Spectra Detect Report Schema

Introduction​

This document describes data in the report of the analysis performed by a Spectra Detect Worker.

Notable changes​

The format of the report has changed since the last version of this document (v1.6):

• The classification field now contains rca_factor, a unique measure of the trustworthiness of a sample (read more in Classification).
• The classification field also contains a result, which provides the threat name.
• Results by individual scanners may be ignored.
• Attack indicators now have descriptions, categories, relevance, and a unique numeric ID.
• The interesting_strings and story sections have additional fields.
• There is more information for analyzed PE files, including a security_grade.
• The metadata section has been reorganized (read the full list of metadata changes in Appendix D):
  • redesigned security, media and browser fields
  • added signatures, certificates, package, attack and malware fields
  • removed certificate field

Data Analysis Workflow​

1. Check the file threat score and classification in the Classification section:

• classification
  • 0: Unknown
  • 1: Goodware
  • 2: Suspicious
  • 3: Malicious
• rca_factor (if classification is not 0) is the trust or threat level, ranging from 0 to 10:
  • 0 represents highest trust
  • 10 represents most dangerous threat
• result shows the threat name (only visible if the analyzed file is a threat)

2. Analyze interesting strings and strings section

• Check URL and IP address information if present

3. Check the file itself

• File name
• File format (type, sub-type, format/packer)

4. Check the Tags section

• File type in conjunction with Tag can flag a file with potentially malicious intent
• Interesting tags:
  • anonymous-email
  • cert-expired
  • cert-invalid
  • cert-revoked-...
  • cert-untrusted
  • cert-self-signed
  • starts with contains-
  • cryptocurrency
  • starts with ransomware-
  • starts with uri-
  • starts with av-
  • data-exfiltration
  • file-download
  • ftp-use
  • starts with privacy-
  • backdoor
  • c2
  • custom-packed
  • downloader
  • keylogger
  • pos
  • ransomware
  • anti...
  • cert-blacklisted
  • starts with capability-
  • starts with indicator-
  • starts with email-
  • deceptive-link
• PDF files
• check Tags starting with indicator- and capability- to see if the PDF file can execute files or download files
• Microsoft Office files
• Check whether VBA Scripts/Macros present and exhibit suspicious indicators - see tags such as indicator-macro and starting with indicator- and capability-

5. Check extracted file statistics

• High entropy value (maximum is 8) can be a sign of obfuscation

6. Microsoft .NET files

• Check called functions

7. JAVA dex files

• Check called functions

8. Adobe Flash files

• Check called ActionScript functions

9. Check YARA matches if any

• YARA section

10. Check file certificate

• Check certificate section whether certificate is valid

11. Check file validation

• Check validation section to see if the file is malformed, or if the file certificate is blacklisted

12. Check who compiled the file and when, sometimes that reveals interesting information

• PDB Path section
• Debug symbols link in the compiled file, can contain information of the machine that compiled the malware
• Compile Date
• Look at the Signer section

13. Check whether file is similar to other files of the same status (MALICIOUS/SUSPICIOUS)

• Use RHA statistics section

14. Windows executables

• Check PE VS_Info section
• Check if the file content is protected
  • PE Protection section
• Check the content in taggant section

Basic Data Types​

Reports received from Spectra Detect Worker will have fields with the following data types:

Other data types (enum, list, struct, struct-list) link to their own sections where their components are listed in terms of basic data types.

Spectra Detect Report​

The root of the report contains the following fields:

Analysis​

In the tc_report field of a Spectra Detect report, the following fields are possible:

Classification​

The key information here is the classification field, which will be a number from 0 to 3:

Other fields provide more info:

Scanner result​

Different scanners have their own individual classifications, which are then used as components to form the final classification. See the next section for an overview of used scanners.

Spectra Core Classification Scanners​

YARA​

YARA string​

YARA string match​

Relationships​

If this section is enabled in the report service, it lists all children files (and their children files) of the analyzed file.

The full analysis report includes additional parent/child metadata in the form of index numbers starting with 0 and ending with N, where 0 indicates the starting ("root" parent) file, and N the last extracted child file.

If you notice any of the documents embedded in MS DOC, RTF or PDF files of the types documented in Appendix A: Suspicious Embedded File Types there is a reasonable possibility that the original, parent file has malicious intent.

Info​

Statistics​

file_stats_item​

file_stats_item_identification​

File​

Some archive files (containers) preserve file modification dates, which are propagated down to their children files (contained files). This metadata is stored in the file_properties section.

