Report Format ll-web

This analysis report format refers to a dynamic analysis run of a web page or of a PDF document.

In addition to the report fields shared by all report formats (see Analysis Report Format) the report contains a number of different fields with details specific to the analysis run.

Reports may include fields not described here: they are to be considered as experimental or deprecated and SHOULD be ignored.

Report contents

  • analysis.

    Type: Dictionary.

    • applets.

      Type: Dictionary with applet information; see Applets Format for details.

      A dictionary giving details about the contents of applets found during the analysis.

    • artifacts (deprecated).

      Type: List.

      This field is deprecated and should be ignored.

    • dropped_files.

      Type: List of dropped files; see Files Dropped to Disk Format for details.

      The list of files that were dropped to disk during the analysis.

    • evals.

      Type: List of dynamically evaluated code; see Code Format for details.

      A list with details about code that was dynamically evaluated during the analysis, via eval(), setTimeout(), or similar mechanisms.

    • exploits.

      Type: List of exploited vulnerabilities; see Exploits Format for details.

      A list describing each vulnerability that was found to be exploited during the analysis.

    • hidden_elements.

      Type: List of hidden HTML elements; see Hidden Element Format for details.

      A list with details about hidden HTML elements that cause external resources to be fetched.

    • network.

      Type: Dictionary describing the network activity that was recorded during the analysis.

      • requests:

        Type: List of HTTP requests; see Request Format.

        The list of HTTP requests and responses that were performed during the analysis.

    • new_functions.

      Type: List of dynamically evaluated code; see Code Format for details.

      A list with details about code that was dynamically evaluated during the analysis, via new Function() or similar mechanisms.

    • plugins.

      Type: List of plugins; see Plugin Format.

      The list of plugins and ActiveX controls that were loaded during the visit.

    • processes.

      Type: List of processes that were unexpectedly spawned during the analysis; see Processes Unexpectedly Spawned during the Analysis Format.

    • resources.

      Type: List of local resources that were accessed during the analysis; see Local Resource Format.

      The list of local resources that were accessed using the res:// protocol during the analysis.

    • result.

      Type: Dictionary.

      A dictionary that provides additional information about the analysis results.

      • analysis_ended.

        Type: String.

        Example: “2013-10-03 11:36:42+0000”

        Time when the analysis ended (UTC timezone).

      • classification.

        Type: String.

        Deprecated: this field should be ignored in favor of the top-level score field; see Contents of response.

        Example: “malicious”

      • detector.

        Type: String.

        Example: “2.6”

        The internal version of the URL and PDF analyzer.

      • explanation.

        Type: String.

        Deprecated: this field should be ignored in favor of the top-level score field; see Contents of response.

        Example: “exploits”

        Example: “exploits”

    • shellcodes.

      Type: List of shellcodes; see Shellcode Format.

    • statics.

      Type: List of code that was statically included in a visited page; see Code Format for details.

      A list with details about code that was statically found during the analysis.

    • strings.

      Type: List of strings that were found during the analysis; see String Format for details.

      A list with details about interesting strings that were found during the analysis in the browser’s memory.

    • subject.

      Type: Dictionary describing the analysis subject.

      • md5.

        Type: Hexadecimal string.

        Example: 6705f99eccedeac20e969bef954c5fb0

        MD5 of the input file; not present in URL submissions.

      • type.

        Type: either “file” or “url”.

        Example: “url”

      • url.

        Type: URL if the engine analyzed a URL submission; null otherwise.

    • text_from_documents.

      Type: List of textual content extracted from PDF; see Textual Content Format.

    • urls_from_documents.

      Type: List of links extracted from PDF; see Links Extracted from PDFs Format.

    • writes.

      Type: List of code that was dynamically evaluated in a visited page, via document.write; see Code Format for details.

      A list with details about code that was dynamically evaluated via document.write.
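The following Python helper is an added example, not part of this format documentation or of the analyzer's own tooling. It assumes the report has already been decoded from JSON into a dictionary with the field names described above, and runs on a constructed sample report in which every URL, hash, UUID and timestamp is an invented placeholder. It skips the fields marked deprecated, reports any undocumented field it meets, collects the child task identifiers that dropped files and spawned processes can carry, and distinguishes URL submissions (identified by url) from file submissions (identified by md5):

```python
import json

# Constructed sample report in the ll-web layout; every URL, hash,
# UUID and timestamp below is an invented placeholder.
SAMPLE_REPORT_JSON = r'''
{
  "analysis": {
    "artifacts": ["deprecated entry"],
    "subject": {"type": "url", "url": "http://www.example.com/"},
    "exploits": [
      {"exploit_id": "81", "from_url": "http://evil.example.com/",
       "reference_id": "CVE-2009-0927",
       "reference_url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927"}
    ],
    "dropped_files": [
      {"filename": "C:\\Users\\Johnson\\Downloads\\nQ30",
       "md5": "e83bbd9d04cf15ee35a2911be221ae3b",
       "sha1": "6cf755e7ada47b9bea97dadd65f6140ed1863ca2",
       "task_uuid": "7065a3ba0c729ad5981a1e1072df710d"},
      {"filename": "C:\\Users\\Johnson\\Downloads\\notes.txt",
       "md5": "c9d2242bb263603b80916fec27e9f2bb",
       "sha1": "38a920093773c3e4a7d571f3cd6c5326cadbe5c2"}
    ],
    "processes": [
      {"command_line": "\\c script.bat",
       "application_name": "C:\\Users\\ExampleUser\\AppData\\Local\\Temp\\52E0.tmp"}
    ],
    "evals": [
      {"code": "alert('test')", "code_beautified": "alert('test')",
       "media_type": "application/javascript", "source_url": "http://www.example.com/"}
    ],
    "new_functions": [],
    "writes": [
      {"code": "document.write(x)", "code_beautified": null,
       "media_type": "application/javascript", "source_url": "http://www.example.com/"}
    ],
    "result": {"analysis_ended": "2013-10-03 11:36:42+0000", "detector": "2.6",
               "classification": "malicious", "explanation": "exploits"}
  }
}
'''
SAMPLE_REPORT = json.loads(SAMPLE_REPORT_JSON)

# Fields this document marks as deprecated; never key a decision on them.
DEPRECATED_ANALYSIS_FIELDS = {"artifacts"}
DEPRECATED_RESULT_FIELDS = {"classification", "explanation"}

# Every field documented for the analysis dictionary; anything else is
# experimental or deprecated and is ignored.
DOCUMENTED_ANALYSIS_FIELDS = {
    "applets", "artifacts", "dropped_files", "evals", "exploits", "hidden_elements",
    "network", "new_functions", "plugins", "processes", "resources", "result",
    "shellcodes", "statics", "strings", "subject", "text_from_documents",
    "urls_from_documents", "writes",
}


def summarize_report(report):
    """Reduce an ll-web report to the facts an analyst acts on first."""
    analysis = report["analysis"]
    result = analysis.get("result") or {}
    subject = analysis.get("subject") or {}

    # Dropped files and spawned processes may carry a task_uuid for their own
    # child analysis; collect them so the child reports can be fetched next.
    child_tasks = [entry["task_uuid"]
                   for entry in analysis.get("dropped_files", []) + analysis.get("processes", [])
                   if entry.get("task_uuid")]

    # Runtime-evaluated code arrives in three lists that all use the Code Format.
    dynamic_code = (analysis.get("evals", []) + analysis.get("new_functions", [])
                    + analysis.get("writes", []))

    # Deprecated fields that are present, plus anything undocumented, are
    # returned so the caller can see what was skipped.
    ignored = sorted((set(analysis) & DEPRECATED_ANALYSIS_FIELDS)
                     | (set(result) & DEPRECATED_RESULT_FIELDS)
                     | (set(analysis) - DOCUMENTED_ANALYSIS_FIELDS))

    return {
        "subject_type": subject.get("type"),
        # URL submissions identify the subject by url, file submissions by md5.
        "subject": subject.get("url") if subject.get("type") == "url" else subject.get("md5"),
        "analysis_ended": result.get("analysis_ended"),
        "detector": result.get("detector"),
        "exploits": [(e["reference_id"], e["from_url"]) for e in analysis.get("exploits", [])],
        "dropped_sha1": [f["sha1"] for f in analysis.get("dropped_files", [])],
        "spawned": [p["application_name"] for p in analysis.get("processes", [])],
        "child_tasks": child_tasks,
        "dynamic_code_count": len(dynamic_code),
        "unbeautified_code": sum(1 for c in dynamic_code if c.get("code_beautified") is None),
        "ignored_fields": ignored,
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize_report(SAMPLE_REPORT))
```

The summary deliberately carries the list of ignored fields: a consumer that silently drops unknown or deprecated keys makes it hard to notice when the report format drifts.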

Exploits Format

A vulnerability that was exploited during the analysis.

  • exploit_id.

    Type: String.

    Example: “81”

    The internal unique identifier for this vulnerability.

  • from_url.

    Type: String.

    Example: “http://evil.example.com/”.

    The URL where the exploit for this vulnerability was found.

  • reference_id.

    Type: String.

    Example: “CVE-2009-0927”

    The public vulnerability ID, such as its CVE number.

  • reference_url.

    Type: String.

    Example: “http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927”

    A URL where more information about the vulnerability can be found.

Request Format

A request that was issued during the analysis.

  • content_md5.

    Type: Hexadecimal string.

    Example: 6705f99eccedeac20e969bef954c5fb0.

    The MD5 hash of the response content.

  • content_sha1.

    Type: Hexadecimal string.

    Example: “c3499c2729730a7f807efb8676a92dcb6f8a3f8f”.

    The SHA1 hash of the response content.

  • content_type.

    Type: String.

    Example: “application/octet-stream”.

    The content type of the response.

  • ip.

    Type: String.

    Example: “192.0.2.1”.

    The IP address of the contacted server; null if the domain name resolution failed.

  • parent_url.

    Type: String.

    Example: “http://example.com”.

    The URL that caused the current URL to be fetched; the special value “USER_URL” is reserved for the first URL (which was submitted by the user).

  • relation_type.

    Type: Integer.

    Example: 1

    Specifies the mechanism that caused the browser to fetch the content of the URL provided in the url field. It can be one of:

    • 0 (IFRAME): through an HTML iframe tag
    • 1 (SCRIPT_SRC): through an HTML script tag
    • 2 (WINDOW_OPEN): by executing window.open in JavaScript
    • 3 (FRAME): through an HTML frame tag
    • 4 (REDIRECTION): via a redirection (e.g., a 302 response from the server)
    • 5 (OTHER): any other method
    • 6 (USER): direct user request
    • 7 (AJAX): through an Ajax request
    • 8 (PLUGIN): via plugin request
    • 9 (IMAGE): through an img HTML tag
    • 10 (JS): by changing the location in JavaScript (for example, location.setUrl, etc.)
    • 11 (LINK): via an HTML link
    • 12 (CSS): via some CSS construct
    • 13 (REFRESH): by refreshing the page

  • relation_type_str.

    Type: String.

    Example: “USER”

    Specifies the mechanism that caused the browser to fetch the content of the URL provided in the url field. In comparison to the relation_type field, the mechanism is specified as a human-friendly string, rather than as an integer.

  • status.

    Type: Integer.

    Example: 200

    The HTTP status code provided by the server.

  • url.

    Type: String.

    Example: “http://www.example.com”.

    The URL that was requested during the analysis.
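As an added example (not part of this documentation or of the analyzer), the following Python code reconstructs the fetch tree from a network.requests list using parent_url, the reserved USER_URL marker and the relation_type codes listed above. The sample list is constructed; its hosts, IP addresses, status codes and content types are placeholders. The code cross-checks relation_type against relation_type_str, answers the usual triage question of how a given URL came to be loaded, tolerates cyclic parent_url links, and lists requests whose name resolution failed (ip null):

```python
# Relation codes exactly as listed for the relation_type field above.
RELATION_TYPES = {
    0: "IFRAME", 1: "SCRIPT_SRC", 2: "WINDOW_OPEN", 3: "FRAME",
    4: "REDIRECTION", 5: "OTHER", 6: "USER", 7: "AJAX", 8: "PLUGIN",
    9: "IMAGE", 10: "JS", 11: "LINK", 12: "CSS", 13: "REFRESH",
}
USER_URL = "USER_URL"  # reserved parent_url of the user-submitted URL

# Constructed sample network.requests list; hosts, IPs and statuses are placeholders.
SAMPLE_REQUESTS = [
    {"url": "http://www.example.com/", "parent_url": "USER_URL",
     "relation_type": 6, "relation_type_str": "USER", "status": 200,
     "ip": "192.0.2.1", "content_type": "text/html"},
    {"url": "http://cdn.example.net/lib.js", "parent_url": "http://www.example.com/",
     "relation_type": 1, "relation_type_str": "SCRIPT_SRC", "status": 200,
     "ip": "192.0.2.2", "content_type": "application/javascript"},
    {"url": "http://evil.example.com/gate", "parent_url": "http://www.example.com/",
     "relation_type": 0, "relation_type_str": "IFRAME", "status": 302,
     "ip": "198.51.100.7", "content_type": "text/html"},
    {"url": "http://evil.example.com/land.pdf", "parent_url": "http://evil.example.com/gate",
     "relation_type": 4, "relation_type_str": "REDIRECTION", "status": 200,
     "ip": "198.51.100.7", "content_type": "application/pdf"},
    # A hop whose DNS resolution failed: ip is null and no response was seen.
    {"url": "http://gone.example.org/", "parent_url": "http://evil.example.com/land.pdf",
     "relation_type": 5, "relation_type_str": "OTHER", "status": None,
     "ip": None, "content_type": None},
]


def relation_name(request):
    """Map relation_type to its name; unknown codes are reported, not dropped."""
    code = request.get("relation_type")
    return RELATION_TYPES.get(code, "UNKNOWN(%r)" % (code,))


def inconsistent_relations(requests):
    """URLs whose relation_type and relation_type_str disagree, which points
    at a malformed or hand-edited report."""
    return [r["url"] for r in requests
            if r.get("relation_type_str") not in (None, relation_name(r))]


def path_to(url, requests):
    """How `url` came to be fetched: the chain of (relation, url) pairs from the
    submitted URL down to `url`. A loop in parent_url links ends the walk."""
    by_url = {r["url"]: r for r in requests}   # last request wins on repeats
    chain, seen = [], set()
    while url in by_url and url not in seen:
        seen.add(url)
        req = by_url[url]
        chain.append((relation_name(req), url))
        url = req["parent_url"]
    chain.reverse()
    return chain


def fetch_chains(requests):
    """Every root-to-leaf chain of fetches starting at the submitted URL."""
    children = {}
    for r in requests:
        children.setdefault(r["parent_url"], []).append(r)
    chains = []

    def walk(parent, path, seen):
        kids = children.get(parent, [])
        if not kids:
            chains.append(path)
            return
        for kid in kids:
            url = kid["url"]
            if url in seen:                   # cycle guard
                chains.append(path + [("CYCLE", url)])
                continue
            walk(url, path + [(relation_name(kid), url)], seen | {url})

    walk(USER_URL, [], frozenset())
    return chains


def unresolved(requests):
    """URLs whose server name could not be resolved (ip is null)."""
    return [r["url"] for r in requests if r.get("ip") is None]


if __name__ == "__main__":
    for chain in fetch_chains(SAMPLE_REQUESTS):
        print(" -> ".join("%s:%s" % hop for hop in chain))
    print("unresolved:", unresolved(SAMPLE_REQUESTS))
```

Because parent_url is a URL rather than a request index, a URL fetched more than once collapses to a single node in this reconstruction; that is usually what an analyst wants when reading a redirect chain, but it is a design choice, not a property of the format.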

Plugin Format

A plugin or ActiveX control that was loaded during the visit of a page.

  • attributes.

    Type: List of attributes.

    For each attribute, the report specifies:

    • name.

      Type: String.

      Example: “propDownloadUrl”.

      The name of the attribute.

    • values.

      Type: List of String.

      Example: “http://www.example.com/evil.exe”.

      The values assigned to this attribute.

  • classid.

    Type: String.

    Example: “C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61”.

    The plugin/ActiveX classid.

  • methods.

    Type: List of method calls.

    For each method, the report specifies:

    • calls.

      Type: List of method calls. Each method call consists of a list of strings.

      Example: “%45000f”

    • name.

      Type: String.

      Example: “Collab.getIcon”.

      The name of the invoked method.

Shellcode Format

Shellcode extracted from memory during the analysis.

  • from_url.

    Type: String.

    Example: “http://evil.example.com/”.

    The URL where the shellcode was found.

  • shellcode_ascii.

    Type: String.

    The shellcode as a printable ASCII string.

  • shellcode_base64.

    Type: String.

    The shellcode base64-encoded.

  • shellcode_hex.

    Type: Hexadecimal string.

    The shellcode as a hexadecimal string.

Textual Content Format

Textual content that has been extracted from PDF files.

  • doc_md5.

    Type: Hexadecimal string.

    Example: “c9d2242bb263603b80916fec27e9f2bb”.

    The MD5 hash of the document from where the content was extracted.

  • doc_sha1.

    Type: Hexadecimal string.

    Example: “38a920093773c3e4a7d571f3cd6c5326cadbe5c2”.

    The SHA1 hash of the document from where the content was extracted.

  • text.

    Type: String.

    Example: “This is a test PDF file”.

    The actual text content extracted from the document.

Processes Unexpectedly Spawned during the Analysis Format

Processes that have been spawned unexpectedly during the analysis and that are typically associated with exploitation activities.

  • command_line.

    Type: String.

    Example: “\c script.bat”

    The command line that was executed.

  • application_name.

    Type: String.

    Example: “C:\Users\ExampleUser\AppData\Local\Temp\52E0.tmp”

    The name of the application that was unexpectedly launched.

  • task_uuid (optional).

    Type: Hexadecimal string.

    Example: 7065a3ba0c729ad5981a1e1072df710d.

    Unique identifier for the analysis submission of the extracted file. This value can be used to obtain a report for the child task (see get_result()).

Files Dropped to Disk Format

Files that have been saved to disk during the analysis.

  • filename.

    Type: String.

    Example: “C:\Users\Johnson\Downloads\nQ30”

    The filename of the dropped file.

  • md5:

    Type: Hexadecimal string.

    Example: “e83bbd9d04cf15ee35a2911be221ae3b”.

    The MD5 hash of the dropped file.

  • sha1:

    Type: Hexadecimal string.

    Example: “6cf755e7ada47b9bea97dadd65f6140ed1863ca2”.

    The SHA1 hash of the dropped file.

  • task_uuid (optional).

    Type: Hexadecimal string.

    Example: 7065a3ba0c729ad5981a1e1072df710d.

    Unique identifier for the analysis submission of the dropped file. This value can be used to obtain a report for the child task (see get_result()).

Code Format

Code evaluated during the analysis.

  • code.

    Type: String.

    Example: “alert('test')”

    The raw code content.

  • code_beautified.

    Type: String.

    Example: “alert('test')”

    A beautified version of the raw code content; null, if it was not possible to beautify the original code.

  • codecluster_result.

    Type: Object with the result of the code clustering; see Codecluster Format for details.

    If the original code is found to be similar to one of the code clusters that we track, this field will contain more details about the matching cluster.

  • media_type.

    Type: String.

    Example: “application/javascript”.

    The media type of the code.

  • source_url.

    Type: String.

    Example: “http://example.com”.

    The URL of the resource that contains the code.

String Format

Strings found in the browser’s memory during the analysis.

  • source_url.

    Type: String.

    Example: “http://example.com”.

    The URL of the resource being evaluated when the string was found.

  • str_len.

    Type: Integer.

    Example: 42.

    The length of the string.

  • str_type.

    Type: String.

    Example: “s”.

    The type of the string: “s” for a string that was statically found in the content of a visited resource; “d” for a string that was found while dynamically evaluating a visited resource.

  • value.

    Type: String.

    Example: “Test”.

    The actual string value.

Local Resource Format

A local resource that was accessed via the res:// protocol.

  • category.

    Type: String.

    Example: “Debugging”.

    The resource category.

  • path.

    Type: String.

    Example: “res://C:\Program Files (x86)\Fiddler2\Fiddler.exe/#3/#32512”

    The resource path.

  • program.

    Type: String.

    Example: “Fiddler”.

    The program containing the resource.

Hidden Element Format

A hidden element that causes external resources to be fetched.

  • element_type.

    Type: String.

    Example: “iframe”.

    The element type, for example “iframe” or “frame”.

  • resource_url.

    Type: String.

    Example: “http://example.com”.

    The URL fetched by the hidden element.

  • source_url.

    Type: String.

    Example: “http://example.com”.

    The URL containing the hidden element.

  • tag.

    Type: String.

    Example: “<iframe class="hidden" src="http://example.com"></iframe>”.

    The hidden element’s code.

Codecluster Format

Information about a code cluster match.

  • description.

    Type: String.

    Example: “Code redirecting to exploit kits”.

    A description of the matching code cluster.

  • id.

    Type: String.

    Example: “ek_redirector”.

    The ID of the matching code cluster.

  • score.

    Type: Integer.

    Example: 70.

    The maliciousness score associated with the matching cluster.

Applets Format

Information about applets.

The dictionary contains a (key, value) pair for every applet found during the analysis. The key is file:// followed by the MD5 hash of the applet file. The value is a dictionary comprising the following fields:

  • contents.

    Type: List of content details.

    Details about individual applet contents.

    • content_type.

      Type: String.

      Example: “application/x-unknown-mime-type”.

      The content type of the applet element.

    • length.

      Type: Integer.

      Example: 1024.

      The length of the applet element.

    • md5.

      Type: Hexadecimal string.

      Example: “e83bbd9d04cf15ee35a2911be221ae3b”.

      The MD5 hash of the applet element.

    • name.

      Type: String.

      Example: “META-INF/MANIFEST.MF”.

      The name of the applet element.

    • sha1.

      Type: Hexadecimal string.

      Example: “6cf755e7ada47b9bea97dadd65f6140ed1863ca2”.

      The SHA1 hash of the applet element.

    • result.

      Type: Integer.

      Example: 1.

      The applet class: 1 if malicious, 0 if benign.
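An added example, not part of this documentation or of the analyzer's code, showing how a consumer walks the applets dictionary described above: the applet's MD5 is recovered from the file:// key (keys that do not follow this layout are skipped rather than guessed at), elements with result 1 are collected per applet, and every element's SHA1 is listed for a hash lookup. The sample dictionary, its hashes and element names are constructed placeholders:

```python
import re

APPLET_KEY_PREFIX = "file://"
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample applets dictionary; hashes and element names are placeholders.
SAMPLE_APPLETS = {
    "file://e83bbd9d04cf15ee35a2911be221ae3b": {
        "contents": [
            {"name": "META-INF/MANIFEST.MF", "content_type": "text/plain",
             "length": 71, "md5": "c9d2242bb263603b80916fec27e9f2bb",
             "sha1": "38a920093773c3e4a7d571f3cd6c5326cadbe5c2", "result": 0},
            {"name": "Loader.class", "content_type": "application/x-unknown-mime-type",
             "length": 1024, "md5": "6705f99eccedeac20e969bef954c5fb0",
             "sha1": "c3499c2729730a7f807efb8676a92dcb6f8a3f8f", "result": 1},
        ]
    },
    "file://7065a3ba0c729ad5981a1e1072df710d": {
        "contents": [
            {"name": "Hello.class", "content_type": "application/x-unknown-mime-type",
             "length": 512, "md5": "e83bbd9d04cf15ee35a2911be221ae3b",
             "sha1": "6cf755e7ada47b9bea97dadd65f6140ed1863ca2", "result": 0},
        ]
    },
}


def applet_md5(key):
    """Recover the applet file's MD5 from a key of the form file://<md5>;
    None if the key does not have that shape."""
    if not key.startswith(APPLET_KEY_PREFIX):
        return None
    digest = key[len(APPLET_KEY_PREFIX):].lower()
    return digest if MD5_RE.match(digest) else None


def malicious_elements(applets):
    """{applet md5: [names of elements with result == 1]}, for applets that
    contain at least one element classified as malicious."""
    flagged = {}
    for key, applet in applets.items():
        md5 = applet_md5(key)
        if md5 is None:
            continue            # key does not follow the documented layout
        names = [c["name"] for c in applet.get("contents", []) if c.get("result") == 1]
        if names:
            flagged[md5] = names
    return flagged


def element_hashes(applets):
    """Every (sha1, applet md5, element name) triple, e.g. for a hash lookup."""
    return [(c["sha1"], applet_md5(key), c["name"])
            for key, applet in applets.items()
            for c in applet.get("contents", [])]


if __name__ == "__main__":
    print(malicious_elements(SAMPLE_APPLETS))
    for sha1, md5, name in element_hashes(SAMPLE_APPLETS):
        print(sha1, md5, name)
```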