...
|
...
|
@@ -395,9 +395,8 @@ MalwareName:TargetType:Offset:HexSignature[:MinFL:[MaxFL]]
|
395
|
395
|
\begin{itemize}
|
396
|
396
|
\item 0 = any file
|
397
|
397
|
\item 1 = Portable Executable, both 32- and 64-bit.
|
398
|
|
- \item 2 = file inside OLE2 container (e.g. image, embedded executable,
|
399
|
|
- VBA script). The OLE2 format is primarily used by MS Office and MSI
|
400
|
|
- installation files.
|
|
398
|
+ \item 2 = OLE2 containers, including their specific macros. The OLE2
|
|
399
|
+ format is primarily used by MS Office and MSI installation files.
|
401
|
400
|
\item 3 = HTML (normalized: whitespace transformed to spaces, tags/tag
|
402
|
401
|
attributes normalized, all lowercase), Javascript is normalized too:
|
403
|
402
|
all strings are normalized (hex encoding is decoded), numbers are
|