Identification​

Binary Layer​

binary_layer_type (enum)​

• unknown
• resource
• section
• overlay
• stego

Validation​

Validation Result​

validation_description (enum)​

• bad_checksum
• bad_signature
• invalid_certificate
• expired_certificate
• blacklisted_certificate
• whitelisted_certificate
• malformed_certificate
• self_signed_certificate
• impersonation_attempt
• untrusted_certificate
• revoked_certificate
• revoked_certificate_unspecified
• revoked_certificate_key_compromise
• revoked_certificate_ca_compromise
• revoked_certificate_affiliation_changed
• revoked_certificate_superseded
• revoked_certificate_cessation_of_operation
• revoked_certificate_hold
• revoked_certificate_remove_from_crl
• revoked_certificate_privilege_withdrawn
• revoked_certificate_aa_compromise
• signed_after_revocation
• bad_certificate_timestamp
• security_catalog
• signed_after_expiration

scanner_type (enum)​

• generic
• av
• sandbox
• validator
• unpacker
• internal
• cloud
• user_override
• certificate
• whitelisting
• analyst_override
• ng_av

Unpacking​

unpacking_status (enum)​

• unknown
• failed
• success
• partial

Overlay​

overlay_from (enum)​

• pe
• pe_security_directory
• archive
• binary
• container
• document
• scripts
• text
• video
• image

Metadata​

This section contains the information about a sample extracted from static analysis. The information that is retrieved depends on the sample type, so some sections will not contain any data if they are inapplicable to the sample type.

Application (Metadata)​

The capabilities provide a brief overview of actions that a sample is capable of performing by outlining its basic features. Capabilities are expressed as a bit array (several capabilities can be expressed with one number code), and the name of each bit is provided.

Capabilities bit array for PE files

These are named and expressed in terms of bits as well (bitwise operations), with an additional clarification for what each bit represents.

• none_k = 0,
• clipboard_k = 1 << 0, whether app has capability for managing the clipboard
• ipc_k = 1 << 1, whether app has capability for inter-process communication
• threads_k = 1 << 2, whether app has capability for using and managing threads
• processes_k = 1 << 3, whether app has capability for using and managing processes
• storage_k = 1 << 4, whether app has capability for managing storage devices or volumes
• filesystem_k = 1 << 5, whether app has capability for managing files or folders
• peripherals_k = 1 << 6, whether app has capability for managing peripheral hardware devices
• user_input_k = 1 << 7, whether app has capability for receiving user input
• hardware_interfaces_k = 1 << 8, whether app has capability for managing hardware interfaces, ports or buses
• networking_k = 1 << 9, whether app has capability for network communication
• cryptography_k = 1 << 10, whether app has capability for cryptographic operations
• security_k = 1 << 11, whether app has capability for managing security contexts
• system_k = 1 << 12, whether app has capability for accessing operating system facilities
• modules_k = 1 << 13, whether app has capability for using additional modules
• memory_management_k = 1 << 14, whether app has capability for requesting and managing memory
• user_interface_k = 1 << 15, whether app has capability for managing the user interface
• command_line_k = 1 << 16, whether app has capability for using command line interface
• time_and_date_k = 1 << 17, whether app has capability for managing time information or timers
• identity_k = 1 << 18, whether app has capability for user identity management
• monitoring_k = 1 << 19, whether app has capability for system status monitoring
• configuration_k = 1 << 20, whether app has capability for managing system settings or configurations
• compression_k = 1 << 21, whether app has capability for compressing or extracting data
• multimedia_k = 1 << 22, whether app has capability for graphics, animation, audio or video
• deprecated_k = 1 << 23, whether app has capability for using deprecated functionality
• undocumented_k = 1 << 24, whether app has capability for using undocumented functionality
• application_management_k = 1 << 25, whether app has capability for managing applications
• service_management_k = 1 << 26, whether app has capability for managing services
• messaging_k = 1 << 27, whether app has capability for sending messages
• protection_k = 1 << 28, whether app has capability for securing the execution environment
• drivers_k = 1 << 29, whether app has capability for managing drivers or kernel modules

