Report Format ll-static

This analysis report format refers to a static analysis run of a PE or Mach-O executable file.

In addition to the report fields shared by all report formats (see Analysis Report Format) the report contains a number of different fields with details specific to the analysis run.

Reports may include fields not described here: they are to be considered as experimental or deprecated and SHOULD be ignored.

Report contents

  • analysis.

    Type: Dictionary.

    • file_information.

      Type: Dictionary.

      Basic information about the file contents.

      • md5.

        Type: String.

        md5 hash of analysis subject.

      • sha1.

        Type: String.

        sha1 hash of analysis subject.

      • sha256.

        Type: String.

        sha256 hash of the analysis subject.

      • size.

        Type: Integer.

        The analysis subject size (bytes).

      • ssdeep.

        Type: String.

        ssdeep fuzzy hash of the analysis subject, e.g. “1536:6UqqX4VONpYqNo+5DCGVM2/gXagwJm3rQcG/K:6UqqoVO/YqNf5DlVM2/gBwMrQf”.

      • magic.

        Type: String.

        Magic description of the analysis subject, e.g. “Mach-O executable bundle”.

    • exif.

      Type: Dictionary with Exiftool tag information; see ExifTool EXE tag format for details.

      Exiftool EXE tag information.

    • authenticode.

      Type: Dictionary.

      Authenticode signature information for analysis subject.

      • authentihash

        Type: String.

        Authentihash for analysis subject.

    • pefile.

      Type: Dictionary.

      Dictionary of information specific for PE files.

      • exports.

        Type: List of PE symbol exports; see PE Export format for details.

        List of the symbols exported by the PE file.

      • imports.

        Type: List of symbol imports; see PE Import format for details.

        List of the symbols imported by the PE file.

      • file_version_properties.

        Type: Dictionary; see File Version Properties format for details.

        Information from the PE file version information resource.

      • header.

        Type: Dictionary; see PE Header format for details.

        PE header information.

      • sections.

        Type: List of sections in PE file; see PE Section format for details.

        List of sections in PE file.

      • resources.

        Type: Dictionary; see PE Resources format for details.

        Resources contained in PE file.

      • debug_details.

        Type: Dictionary; see PE Debug Details format for details.

        Debug information about PE file.

      • imphash.

        Type: String.

        Import hash of PE file.

ExifTool EXE tag format

Dictionary with information on the EXE file from Exiftool. More information on these tags is available at https://www.sno.phy.queensu.ca/~phil/exiftool/TagNames/EXE.html. Not all analysis subjects will contain all tags.

  • file_type.

    Type: String.

    The type of the file analysis subject.

  • file_type_extension.

    Type: String.

    File extension of the analysis subject.

  • mime_type.

    Type: String.

    MIME type for analysis subject.

  • machine_type.

    Type: String.

    CPU type for analysis subject.

  • timestamp.

    Type: String.

    File creation timestamp for analysis subject.

  • image_file_characteristics.

    Type: String.

    Bitwise characteristics flags for image file (hexadecimal).

  • pe_type.

    Type: String.

    Specific PE type.

  • linker_version.

    Type: String.

    Linker version.

  • code_size.

    Type: Integer.

    Size of the code section(s).

  • initialized_data_size.

    Type: Integer.

    Size of initialized data.

  • unitialized_data_size.

    Type: Integer.

    Size of uninitialized data.

  • entry_point.

    Type: String.

    Entry point address (hexadecimal).

  • os_version.

    Type: String.

    OS Version.

  • image_version.

    Type: String.

    Image Version.

  • subsystem_version.

    Type: String.

    Subsystem Version.

  • subsystem.

    Type: String.

    Name of Subsystem.

  • file_version_number.

    Type: String.

    File Version.

  • product_version_number.

    Type: String.

    Product Version.

  • file_flags_mask.

    Type: String.

    Mask to apply to file flags (hexadecimal).

  • file_flags.

    Type: String.

    File Flags.

  • file_os.

    Type: String.

    Name of OS.

  • object_file_type.

    Type: String.

    Type of object file.

  • file_subtype.

    Type: Integer.

    Subtype of file.

  • build_date.

    Type: String.

    Date of build.

  • build_version.

    Type: String.

    Version of build.

  • character_set.

    Type: String.

    File character set.

  • comments.

    Type: String.

    Comment from PE resource string.

  • company_name.

    Type: String.

    Company name from PE resource string.

  • copyright.

    Type: String.

    Copyright message from PE resource string.

  • file_description.

    Type: String.

    File description from PE resource string.

  • file_version.

    Type: String.

    File version from PE resource string.

  • internal_name.

    Type: String.

    Internal name from PE resource string.

  • language_code.

    Type: String.

    Language code from PE resource string.

  • legal_copyright.

    Type: String.

    Legal copyright from PE resource string.

  • legal_trademarks.

    Type: String.

    Legal trademarks from PE resource string.

  • original_filename.

    Type: String.

    Original filename from PE resource string.

  • private_build.

    Type: String.

    Private build information from PE resource string.

  • product_name.

    Type: String.

    Product name from PE resource string.

  • product_version.

    Type: String.

    Product version from PE resource string.

  • special_build.

    Type: String.

    Special build info from PE resource string.

  • cpu_architecture.

    Type: String.

    CPU Architecture for MachO files.

  • cpu_byte_order.

    Type: String.

    CPU byte order for MachO files.

  • cpu_count.

    Type: String.

    CPU count for MachO files.

  • cpu_type.

    Type: String.

    CPU type for Mach-O files (e.g. ‘x86’).

  • cpu_sub_type.

    Type: String.

    CPU subtype for Mach-O files (e.g. ‘i386’).

  • object_flags.

    Type: String.

    Object Flags for MachO files.

File Version Properties format

Dictionary of information from the PE file version information resource.

  • copyright.

    Type: String.

    PE copyright information.

  • *version.

    Type: String.

    PE version information.

  • internal_name.

    Type: String.

    PE internal filename.

  • original_filename.

    Type: String.

    PE original filename.

PE Header format

Dictionary of PE header information.

  • compilation_timestamp.

    Type: String.

    Date/time of PE compilation.

  • number_of_sections.

    Type: Integer.

    Number of sections in PE file.

  • target_machine.

    Type: String.

    Target CPU type of PE file.

  • entry_point_address.

    Type: String.

    Entry point of PE file (hexadecimal).

PE Resources format

Dictionary of resources contained in PE file.

PE Import format

Dictionary of information about symbols imported by this PE file.

  • functions.

    Type: List of imported functions; see PE Function format for details.

    List of the functions imported by this PE file.

  • dll_name.

    Type: String.

    Name of the imported dll.

PE Function format

Dictionary of information about a function imported by this PE file.

  • name.

    Type: String.

    Name of the function.

PE Export format

Dictionary of information about symbols exported by this PE file.

  • ordinal.

    Type: Integer.

    PE symbol export ordinal index.

  • virtual_address.

    Type: Integer.

    The virtual address of the exported entry point.

  • name.

    Type: String.

    Name of the exported symbol.

PE Section format

Dictionary of information about the sections in the PE file.

  • name.

    Type: String.

    Name of the section.

  • virtual_address.

    Type: String.

    Virtual address of this section (hexadecimal).

  • entropy.

    Type: Floating-point number.

    Entropy of the section.

  • raw_size.

    Type: String.

    Actual (on-disk) size of the section (hexadecimal).

  • virtual_size.

    Type: String.

    Virtual size of the section (hexadecimal).

  • md5.

    Type: String.

    md5 of the section.
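The following is an added example, not part of the original report-format documentation: a small triage helper that walks the analysis.pefile.header and analysis.pefile.sections fields described under Report contents and PE Section format above, converting the hexadecimal string fields and flagging the section anomalies an analyst usually checks first. SAMPLE_REPORT is a constructed report in this format; the entropy and size thresholds are assumptions, and header.entry_point_address and section virtual_address are assumed to be RVAs on the same base.

```python
# Added example (not from the report-format documentation): triage helpers
# that walk an ll-static report using the field names defined on this page.
# SAMPLE_REPORT is constructed; thresholds are assumptions, and
# entry_point_address / section virtual_address are assumed to be RVAs.
SAMPLE_REPORT = {  # constructed sample, not real analysis output
    "analysis": {
        "pefile": {
            "header": {"number_of_sections": 3, "entry_point_address": "0x16000"},
            "sections": [
                {"name": ".text", "virtual_address": "0x1000", "raw_size": "0x200",
                 "virtual_size": "0x14000", "entropy": 0.41},
                {"name": ".rdata", "virtual_address": "0x15000", "raw_size": "0x600",
                 "virtual_size": "0x5f0", "entropy": 4.2},
                {"name": "UPX1", "virtual_address": "0x16000", "raw_size": "0xf000",
                 "virtual_size": "0xf000", "entropy": 7.91},
            ],
        },
    }
}

def hexint(value):
    """Hexadecimal string fields on this page (e.g. '0x1000') -> int."""
    return int(str(value), 16)

def entry_point_section(report):
    """Name of the section whose RVA range contains header.entry_point_address,
    or None if no section does (itself worth a look)."""
    pe = report["analysis"]["pefile"]
    ep = hexint(pe["header"]["entry_point_address"])
    for sec in pe.get("sections", []):
        start = hexint(sec["virtual_address"])
        if start <= ep < start + hexint(sec["virtual_size"]):
            return sec["name"]
    return None

def triage_sections(report, entropy_threshold=7.0, inflate_ratio=4):
    """Findings from pefile.header and pefile.sections worth an analyst's eye."""
    pe = report["analysis"]["pefile"]
    sections = pe.get("sections", [])
    findings = []
    declared = pe.get("header", {}).get("number_of_sections")
    if declared is not None and declared != len(sections):
        findings.append(f"header declares {declared} sections, report lists {len(sections)}")
    for sec in sections:
        name, ent = sec.get("name", "?"), float(sec.get("entropy", 0.0))
        raw, virt = hexint(sec.get("raw_size", "0")), hexint(sec.get("virtual_size", "0"))
        if ent >= entropy_threshold:
            findings.append(f"{name}: entropy {ent:.2f} (packed or encrypted content?)")
        if virt > max(raw, 1) * inflate_ratio:
            findings.append(f"{name}: virtual_size {virt:#x} far exceeds raw_size {raw:#x}")
    return findings
```

On the constructed sample the entry point resolves to the high-entropy UPX1 section and the .text section carries almost no raw data for its virtual size, which together are the usual signature of a packed image that unpacks at runtime.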

PE Resource format

Dictionary of information about a PE resource.

  • sha256.

    Type: String.

    sha256 hash of resource.

  • file_type.

    Type: String.

    File type of resource (e.g. ‘data’ or ‘ASCII text’).

  • type.

    Type: String.

    Type of resource (e.g. ‘RT_ICON’ or ‘RT_MANIFEST’).

  • language.

    Type: String.

    Language for resource.

PE Resource By Language format

Dictionary of counts for resources by language.

  • count.

    Type: Integer.

    Number of resources in nominated language.

  • language.

    Type: String.

    Language of resource.

PE Resource By Type format

Dictionary of counts for resources by resource type.

  • count.

    Type: Integer.

    Number of resources in nominated type.

  • type.

    Type: String.

    Type of resource (e.g. ‘RT_ICON’ or ‘RT_MANIFEST’).

PE Debug Details format

Debug information about PE file.

  • pdb_path.

    Type: String.

    Path to PDB debug file.

  • guid.

    Type: String.

    GUID from PDB debug file.