Report Format ll-flash

This analysis report format refers to a dynamic analysis run of a Flash file.

In addition to the report fields shared by all report formats (see Analysis Report Format), the report contains a number of fields with details specific to the analysis run.

Reports may include fields not described here: they are to be considered as experimental or deprecated and SHOULD be ignored.

Report contents

  • callgraph.

    Type: List of function call information; see Callgraph Format.

    A list of ActionScript function calls that were observed during the analysis.

  • exploits.

    Type: List of exploited vulnerabilities. See Exploits Format for details.

    A list describing each vulnerability that was found to be exploited during the analysis.

  • generated_swfs.

    Type: List of generated Flash files. See Flash File Format for details.

    A list describing any Flash file that was dynamically generated during the analysis.

  • strings.

    Type: List of strings. See Strings Format for details.

    A list containing the strings observed during the analysis.

  • subject.

    Type: Dictionary describing the analysis subject. See Flash File Format for details.

Callgraph Format

A callgraph representing relationships between functions. The callgraph is recorded dynamically.

  • args.

    Type: List of function arguments. See Function Arguments and Return Value Format for details.

    The list of arguments that were passed to the current function.

  • callees.

    Type: List of callees for the current function. See Callgraph Format for details.

    The list of function calls made from the current function.

  • depth.

    Type: Integer.

    Example: 1

    The depth in the callgraph.

  • name.

    Type: String.

    Example: “re52142333723350123423632234/re52142319223205123423632234”

    The name of the function.

  • ret.

    Type: Return value or null. See Function Arguments and Return Value Format for details.

    Example: null

    The return value of the function.

  • this.

    Type: String.

    Example: “0xfd20e80”

    The address of the “this” object, in hexadecimal format.

Function Arguments and Return Value Format

A value passed as argument to a function or returned from a function.

  • typename.

    Type: String.

    Example: “int”

    The type of the argument or return value.

  • value.

    Type: String.

    Example: “0x8”

    The argument/return value.

Exploits Format

A vulnerability that was exploited during the analysis.

  • desc.

    Type: String.

    Example: “Buffer overflow in Flash Player via Blender data”

    The vulnerability being exploited.

  • vendor.

    Type: String.

    Example: “Adobe”

    The vendor whose software contains the vulnerability.

  • vulnerability_id.

    Type: String.

    Example: “CVE-2014-0515”

    The public vulnerability ID, such as its CVE number.

  • vulnerability_url.

    Type: String.

    Example: “https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0515”

    A URL where more information about the vulnerability can be found.

Flash File Format

Information about a Flash file, either the original analysis subject or a Flash file that was dynamically generated during the analysis.

  • md5.

    Type: hexadecimal string.

    Example: 941f85f0ce9162a9b9531131b458c267

    MD5 hash of the input file.

  • sha1.

    Type: hexadecimal string.

    Example: c511db6ae526e9ff2df60b2dba43dea1f8cdd591

    SHA1 hash of the input file.

  • sha256.

    Type: hexadecimal string.

    Example: a820bb75a2d6fb069af2afc762ca6e30ab8c8b4d690ff880ed3a0a7b9bad36be

    SHA256 hash of the input file.

  • compression.

    Type: String.

    Example: “zlib”

    The compression type used by the input file.

  • filename.

    Type: String.

    Example: “941f85f0ce9162a9b9531131b458c267.swf”

    The filename used during the submission.

  • frame_count.

    Type: Integer.

    Example: 1

    The total number of frames in the Flash video.

  • num_tags.

    Type: Integer.

    Example: 12

    The number of tags in the Flash file.

  • size.

    Type: Integer.

    Example: 29773

    The number of bytes in the file.

  • tags.

    Type: List of tags. See Tag Format for details.

    The list of tags that compose the file.

  • version.

    Type: Integer.

    Example: 31

    The Flash file version.

Strings Format

A string found during the Flash file execution.

  • value.

    Type: String.

    Example: “11,1,102,62”

    The string value.

Tag Format

A tag in the Flash file. See the Flash file format specification for details.

  • name.

    Type: String.

    Example: “FileAttributes”

    The name of the tag.

  • tagtype.

    Type: int.

    Example: 69

    The tag ID.

Additional fields will be available, depending on the specific tag type.
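
One way a consumer might reduce a report in this format to triage facts, shown as an added example (not code from the original page or the product): it flattens the recursive callgraph, collects exploited vulnerability IDs and the hashes of generated Flash files, and never reads undocumented fields. It assumes the report has already been decoded into Python dicts and lists; the sample report, the "constructed/inner" call, the "String" typename, the placeholder hash and "experimental_field" are constructed for illustration.

```python
# Constructed sample report (not real analysis output), already decoded into
# Python dicts/lists. Field names are the documented ones; values reuse the
# page's examples or are placeholders.
SAMPLE_REPORT = {
    "callgraph": [{
        "name": "re52142333723350123423632234/re52142319223205123423632234",
        "depth": 1, "this": "0xfd20e80", "ret": None,
        "args": [{"typename": "int", "value": "0x8"}],
        "callees": [{
            "name": "constructed/inner", "depth": 2, "this": "0xfd20e80",
            "args": [], "callees": [],
            "ret": {"typename": "String", "value": "11,1,102,62"},
        }],
    }],
    "exploits": [{"desc": "Buffer overflow in Flash Player via Blender data",
                  "vendor": "Adobe", "vulnerability_id": "CVE-2014-0515"}],
    "generated_swfs": [{"sha256": "0" * 64, "size": 1024}],  # placeholder hash
    "experimental_field": {"ignored": True},  # undocumented, so never read
}


def walk_callgraph(nodes):
    """Yield every call, parents before callees, without recursion so that a
    very deep call chain in a report cannot exhaust the Python stack."""
    stack = list(reversed(nodes or []))
    while stack:
        node = stack.pop()
        yield node
        stack.extend(reversed(node.get("callees") or []))


def format_call(node):
    """Render one call as name(type:value, ...) -> type:value (or null)."""
    args = ", ".join(f"{a.get('typename')}:{a.get('value')}"
                     for a in node.get("args") or [])
    ret = node.get("ret")
    shown = "null" if ret is None else f"{ret.get('typename')}:{ret.get('value')}"
    return f"{node.get('name')}({args}) -> {shown}"


def summarize(report):
    """Reduce a report to triage facts, reading documented fields only."""
    calls = walk_callgraph(report.get("callgraph"))
    return {
        "calls": [(n.get("depth"), format_call(n)) for n in calls],
        "vulnerability_ids": sorted({e["vulnerability_id"]
                                     for e in report.get("exploits") or []
                                     if e.get("vulnerability_id")}),
        "generated_sha256": [f.get("sha256")
                             for f in report.get("generated_swfs") or []],
    }
```

Calling summarize(SAMPLE_REPORT) returns the calls in parent-before-callee order with their recorded depth, so the result can be diffed between analysis runs of related samples.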