PE​

Analysis​

Issue​

DOS header​

Rich header​

Entry​

File header​

Optional header​

Data directory​

PE section​

Import​

Export​

Resource​

Codeview​

Taggant​

Packer info​

ELF​

Program header​

ELF section​

ELF Symbol​

Dynamic table​

Macho​

Segment​

Macho section​

Macho Symbol​

Dex​

Dex Class​

Annotation​

Attribute

Method​

Parameter

Field (Dex)​

Dotnet​

.NET Method​

Pinvoke info​

Parameter​

Assembly​

Type​

Field​

Event​

Properties​

.NET Resource​

Exported type​

Identity​

identity_type (enum)​

• ad
• social
• other
• graphics
• audio
• cloud
• messaging
• compression
• analytics
• database
• crypto
• utility
• multimedia
• networking
• browser
• security
• virtualization
• development
• productivity
• email
• gaming
• entertainment
• educational
• driver
• package

Verification (enum)​

• not_verified
• sha256_hash
• authentihash
• certificate
• cloud_source

Protection​

Security​

Vulnerability​

CVSS​

Access​

access_type (enum)​

• user
• group
• other
• unknown

Behaviour​

This section describes how a file would behave if executed. It lists values related to the registry, paths when executing, renaming or copying files, shortcuts that might be used, and more. This section will become available when analyzing PDFs, Docker files, as well as various installers.

Registry​

Values that the program sets in the Windows Registry.

Copy​

Rename​

Process start​

Shortcut​

Information on shortcuts related to a file. hotkey designates the keyboard shortcut used to start the program.

Remove​

Edit ini​

URI​

Information on a URI that a file is trying to connect to.

{"uri_string": "https://bad_domain.evil/malware/infection",
 "protocol": "https",
 "hostname": "bad_domain.evil",
 "port": "80",
 "path": "malware/infection",
 "ip_protocol": "TCP/IP"}

Signatures​

This section holds information about digital signatures and certificates found during the analysis.

Signature object​

Certificate object​

Among other outcomes, certificates can be whitelisted or blacklisted. The validation > results field holds the list of results related to the certificate of the analyzed file. Here are two examples, one of a whitelisted and one of a blacklisted certificate, leading to two different classifications (goodware/malicious).

Whitelisted certificate:

{
    common_name: "Microsoft Corporation",
    serial: "610f784d000000000003",
    thumbprint: "77d73fbbb0a3e91838d5ef1d145e37f025d9ba766604c9aeafd6b3222b252ca9"
}

Blacklisted certificate:

{
    common_name: "Elite Web Development Ltd.",
    serial: "6cfa5050c819c4acbb8fa75979688dff",
    thumbprint: "e7241394097402bf9e32c87cada4ba5e0d1e9923f028683713c2f339f6f59fa9"
}

Public key​

Example of an RSA public key detected in a file with a whitelisted certificate:

{
value: "3082010a0282010100a2db0a8dcfc2c1499bcdaa3a34ad23596bdb6cbe2122b794c8eaaebfc6d526c232118bbcda5d2cfb36561e152bae8f0ddd14a36e284c7f163f41ac8d40b146880dd98194ad9706d05744765ceaf1fc0ee27f74a333cb74e5efe361a17e03b745ffd53e12d5b0ca5e0dd07bf2b7130dfc606a2885758cb7adbc85e817b490bef516b6625ded11df3aee215b8baf8073c345e3958977609be7ad77c1378d33142f13db62c9ae1aa94f9867add420393071e08d6746e2c61cf40d5074412fe805246a216b49b092c4b239c742a56d5c184aab8fd78e833e780a47d8a4b28423c3e2f27b66b14a74bd26414b9c6114604e30c882f3d00b707cee554d77d2085576810203010001"
}

RSA key​

DSA key​

Elliptic Curve Key​

Extension​

Certificates​

A list of Certificate objects, defined in the Signatures section.

Document​

Similarly to the Application section, documents have a bit array describing their capabilities:

• none_k = 0,
• execution_k = 1 << 0, whether document has executable content
• scripting_k = 1 << 1, whether document uses JavaScript, VBA or similar scripting language
• multimedia_k = 1 << 2, whether document has video, has audio, uses webgl, canvas, svg
• user_input_k = 1 << 3, whether document has forms and user controls, drag and drop, pointer lock
• embeds_k = 1 << 4, whether document has objects / embeds, has frame / iframe, OLE
• messaging_k = 1 << 5, whether document has messaging capabilities (e.g. mailto, sendto...)
• networking_k = 1 << 6, whether document has networking capabilities (e.g. http, ajax, websockets, hrefs, clickable URL in documents, webrtc, redirect/refresh)
• storage_k = 1 << 7, whether document has storage capabilities (e.g. web storage, file api, offline storage)
• location_k = 1 << 8, whether document has location capabilities
• notifications_k = 1 << 9, whether the document has notification capabilities (e.g. pop-ups, windows notification API...)
• camera_k = 1 << 10, whether document has camera access
• microphone_k = 1 << 11, whether document has access to microphone
• bluetooth_k = 1 << 12, whether document has access to bluetooth
• peripherals_k = 1 << 13, whether document has access to peripherals (e.g. usb, midi)
• cryptography_k = 1 << 14, whether document has cryptography capabilities (e.g. password protected document / macro, password input fields in HTML...)
• advertising_k = 1 << 15, whether document has advertising capabilities
• social_k = 1 << 16, whether document has access to social networks (Facebook, Twitter, - specific to HTML / JS)
• services_k = 1 << 17, whether document has access to services
• memory_management_k = 1 << 18, whether document has access to memory management

