
Example: bytes-pattern

Inputs

  • examples/inputs/bytes-pattern-samples/sample.elf
  • examples/inputs/bytes-pattern-samples/sample.exe
  • examples/inputs/bytes-pattern-samples/sample.gif
  • examples/inputs/bytes-pattern-samples/sample.jpg
  • examples/inputs/bytes-pattern-samples/sample.pdf
  • examples/inputs/bytes-pattern-samples/sample.png
  • examples/inputs/bytes-pattern-samples/sample.zip

Profile

# Bytes Pattern Example Profile
# Demonstrates detection of file format magic bytes and binary patterns
#
# Each [[patterns]] entry below gives a display name, a byte sequence written
# as colon-separated hex octets, and type = "bytes".
# NOTE(review): this profile does not say whether a pattern is matched only at
# offset 0 or anywhere in the file; that decides how specific the short
# signatures are, so confirm it against the tool's documentation.

# Empty list: no decoders are named for this run.
# NOTE(review): presumably this means files are matched as stored, with no
# decoding pass (confirm).
decode = []

# 10485760 bytes = 10 * 1024 * 1024.
# NOTE(review): presumably files above this size are not scanned; if so, large
# files are a coverage gap to account for when reading results (confirm).
max-file-size = 10485760  # 10 MiB

# Label for this profile.
tag = "bytes-pattern"

# Common file format magic bytes
# These identify a container format; a hit says what a file claims to be, not
# that it is malicious. Their value in triage is spotting content that does not
# match a file's extension or declared type.
# NOTE(review): in the sample triage report every file with a single header hit
# is listed with the reason "1 suspicious patterns detected", so these format
# patterns appear to feed the score like any other match; confirm that is
# intended.

# "%PDF"
[[patterns]]
  name = "PDF Header"
  pattern = "25:50:44:46"
  type = "bytes"

# Full 8-byte PNG signature.
[[patterns]]
  name = "PNG Header"
  pattern = "89:50:4E:47:0D:0A:1A:0A"
  type = "bytes"

# JPEG start-of-image marker (FF D8) followed by the FF that opens the next marker.
[[patterns]]
  name = "JPEG Header"
  pattern = "FF:D8:FF"
  type = "bytes"

# "GIF8": common prefix of both GIF87a and GIF89a.
[[patterns]]
  name = "GIF Header"
  pattern = "47:49:46:38"
  type = "bytes"

# "PK\x03\x04": ZIP local file header. Every ZIP-based container (OOXML, JAR,
# APK, ...) starts the same way, so a hit is not specific to .zip archives.
# An empty archive starts with "PK\x05\x06" instead and will not match.
[[patterns]]
  name = "ZIP Header"
  pattern = "50:4B:03:04"
  type = "bytes"

# "Rar!\x1A\x07": prefix shared by the RAR 4.x and RAR 5.x signatures.
[[patterns]]
  name = "RAR Header"
  pattern = "52:61:72:21:1A:07"
  type = "bytes"

# Full 6-byte 7z signature.
[[patterns]]
  name = "7z Header"
  pattern = "37:7A:BC:AF:27:1C"
  type = "bytes"

# "\x7FELF"
[[patterns]]
  name = "ELF Header"
  pattern = "7F:45:4C:46"
  type = "bytes"

# "MZ": DOS header magic. Two bytes is a weak signature: if matching is not
# anchored to offset 0 it will hit incidental "MZ" bytes in unrelated data.
# Confirming a PE image additionally requires the "PE\0\0" signature at the
# offset stored in the DOS header.
[[patterns]]
  name = "PE MZ Header"
  pattern = "4D:5A"
  type = "bytes"

# ZIP local file header followed by version-needed 0x0014 and flags 0x0006.
# This is a heuristic, not a format identifier: any ZIP whose first entry has
# those header fields matches, and OOXML files written with other values do
# not. Because this pattern extends the "ZIP Header" bytes, a file matching it
# also contains the "ZIP Header" pattern.
[[patterns]]
  name = "Office 2007+ (OOXML)"
  pattern = "50:4B:03:04:14:00:06:00"
  type = "bytes"

# Suspicious binary patterns
# Both patterns below are weak indicators on their own and should be
# corroborated with other findings before a file is escalated.

