Report Format ll-doc

This analysis report format describes the results of a static analysis run on a Microsoft Office document, Flash file or archive.

In addition to the report fields shared by all report formats (see Analysis Report Format) the report contains a number of different fields with details specific to the analysis run.

Reports may include fields not described here: they are to be considered as experimental or deprecated and SHOULD be ignored.

Report contents

  • analysis_subject: (optional).

    Type: Dictionary.

    • document_name.

      Type: String.

      Name of the document that was analyzed.

    • file_size.

      Type: Integer.

      Size of the document (bytes).

    • md5.

      Type: String.

      md5 hash of the document.

    • sha1.

      Type: String.

      sha1 hash of the document.

  • analysis_metadata: (optional).

    Type: List of analysis metadata; see Document Metadata Format.

    Document metadata extracted during analysis.

  • anomalies: (optional).

    Type: List of dictionaries.

    Anomalies detected in document script code.

    • description.

      Type: String.

      Example: “Evasion: VBA source code may have been altered”

      Description of the detected anomaly.

    • location.

      Type: String.

      Example: “1f8fd8b6060284d5c47e26ec1021dd834af9b4655d289/Macros/VBA/NewMacros”

      Location of the anomaly within the document.

  • macros: (optional).

    Type: List of dictionaries.

    Macros embedded in the document.

    • macro.

      Type: String.

      Macro code.

    • full_stream_path.

      Type: String.

      Location of the macro within the document.

  • streams: (optional).

    Type: List of dictionaries.

    Streams embedded in the document.

    • full_stream_path.

      Type: String.

      Location of the stream within the document.

    • child_streams.

      Type: List of strings.

      Locations of the children of the stream within the document.

    • md5: (optional).

      Type: Hexadecimal string.

      md5 hash of the stream content.

    • sha1: (optional).

      Type: Hexadecimal string.

      sha1 hash of the stream content.

    • sha256: (optional).

      Type: Hexadecimal string.

      sha256 hash of the stream content.

    • file_info: (optional).

      Type: String.

      Example: “MS Windows shortcut”.

      Text description of the stream type.

    • file_size: (optional).

      Type: Integer.

      Size of the stream in bytes.

    • mime: (optional).

      Type: String.

      MIME type of the stream.

    • clsid: (optional).

      Type: String.

      CLSID (globally unique identifier) of the embedded OLE object the stream belongs to.

Document Metadata Format

During the analysis run, the analysis engine extracts document metadata. This type extends the Analysis Metadata Format type.

Metadata contents

  • name: (optional).

    Type: String.

    Name given to the metadata.

  • filename: (optional).

    Type: String.

    Example: “desktop.ini”.

    File name, which may be an absolute or relative path. Applies to metadata_type “extracted_file”.

  • abs_path: (optional).

    Type: String.

    Example: “C:\Users\desktop.ini”.

    Absolute path to the file. Applies to metadata_type “extracted_file”.
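The following is an added example, not part of the report format specification or any vendor tooling. It walks a report in the ll-doc format described above (the Report contents list and the Document Metadata Format section): it checks the documented field types, ignores undocumented fields as the format requires, detects child_streams entries that reference no listed stream, and pulls the indicators a triage analyst looks at first (anomalies, auto-executing macro entry points, suspicious macro calls, risky embedded objects, and extracted files). The sample report, the hash values, the VBA snippet and the keyword lists are all constructed for the example; the field metadata_type is taken from the page's mention of it and is assumed to live on the base Analysis Metadata Format type.

```python
"""Validate and triage an ll-doc static-analysis report (added example)."""
import re

# Constructed sample report using only fields documented above, plus one
# undocumented field ("x_experimental") that the format says to ignore.
SAMPLE_REPORT = {
    "analysis_subject": {
        "document_name": "quote.docm",
        "file_size": 31744,
        "md5": "a" * 32,    # constructed placeholder hashes
        "sha1": "b" * 40,
    },
    "analysis_metadata": [
        {"metadata_type": "extracted_file", "name": "dropped file",
         "filename": "desktop.ini", "abs_path": "C:\\Users\\desktop.ini"},
    ],
    "anomalies": [
        {"description": "Evasion: VBA source code may have been altered",
         "location": "Macros/VBA/NewMacros"},
    ],
    "macros": [
        {"macro": 'Sub AutoOpen()\n    Set o = CreateObject("WScript.Shell")\n'
                  '    o.Run "powershell -nop -w hidden", 0\nEnd Sub\n',
         "full_stream_path": "Macros/VBA/NewMacros"},
    ],
    "streams": [
        {"full_stream_path": "Macros/VBA", "child_streams": ["Macros/VBA/NewMacros"]},
        {"full_stream_path": "Macros/VBA/NewMacros", "child_streams": [],
         "file_size": 812, "mime": "text/plain", "x_experimental": 1},
        {"full_stream_path": "ObjectPool/_1/Ole10Native", "child_streams": [],
         "file_size": 1024, "file_info": "MS Windows shortcut", "sha256": "c" * 64},
    ],
}

HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
# Constructed keyword lists for the example; a real triage rule set would be broader.
AUTOEXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
SUSPICIOUS = re.compile(r"\b(Shell|CreateObject|WScript\.Shell|powershell|URLDownloadToFile|ShellExecute)\b", re.I)
RISKY_STREAM = re.compile(r"shortcut|executable|PE32|script", re.I)


def validate(report):
    """Return a list of problems against the documented field types.
    Only documented keys are inspected; anything else is ignored."""
    problems = []
    subj = report.get("analysis_subject", {})
    for key, want in (("document_name", str), ("file_size", int), ("md5", str), ("sha1", str)):
        if key in subj and not isinstance(subj[key], want):
            problems.append(f"analysis_subject.{key}: expected {want.__name__}")
    for i, s in enumerate(report.get("streams", [])):
        if not isinstance(s.get("full_stream_path"), str):
            problems.append(f"streams[{i}].full_stream_path missing or not a string")
        kids = s.get("child_streams")
        if not isinstance(kids, list) or not all(isinstance(c, str) for c in kids):
            problems.append(f"streams[{i}].child_streams must be a list of strings")
        for algo, length in HEX_LENGTHS.items():
            v = s.get(algo)
            if v is not None and not re.fullmatch(rf"[0-9a-fA-F]{{{length}}}", str(v)):
                problems.append(f"streams[{i}].{algo} is not a {length}-digit hex string")
    return problems


def orphan_children(report):
    """Paths listed in some child_streams but absent from the streams list."""
    streams = report.get("streams", [])
    known = {s["full_stream_path"] for s in streams}
    return sorted({c for s in streams for c in s.get("child_streams", []) if c not in known})


def triage(report):
    """Return (kind, location, detail) findings worth an analyst's attention."""
    findings = []
    for a in report.get("anomalies", []):
        findings.append(("anomaly", a["location"], a["description"]))
    for m in report.get("macros", []):
        entry = sorted({h.lower() for h in AUTOEXEC.findall(m["macro"])})
        calls = sorted({h.lower() for h in SUSPICIOUS.findall(m["macro"])})
        if entry:
            findings.append(("macro-autoexec", m["full_stream_path"], ",".join(entry)))
        if calls:
            findings.append(("macro-suspicious-call", m["full_stream_path"], ",".join(calls)))
    for s in report.get("streams", []):
        info = s.get("file_info", "")
        if RISKY_STREAM.search(info):
            findings.append(("embedded-object", s["full_stream_path"], info))
    for md in report.get("analysis_metadata", []):
        if md.get("metadata_type") == "extracted_file":
            where = md.get("abs_path") or md.get("filename", "")
            findings.append(("extracted-file", where, md.get("name", "")))
    return findings


if __name__ == "__main__":
    print("problems:", validate(SAMPLE_REPORT))
    print("orphans:", orphan_children(SAMPLE_REPORT))
    for kind, where, detail in triage(SAMPLE_REPORT):
        print(f"{kind:22} {where:32} {detail}")
```

Because the macro field carries decompressed VBA source while a stream's hashes are computed over the raw stream content, the example does not try to correlate a macro's hash with the hash of the stream at the same full_stream_path; the two are not expected to agree.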