HTML​

Resource (HTML)​

Link​

Form​

Mobile​

Capabilities, similarly as in the Application section, are expressed as a bit array. Check the integer from the report against the following descriptions:

In addition, mobile applications have the following bits set in case of a found capability:

• none_k = 0,
• messaging_k = 1 << 0, whether app has capability for sending messages
• calling_services_k = 1 << 1, whether app has access to calling services
• advertising_k = 1 << 2, whether app has capability for advertising
• gaming_k = 1 << 3, whether app has gaming component
• networking_k = 1 << 4, whether app has access to networking
• camera_k = 1 << 5, whether app has capability for using camera
• microphone_k = 1 << 6, whether app has capability for using microphone
• bluetooth_k = 1 << 7, whether app has capability for using bluetooth
• notifications_k = 1 << 8, whether app has capability for pushing notifications
• device_identity_k = 1 << 9, whether app has access to device id
• user_identity_k = 1 << 10, whether app has access to user id
• address_book_k = 1 << 11, whether app has access to users address book
• calendar_k = 1 << 12, whether app has access to users calendar
• location_services_k = 1 << 13, whether app has capability for defining location of device
• storage_k = 1 << 14, whether app has access to storage
• social_k = 1 << 15, whether app has social component
• system_k = 1 << 16, whether app has access to system
• motion_k = 1 << 17, whether app has capability for detecting motion and direction (accelerometer, magnetometer...)
• wallet_k = 1 << 18, whether app has access to users wallet
• vpn_k = 1 << 19, whether app has capability for vpn
• nfc_k = 1 << 20, whether app has capability for nfc
• peripheral_devices_k = 1 << 21, whether app has access to peripheral devices

Android​

Application (Android)​

Activity​

Intent

Service​

Provider​

Receiver​

iOS​

Download info​

Application bundle​

Windows Phone​

Windows Store Package​

Application​

Extension (Application)​

Media​

Image​

Exif​

Exif value​

Video​

Audio tracks​

Audio​

ID3​

Browser​

browser_type (enum)​

• none
• chrome
• opera
• firefox
• edge

Permission​

Script​

URL rule​

Action​

Email​

Message​

Mailbox​

Header​

Contact​

Address​

Task​

Appointment​

Software package​

package_type (enum)​

• unknown
• source
• binary

Platform​

Software package dependency​

MITRE ATT&CK Framework​

The behavior of malicious files can be expressed in terms of their actions. The MITRE ATT&CK framework defines the format and taxonomy used to describe threats. Here's an example of a malicious file's attack field.

"attack": [
   {
      "matrix":"Enterprise",
      "tactics":[
         {
            "id":"TA0007",
            "name":"Discovery",
            "description":"The adversary is trying to figure out your environment.",
            "techniques":[
               {
                  "id":"T1082",
                  "name":"System Information Discovery",
                  "description":"An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.",
                  "indicators":[
                     {
                        "priority":4,
                        "category":13,
                        "id":149,
                        "relevance":1,
                        "description":"Enumerates system information."
                     }
                  ]
               }
            ]
         }
      ]
   }
]

Tactic​

Technique​

Malware Configuration​

Provides Command-and-Control server information and other detection strings and patterns.

Server​

Strings​

Indicator​

Indicators describe sample behavior and indicate what the sample is capable of based on the results of static analysis. They are human readable descriptions of object intent. Because of that, they simplify the code analysis process by converting complex code patterns into descriptions of their behavior. Simply put, they make it possible to describe the file behavior through descriptions like "Downloads a file", "Encrypts or encodes data in memory using Windows API", "Enumerates currently available disk drives", etc.