# 16 consecutive zero bytes. Runs of zeros are routine in benign files
# (section padding, alignment, zero-initialised data), so expect this to be
# noisy on real executables and documents.
[[patterns]]
  name = "Null Sled"
  pattern = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
  type = "bytes"

# 8 consecutive 0x90 bytes (the x86 single-byte NOP). The same run can occur
# as alignment padding in legitimate code, and in non-code data 0x90 is just a
# byte value, so a hit needs context.
[[patterns]]
  name = "NOP Sled (x86)"
  pattern = "90:90:90:90:90:90:90:90"
  type = "bytes"

Report outputs

Triage report (converted from triage_report.json)

total_files: 7
critical_count: 0
high_count: 0
medium_count: 0
low_count: 0
minimal_count: 7
must_investigate_count: 0
all_scores: None
generated_at: 2025-12-03T09:19:43.962770608+00:00

top_scores

characteristics_scorefile_typefile_type_scoremust_investigatepathpattern_count_scorepattern_matchespattern_severity_scorereasonsrisk_levelscoresha256
0Executable15False/sample.exe510["1 suspicious patterns detected"]Minimal20d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4
0Archive10False/sample.zip510["1 suspicious patterns detected"]Minimal1556a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e2
0Document5False/sample.pdf510["1 suspicious patterns detected"]Minimal10d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdf
0Other0False/sample.jpg510["1 suspicious patterns detected"]Minimal5b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098
0Other0False/sample.png510["1 suspicious patterns detected"]Minimal5c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735
0Other0False/sample.gif510["1 suspicious patterns detected"]Minimal55bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368
0Other0False/sample.elf510["1 suspicious patterns detected"]Minimal5231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a5

CSV outputs

errors.csv

Empty CSV

files.csv

pathfile_namesha256file_createdfile_modifiedfile_accessedmime_types_from_file_extensionis_symbolic_linkis_extracted_fileis_decoded_fileis_deobfuscated_filetag
/sample.zipsample.zip56a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e22025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["application/zip"]0000
/sample.jpgsample.jpgb6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a0982025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["image/jpeg"]0000
/sample.pngsample.pngc42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b7352025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["image/png"]0000
/sample.gifsample.gif5bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a43682025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["image/gif"]0000
/sample.exesample.exed16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a42025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["application/x-dosexec","application/x-dosexec","application/x-ms-ne-executable","application/vnd.microsoft.portable-executable"]0000
/sample.pdfsample.pdfd0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdf2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["application/pdf"]0000
/sample.elfsample.elf231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a52025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z2025-12-03T08:56:20.495889189Z["application/x-executable"]0000

pattern_matches.csv

idsha256pattern_namematch_typematchlocationlength
156a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e2ZIP HeaderbytesPK04
2b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098JPEG Headerbytes���03
3c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735PNG Headerbytes�PNG08
45bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368GIF HeaderbytesGIF804
5d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4PE MZ HeaderbytesMZ02
6d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdfPDF Headerbytes%PDF04
7231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a5ELF HeaderbytesELF04

signature_matches.csv

Empty CSV

unique_files.csv

sha256sha1md5file_sizemime_type_for_contentshannon_entropy
d16ee5307c6e0496c864459af449e0c656e4d8e5bdfee83af451fb2dd7ff64a4fafd69e17d88a9ae35109fa3779319c4608aab70a96dd69ec3fb1cdc5a3e3f294dae43e944application/octet-stream4.35327174447691
56a388646e23dc611a253164567dcbea2ceb47e2ce09b7f8e68a19c7f6d9f5e203807180f234ac4604b248483d674d3a9569a29b1bbc604980f4148810b652723090d7f442application/octet-stream4.66935247095495
b6ecc495cbd46cc09da3f32ebdb94a81712e1986bde12a8706f36fd6dcc8a098d37f332b2d81aa9c45807f10d17c0994d58f65330c908b4e1f9603e2f5923bb245178ced34image/jpeg4.55805107654446
c42551b23e7594bfd846066c9c898cb611c17146ff79dfa892afeded01d3b735cf896d9a3db62a00d319b059066913ad8341e8c4014197e91280729f9d45a58b8e15419644image/png4.57035399411994
5bb6b67a22ce0b967a1cf687f3d00bb8b433fcc39d298cde9a67597f258a4368c764e4297f27a68e0c41836821094fc747c6d1a749752eea6c6ad2a78c6fb6aacda6755648image/gif4.17609473185782
d0958bf2d40e26b2328c44773a9046034fb66ccdbabdb79d2d750bbeffdcfcdfc32c560d7176d306a6064aa8d08eef2a1f3c3ea10c7faf0fa95a6884de094d634186f46d73application/pdf4.30826328831621
231c966fcf4e051785578a1cc41fd52e0ba3d56b72ebcdb2f68600c95fa927a52ff43a51e0a70b5b1653438b1481c018944c1a5bf1dab7b7b2f093a3283f36b4e8b9c59841application/x-executable4.25951419952897