File Details

ArchiveSplitAfter The object is a child of two or more split archive volumes where some portion of the child's data is found in the next volume in the split archive sequence.
ArchiveSplitBefore The object is a child of two or more split archive volumes where some portion of the child's data is found in the previous volume in the split archive sequence.
ArchiveSplitVolume unsigned 32-bit integer The 1-based volume number within a series of split archive volumes.
Identifiable split archive formats:
  • ACE
  • B1
  • CAB
  • RAR
  • ZIP
asciiart unsigned 32-bit integer The line number in a text object where an ASCII art barcode begins.
AutodecryptKeyNotFound The object is encrypted and auto-decrypt was attempted, but the correct decrypt key was not found.
ChildAutodecryptFailed The object contains at least one encrypted child that failed to auto-decrypt.
consoleversion major.minor The minimum major.minor version of Microsoft Management Console (MMC) required to load a Microsoft Saved Console (MSC) file.
crc32 32-bit hex string CRC-32 (Cyclic Redundancy Check 32) 32-bit checksum.
For Ogg Vorbis audio files this is the checksum of the first page's data. The generator polynomial is 0x04c11db7. The checksum is used to verify the page's integrity.
For ZIP files this is the checksum of the uncompressed file's data. The checksum is used to verify the file's integrity.
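The two crc32 values above come from different CRC-32 variants of the same generator polynomial, so one routine cannot verify both. The block below is an added example, not code from the product this page documents. It assumes the Ogg framing rules (MSB-first, initial value 0, no final XOR, computed over the page with its CRC field zeroed) and the ZIP rules (bit-reflected, initial value and final XOR 0xFFFFFFFF); the helper names and the sample page are constructed for illustration.

```python
import struct
import zlib

OGG_POLY = 0x04C11DB7  # generator polynomial named on this page
OGG_CRC_OFFSET = 22    # byte offset of the checksum field in an Ogg page header


def crc32_ogg(data: bytes) -> int:
    """Ogg variant: MSB-first, initial value 0, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ OGG_POLY if crc & 0x80000000 else crc << 1) & 0xFFFFFFFF
    return crc


def crc32_zip(data: bytes) -> int:
    """ZIP variant: reflected polynomial, init and final XOR 0xFFFFFFFF (zlib's CRC-32)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def build_ogg_page(payload: bytes, serial: int = 1, seq: int = 0) -> bytes:
    """Constructed sample input: a single-segment Ogg page (payload under 255 bytes)."""
    # capture pattern, version, header type, granule position, serial, sequence, CRC=0, segment count
    header = struct.pack("<4sBBqIIIB", b"OggS", 0, 0x02, 0, serial, seq, 0, 1)
    page = bytearray(header + bytes([len(payload)]) + payload)
    struct.pack_into("<I", page, OGG_CRC_OFFSET, crc32_ogg(bytes(page)))
    return bytes(page)


def ogg_page_crc_ok(page: bytes) -> bool:
    """Recompute the checksum with the stored CRC field zeroed and compare."""
    if len(page) < 27 or page[:4] != b"OggS":
        return False
    stored = struct.unpack_from("<I", page, OGG_CRC_OFFSET)[0]
    zeroed = page[:OGG_CRC_OFFSET] + b"\x00" * 4 + page[OGG_CRC_OFFSET + 4:]
    return crc32_ogg(zeroed) == stored


if __name__ == "__main__":
    sample = b"123456789"
    print(f"zip crc32: {crc32_zip(sample):08x}  ogg crc32: {crc32_ogg(sample):08x}")
    page = build_ogg_page(b"constructed payload")
    tampered = page[:-1] + bytes([page[-1] ^ 0x01])
    print("intact page ok:", ogg_page_crc_ok(page), " tampered page ok:", ogg_page_crc_ok(tampered))
```

A CRC detects accidental corruption only; anyone who can modify the data can also recompute the checksum, so neither value is evidence that a file is unmodified.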
cve string Detected CVE (Common Vulnerabilities and Exposures) vulnerability.
Identified by a unique string formatted as cve-YYYY-NNNN.
YYYY is the year of the vulnerability's discovery or public disclosure.
NNNN is a sequential number assigned by the CVE Numbering Authority (CNA).
This standardized system helps organizations and security professionals identify, catalog, and communicate about security flaws in software and hardware.
Decrypted The object was successfully auto-decrypted.
Deleted The object is marked as deleted within its parent container.
For example, files stored in a File Allocation Table (FAT) file system image may be marked as deleted, but the deleted file’s content is often intact and can be successfully extracted.
Encrypted In its original/raw form, the object is encrypted.
ExtractedDocumentText The object is the plain-text version of its parent document.
extractversion unsigned 32-bit integer For an ARJ archive, the minimum version of the ARJ archive creation application required to extract the archive.
flags 8-bit hex string Bit-flags for an ARJ archive.
  • 0x01 = Not used
  • 0x02 = Old secured
  • 0x04 = Split ARJ; archive continues on the next disk
  • 0x08 = Not used
  • 0x10 = Path separator characters in the archive name have been translated from Windows “\” to Linux/Unix “/”
  • 0x20 = Backup archive
  • 0x40 = ARJ-Secured; archive modifications are not allowed
genre string The genre of an MPEG audio file.
  • unknown
  • Blues
  • Classic Rock
  • Country
  • Dance
  • Disco
  • Funk
  • Grunge
  • Hip-Hop
  • Jazz
  • Metal
  • New Age
  • Oldies
  • Other
  • Pop
  • R&B
  • Rap
  • Reggae
  • Rock
  • Techno
  • Industrial
  • Alternative
  • Ska
  • Death Metal
  • Pranks
  • Soundtrack
  • Euro-Techno
  • Ambient
  • Trip-Hop
  • Vocal
  • Jazz+Funk
  • Fusion
  • Trance
  • Classical
  • Instrumental
  • Acid
  • House
  • Game
  • Sound Clip
  • Gospel
  • Noise
  • AlternRock
  • Bass
  • Soul
  • Punk
  • Space
  • Meditative
  • Instrumental Pop
  • Instrumental Rock
  • Ethnic
  • Gothic
  • Darkwave
  • Techno-Industrial
  • Electronic
  • Pop-folk
  • Eurodance
  • Dream
  • Southern Rock
  • Comedy
  • Cult
  • Gangsta
  • Top 40
  • Christian Rap
  • Pop/Funk
  • Jungle
  • Native American
  • Cabaret
  • New Wave
  • Psychadelic
  • Rave
  • Showtunes
  • Trailer
  • Lo-Fi
  • Tribal
  • Acid Punk
  • Acid Jazz
  • Polka
  • Retro
  • Musical
  • Rock & Roll
  • Hard Rock
  • Folk
  • Folk-Rock
  • National Folk
  • Swing
  • Fast Fusion
  • Bebob
  • Latin
  • Revival
  • Celtic
  • Bluegrass
  • Avantgarde
  • Gothic Rock
  • Progressive Rock
  • Psychedelic Rock
  • Symphonic Rock
  • Slow Rock
  • Big Band
  • Chorus
  • Easy Listening
  • Acoustic
  • Humour
  • Speech
  • Chanson
  • Opera
  • Chamber Music
  • Sonata
  • Symphony
  • Booty Brass
  • Primus
  • Porn Groove
  • Satire
  • Slow Jam
  • Club
  • Tango
  • Samba
  • Folklore
  • Ballad
  • Power Ballad
  • Rhythmic Soul
  • Freestyle
  • Duet
  • Punk Rock
  • Drum Solo
  • A Capela
  • Euro-House
  • Dance Hall
HasDecryptedChildren The object contains one or more decrypted child objects.
HasDecryptedPDFChild The object is a PDF and has an auto-decrypted PDF child object.
HasEncryptedChildren The object contains one or more encrypted child objects.
horizqtr unsigned 32-bit integer The horizontal quarter of the image (1, 2, 3, or 4) of the left edge of the first barcode symbol.
hostos unsigned 32-bit integer For an ARJ archive the host operating system on which the archive was created.
  • 0 = MS-DOS
  • 1 = PRIMOS
  • 2 = Unix
  • 3 = Amiga
  • 4 = MacOS
  • 5 = OS/2
  • 6 = Apple GS
  • 7 = Atari
  • 8 = Next
  • 9 = VAX VMS
hyperlinkschanged boolean For OLE2/OLESS Microsoft Word documents, 1 if the _PID_HLINKS property in the User Defined Property Set has changed outside of the application, which would require the application to update the hyperlink on document load.
Infected The object is malicious.
IsDecryptedPDFChild The object is an auto-decrypted PDF extracted as a child of an encrypted PDF.
Malformed Some aspect of the object's internal data structure is not as it should be.
MaxExtractDepthExceeded The object exists beyond the configured maximum recursive processing depth allowed.
MaxExtractRatioExceeded The object's uncompressed vs. compressed size ratio exceeds the configured maximum ratio.
MaxExtractSizeExceeded The object exceeds the configured maximum size allowed for a single extracted object.
MaxExtractTotalSizeExceeded The object exists beyond the configured maximum total size of all extracted objects.
MaxItemsPerDepthExceeded The object exists beyond the configured maximum number of objects allowed at this object's depth.
MaxProcessingTimeExceeded The configured maximum processing time was exceeded.
MaxTotalItemsExceeded The object exists beyond the configured maximum total number of extracted objects.
MaxURLsLengthExceeded The total combined length of all URLs extracted from the object exceeds 8K.
One or more URLs beyond the last one that fit were not extracted.
MicrosoftRemoteObjectTargetUsesIE An XML file contains a Microsoft-specific remote object Target URL that ends with either “.htm!” or “.html!”.
MIMEBodyPart The object is a MIME body part.
This is only set on extracted objects that are MIME body parts, not MIME attachments.
ncd string Comma-separated Nested Container Descriptor (NCD) depth-first list of object data type strings.
e.g. MIME,ZIP:DOCX,PDF,TIFF represents an email containing a DOCX document attachment containing an embedded PDF document containing a TIFF image.
nce string Comma-separated Nested Container Extensions (NCE) depth-first list of object extensions.
e.g. eml,docx,pdf,bmp represents an .eml email containing a .docx document attachment containing an embedded .pdf document containing a .bmp image.
NoDocumentText The object is a document that has no body text.
Obfuscated The object contains script logic that is commonly used to obfuscate malicious behavior.
ObfuscatedURLAttribute The object contains an HTML attribute that is an obfuscated URL reference.
PDFStream The object is a raw data stream extracted from a PDF document.
PKCS7Encrypted The object is MIME and is PKCS7-encrypted.
PKCS7Signed The object is MIME and is PKCS7-signed.
Redirect The object contains an HTML redirect URL.
size unsigned 32-bit integer Barcode image width and height in pixels.
The image size is represented as two comma-separated positive integers (e.g. 300,200).
splitbtc unsigned 32-bit integer The number of consecutive string segments that were combined to form and extract a valid Bitcoin address.
The number of string segments is in the range 2 to 62 (the current maximum length of a valid Bitcoin address).
All other values are meaningless and therefore will never occur.
Suspicious The object exhibits signs of malicious behavior but may or may not actually be malicious.
type string The type of barcode detected within an image.
  • Unknown
  • Codabar
  • Code 39
  • Code 93
  • Code 128
  • Composite
  • DataBar
  • DataBarExpanded
  • EAN-2
  • EAN-5
  • EAN-8
  • EAN-13
  • ISBN-10
  • ISBN-13
  • I2/5
  • PDF 417
  • QR-Code
  • SQ Code
  • UPC-A
  • UPC-E
UnknownCompressedSize The object's compressed size is unknown.
UnknownUncompressedSize The object's uncompressed size is unknown.
version major.minor For a B1 archive the major.minor version of the B1 file format.
version "MPEG-2.5" MPEG 2.5 uses a specialized algorithm for audio sampled with a low frequency.

Additional details:
  • album
  • artist
  • comment
  • genre (see above)
  • layerdesc
    • Layer I
    • Layer II
    • Layer III
  • samplerate
    • 44.1kHz
    • 48kHz
    • 32kHz
  • title
  • year
version "MPEG-2 (ISO/IEC 13818-3)" MPEG-2 (a.k.a. H.222/H.262, as defined by the International Telecommunication Union) is a standard for the general encoding of moving pictures and associated audio using a combination of lossy video compression and lossy audio data compression methods.
While MPEG-2 is not as efficient as newer standards such as H.264/AVC and H.265/HEVC, backwards compatibility with existing hardware and software means it is still widely used.

Additional details:
  • album
  • artist
  • comment
  • genre (see above)
  • layerdesc
    • Layer I
    • Layer II
    • Layer III
  • samplerate
    • 44.1kHz
    • 48kHz
    • 32kHz
  • title
  • year
version "MPEG-1 (ISO/IEC 11172-3)" MPEG-1 is a standard for lossy compression of video and audio.
MPEG-1 is the most compatible lossy audio/video format in the world and is used in countless products and technologies.
The first version of the well-known MP3 audio format was introduced by the MPEG-1 standard.

Additional details:
  • album
  • artist
  • comment
  • genre (see above)
  • layerdesc
    • Layer I
    • Layer II
    • Layer III
  • samplerate
    • 44.1kHz
    • 48kHz
    • 32kHz
  • title
  • year
version 32-bit hex string For a DAA (Direct Access Archive) the version of the DAA file format.
version unsigned 32-bit integer For a RAR archive either 4 (RAR4) or 5 (RAR5).

For an OLE2/OLESS Microsoft Word document, specifies the version of the application that wrote the property set storage.
The two high-order bytes specify an unsigned integer specifying the major version number.
The two low-order bytes specify an unsigned integer specifying the minor version number.
The value MUST have the major version number set to a nonzero value, and the minor version number SHOULD be 0x0000.
The minor version number MAY be set to the minor version number of the application that wrote the property set storage.
vertqtr unsigned 32-bit integer The vertical quarter of the image (1, 2, 3, or 4) of the top edge of the first barcode symbol.
WrongExtension The object's file extension does not match its identified file type.