Indicator categories​

0 - network - The file has network-related indicators (e.g. downloads a file, tampering with DNS settings)

1 - evasion - The file tries to evade common debuggers, sandboxes or analysis tools (e.g. VM environment detection)

2 - stealth - The file tries to hide its presence (e.g. tampers with window transparency settings, tampers with firewall settings)

3 - autostart - The file tampers with autostart settings (e.g. tampers with autorun locations)

4 - memory - The file tampers with memory of foreign processes (e.g. does process injection)

5 - document - The file exhibits unusual activities when handling documents (e.g. PDF that creates new documents)

6 - anomaly - The file contains unusual characteristics (e.g. contains known whitelisted executable filenames)

7 - monitor - The file has the ability to monitor host activities (e.g. accesses a list of logged on users)

8 - disable - The file disables system services (e.g. tampers with Windows Update)

9 - registry - The file accesses registry and configuration files in an unusual way (e.g. tampers with Windows registry settings)

10 - execution - The file creates other processes or starts other applications (e.g. creates a service, installs system drivers)

11 - permissions - The file tampers with or request additional permissions for execution (e.g. tampers with user/account privileges)

12 - search - The file enumerates or collects information from a system (e.g. enumerates network shares or mounted drives)

13 - settings - The file accesses or tampers with system settings (e.g. enumerates system information)

14 - macro - The file contains or executes macro functions or scripts (e.g. contains UNIX shell scripts, executes actions associated with bookmarks)

15 - flow - The file leaks sensitive information to external hosts or creates new files with sensitive data (e.g. exports PDF form fields to files)

16 - behavior - The file automatically executes activities as a user (e.g. changes username or password, prints a document)

17 - signature - The file matches a known signature (e.g. contains known compression libraries, HTTP header fields)

18 - steal - The file steals and leaks sensitive information (e.g. accesses Outlook account information and address book)

19 - family - The file is associated with known malicious families

20 - packer - The file contains obfuscated or encrypted code or data (e.g. base64 encoded streams)

21 - exploit - The file contains known exploits against the system

22 - file - The file accesses other files on the filesystem in an unusual way (e.g. creates a cryptographic hash of file contents)

23 - payload - The file extracts and launches new behavior in an unusual way (e.g. injects CSS into a page)

Reason​

Interesting Strings​

These are strings found within a file, such as IP addresses.

Story​

The story section contains a summarized natural language description of the file's behavior and properties.

Story argument​

Story argument type (enum)​

• external_link
• internal_link
• search_query

Tags​

This is an array of numeric values, each with a corresponding meaning (string). When Spectra Core analyzes a file, it automatically tags it with all applicable tags. See the full list of tags in Appendix C.

Index​

An int32, specifying the position within the originally requested report. Index 0 means the parent file (the one originally analyzed), and each subsequent index denotes a child file.

Children​

An array of int32, with each value corresponding to an index value of a direct descendant.

Parent​

An int32, specifying to the index of the immediate parent.

