content related to SMS4 algorithm
crypto-sosemanuk: The file has content related to Sosemanuk algorithm
crypto-square: The file has content related to Square algorithm
crypto-tiger: The file has content related to Tiger algorithm
crypto-tripledes: The file has content related to TripleDES algorithm
crypto-turing: The file has content related to Turing algorithm
crypto-twofish: The file has content related to Twofish algorithm
crypto-unicorn: The file has content related to Unicorn algorithm
crypto-uuencode: The file has content related to UUencode algorithm
crypto-wake: The file has content related to Wake algorithm
crypto-whirlpool: The file has content related to Whirlpool algorithm
crypto-x509: The file has content related to X.509 standard
crypto-xxencode: The file has content related to XXencode algorithm

Email specific tags - related to email content

email-deceptive-sender: The display name of one of the senders contains a string resembling an email address with a domain different from the specified email address
email-returnpath-mismatch: The “Return-Path” header contains an email address with a domain that is different from the domain of the sender
email-replyto-mismatch: The “Reply-To” header contains an email address with a domain that is different from the domain of the sender
email-sender-mismatch: The “Sender” header contains an email address with a domain that is different from the domain specified in the “From” header
email-envelopefrom-mismatch: The “X-Envelope-From” header contains an email address with a domain that is different from the domain of the sender
email-receivedtime-mismatch: The “Date” header indicates a time that is in the future or more than 1 hour before the time specified in the “Received” header
email-spf-fail: Headers indicate that the SPF (Sender Policy Framework) check has failed
email-dkim-fail: Headers indicate that the DKIM (Domain Keys Identified Mail) check has failed
email-dmarc-fail: Headers indicate that the DMARC (Domain-based Message Authentication, Reporting & Conformance) check has failed
email-pgp: Email is signed and/or encrypted using “Pretty Good Privacy”
email-smime: Email is signed and/or encrypted using “Secure/Multipurpose Internet Mail Extensions”
email-attachment: Email contains at least one attachment
email-deceptive-extension: Email attachment contains multiple extensions (e.g. “file.doc.exe”)
email-body-plain: Content of email body is available in plain text format
email-body-rtf: Content of email body is available in RTF format
email-body-html: Content of email body is available in HTML format
email-impersonation: The display name of one of the senders impersonates a popular service
email-signature-impersonation: Email contents impersonate an email commonly sent by a popular service
email-urgency: Email contains multiple phrases that imply a sense of urgency
email-sensitive-topic: Email contains multiple phrases related to sensitive topics
email-hidden-text: Email contains a hidden block of text designed to trick classification systems
email-subject-spam: Email subject contains phrases common to spam messages
email-subject-phishing: Email subject is commonly used in phishing messages
email-anonymous-provider: Email is sent using an anonymous email provider

Format specific tags - apply only to specific file formats

html-frame: The HTML file contains one or more IFRAME tags
html-form: The HTML file contains one or more FORM tags
html-input: The HTML file contains one or more INPUT tags
html-password: The HTML file contains one or more tags with the “password” attribute
html-image: The HTML file contains one or more IMAGE tags
html-canvas: The HTML file contains one or more CANVAS tags
html-object: The HTML file contains any of the following tags: APPLET, AUDIO, EMBED, OBJECT, SOURCE, VIDEO
html-download: The HTML file contains one or more links with the “download” attribute
html-local-link: The HTML file contains one or more links to local files
html-tracking: The HTML file contains one or more tracking pixels
html-popup: The HTML file contains an A tag with target=”_blank” attribute
html-wsffile: The HTML file contains an A tag with href=”jsffile:…” or href=”wsffile:…” or href=”wsfhile:…”
font-embedded: The HTML file contains embedded fonts
deceptive-link: The HTML file contains potentially deceptive links
platform-unix: The quarantine file was created by a security solution running on a UNIX-like operating system
platform-windows: The quarantine file was created by a security solution running on the Microsoft Windows operating system
quarantine-manual: The quarantine file was added to the quarantine manually by a user, not as a result of an automatic detection by the security solution
quarantine-malicious-content: The quarantine file contains any number of remediated malicious content associated with a detected threat
quarantine-threat-metadata: The quarantine file contains metadata describing the antivirus specific threat which triggered the remediation
version-control-artifact: The file is part of a control structure for a version control repository (e.g. an index or revision data)