Common Objects​

Property​

Pair​

network_reputation​

Appendix A: Suspicious Embedded File Types​

Binary/None/PythonPYC

DEX/Exe

DEX/None

ELF32 Big/Core

ELF32 Big/Exe

ELF32 Big/None

ELF32 Big/Relocatable

ELF32 Big/SO

ELF32 Little/Core

ELF32 Little/Exe

ELF32 Little/None

ELF32 Little/Relocatable

ELF32 Little/SO

ELF64 Big/Core

ELF64 Big/Exe

ELF64 Big/None

ELF64 Big/Relocatable

ELF64 Big/SO

ELF64 Little/Core

ELF64 Little/Exe

ELF64 Little/None

ELF64 Little/Relocatable

ELF64 Little/SO

MZ/DOS

MZ/None

MZ/Relocatable

MachO32 Big/Bundle

MachO32 Big/Core

MachO32 Big/Exe

MachO32 Big/None

MachO32 Big/Relocatable

MachO32 Big/SO

MachO32 Little/Bundle

MachO32 Little/Core

MachO32 Little/Exe

MachO32 Little/None

MachO32 Little/Relocatable

MachO32 Little/SO

MachO64 Big/Bundle

MachO64 Big/Core

MachO64 Big/Exe

MachO64 Big/None

MachO64 Big/Relocatable

MachO64 Big/SO

MachO64 Little/Bundle

MachO64 Little/Core

MachO64 Little/Exe

MachO64 Little/None

MachO64 Little/Relocatable

MachO64 Little/SO

ODEX/Exe

ODEX/None

PE+/.Net Dll

PE+/.Net Exe

PE+/Dll

PE+/Exe

PE+/None

PE+/VXD

PE/.Net Dll

PE/.Net Exe

PE/Dll

PE/Exe

PE/None

PE/VXD

PE16/Dll

PE16/Exe

PE16/None

Text/Acrobat JavaScript

Text/ActionScript

Text/Batch

Text/CMake

Text/CoffeeScript

Text/JavaScript

Text/Makefile

Text/NodeJS

Text/PHP

Text/Perl

Text/Perl6

Text/PowerShell

Text/Python

Text/Ruby

Text/Shell

Text/TypeScript

Text/VBA

Text/Visual Basic

Video/None/SWF

Video/None/DOSWF

Appendix B: Splunk Format Changes​

The format of data that is sent to Splunk differs in minor ways from the format that is specified in this document. The reason why data is changed before being sent to Splunk is to make it more suitable for indexing by Splunk. Reports sent to Splunk differ from the original in the following sections:

• if classification is 0 or 1, factor becomes confidence
• if classification is 2 or 3, factor becomes severity
• a string_status field is added with the overall classification (UNKNOWN, GOODWARE, SUSPICIOUS, MALICIOUS)
• scanner name becomes reason
• scanner result becomes threat

Appendix C: Spectra Core Tags​

Generic tags - can be applied to many file formats

Behavior tags - describe behavior of executables, documents, scripts, and mobile applications

Application-related tags - apply only to files with application metadata (PE, ELF, OSX, DEX, …)

Mobile-related tags - apply only to mobile applications

Malware tags - identify malware types and refer to other malware metadata

Packer tags - refer to packer-related metadata

Browser tags - refer to browser-related metadata

Classification tags - apply only to classified files

Capability tags - refer to capabilities of executables, documents, and mobile applications

Indicator tags - refer to indicators found in executables, documents, scripts, and mobile applications

An indicator tag will be emitted by Spectra Core only if the priority of a particular indicator is not low (i.e. priority > 3).

String tags - related to Spectra Core interesting strings

Compression and crypto tags - related to identified compression and crypto content

Email specific tags - related to email content

Format specific tags - apply only specific file formats

Appendix D: Metadata Changes​

This lists all metadata changes from Spectra Detect 1.x- to 2.x+, as well as changes from Spectra Analyze 5.x- to 6.x+.

analysis​

The report object is now nested inside the analysis object. This new root object combines the analysis report with the metadata describing the analysis and its results. Analysis reports relate to each other by id and parent_id, making it easy to construct relationships between analyzed objects.

analysis.report​

The story object has been redesigned to be able to split the automated static analysis description into paragraphs. Other members have had their members changed to allow for analysis feature expansions.

analysis.report.info​

The package object has been deprecated and replaced by properties to track general information. Malware configuration, previously found within the package object, has been moved to a dedicated metadata object. Other general information will continue to be reported via the properties key-value list.

analysis.report.info.file​

The properties object has been deprecated. File access, creation and modification time have been made more prominent within the file object. File attributes and access rights have been standardized and moved to the security object.

analysis.report.info.validation​

The validation object has been redesigned to follow the scanner-based logic established in the classification object. Multiple validation scanners parse the file and report their findings. The entire file is considered valid only if all applicable scanners confirm its validity. Any malformations, or format specification deviations, are reported through scanner descriptions and warnings.

analysis.report.classification​

The classification object has been extended to better promote the final classification result. Users previously had to look at the first scanner result to retrieve the final detection string. The existing classification object members already describe other classification properties and its impact.

analysis.report.classification.scan_results.entry​

The scan_results entry has been extended to indicate if the scanner was taken into account during classification, or ignored due to Spectra Core configuration.

analysis.report.classification.yara.match​

analysis.report.indicators.entry​

Spectra Core Explainable Machine Learning is based around explainability, transparency and relevancy. Static analysis indicators are considered explainable through their description. The entire system is transparent, as reasons behind indicator appearance are listed. Finally, factors that contribute to Machine Learning classification have been highlighted through indicator relevance.

analysis.report.strings.entry​

The list of strings has been converted to a list of properties that describe the string value, where it was found, number of its occurrences, and human readability.

analysis.report.interesting_strings.entry​

The list of interesting strings has been converted to a list of properties that describe the string value, where it was found, number of its occurrences, and classification. Interesting strings are checked against Spectra Core URL Classifier to detect blacklisted and misleading hyperlinks.