Sign in

Malware

A four-tier classifier that answers a single question about a compiled binary: is this malicious?

4 tiers · 19 semantic detectors across 7 threat categories · 0 false positives on the benign baseline · score-and-promote composition over the engine's other security surfaces.

The classifier is deterministic and reads only static facts the engine already produces. No execution, no sandbox, no hash lookup, no ML. Weights and thresholds are hand-tuned against a measured corpus and pinned in tests so a regression that loosens separation reds CI.

The four tiers

TierScoreWhat it means
Benign< 15No suspicious composition. The dominant case for legitimate software.
Suspicious15 – 34Composition suggests caution. Pen-testing utilities, dual-use tooling, and aggressive ad-tech live here legitimately.
LikelyMalicious35 – 69Composition matches malware shape. Worth analyst review.
Malicious≥ 70Composition is decisive. Multiple independent malware patterns at once.

The boundaries (15, 35, 70) are the lowest values that hold zero false positives on the benign baseline while keeping every malware sample at Suspicious or above.

Promotion rule. Any single semantic finding fires the binary into at least LikelyMalicious, even if the numeric score is below 35. The semantic detectors are precision-floor by design — each fires only when a multi-primitive shape resolves at a specific call site. A process_hollowing hit on a binary that otherwise looks clean is the canonical case: aggregate signals are quiet because the binary does one thing, but the one thing is unambiguous.

Negative clamp. Some signals subtract points (a binary with Hardened Runtime and a valid Developer ID signature loses points). The clamp floors scores at zero before the tier lookup so a heavily-scrubbed binary can't underflow the bucket.

The seven threat categories

CategoryDetectorsWeight rangeWhat it catches
Persistence340–50Auto-start mechanisms across macOS, Linux, Windows
Code injection and execution550–75Process hollowing, reflective load, API-hash resolvers, ObjC swizzling, dyld injection
Surveillance and TCC bypass440–65Keystroke capture, screen capture, clipboard, TCC subversion
Credential theft1 (4 shapes)45–55Four independent keychain-dump routes
C2 and network evasion340–45Hardcoded callback URIs, SSL-pinning bypass, bundle-ID masquerade
Process reconnaissance135Linux /proc walks and macOS process-enumeration imports
Low-level execution240LOLBin command literals and resolved subprocess arguments

Each detector walks the SSA-form IL, the resolved call graph, and constant-propagation results, and fires only when its multi-primitive pattern resolves at a specific call site. Weights are per-hit.

Persistence

Code injection and execution

Surveillance and TCC bypass

Credential theft

C2 and network evasion

Process reconnaissance

Low-level execution

Score composition (aggregation rules)

In addition to the semantic detectors above, five families of shallow signals accumulate evidence. None alone fires the tier, but they add up — and the indicator-category and consistency hits in particular are where most benign binaries earn their few points.

SignalWeightWhy it scores
Loader density20 if ≥ 0.01 calls/KB, 10 if ≥ 0.005Real packers and reflective loaders trip the upper bucket; legitimate plugin hosts trip the lower
Max section entropy15 if any section ≥ 7.95 bits/byteThe packed-payload signal
Embedded carrier in overlay15Embedded Mach-O, ELF, or PE in the overlay region — the dropper signal
Indicator-category hits10/Communication, 10/Collection, 15/AntiAnalysis, 25/MalwareFamilyPersistence, Crypto, DataManipulation score zero — they fire equally on benign and malicious code
Consistency divergences30 ad-hoc-privileged or bundle-ID impersonation; 20 private entitlement on non-Apple; 15 capability used without entitlement; 10 capability via dlopen; 5 declared-but-unusedOrdered by how decisive the inconsistency is

Corpus and evaluation

Thresholds are pinned from measurement on:

Three hard gates run on every release:

  1. Zero false positives on benign. Every benign fixture must classify Benign. A single Suspicious-or-above on the benign set reds the gate.
  2. Floor on malware. Every malware fixture must classify at least Suspicious.
  3. Median separation. The median malware score minus the median benign score must be ≥ 15 points. Catches drift that doesn't trip the per-fixture gates but erodes the headroom between them.

What it composes over

Malware classification is pure composition over the engine's earlier surfaces. Nothing here reads bytes or walks the IL directly — every signal it sums is already in the analysis output (packing, entropy, embedded carriers, indicator hits, consistency divergences) or in the findings stream (the semantic shape detectors, which are themselves CWE-tagged).

The four security surfaces have a strict dependency order:

analyze → indicators → findings (CWE) → malware (verdict)

A binary that fires CWE-94 (dynamic code via dlopen with a tainted argument) emits a finding to the Findings stream. The same call-site shape that produced the finding also feeds the malware composer, where it gets a weight and contributes to the tier verdict. The finding and the verdict are not duplicates — they are different read-outs of the same fact for different consumers. An auditor reading findings wants the per-CWE detail; a triage pipeline reading malware wants the verdict.

The four surfaces are independent at the consumer level. A binary that scores Malicious can have zero CWE findings (a well-written implant). A binary that scores Benign can have dozens (legacy code that hasn't been audited). A binary with thirty SBOM CVEs can score Benign (a Linux distribution image with old packages). Agreement is informative; disagreement is also informative.

Where this fits

The verdict is one decision per binary. openbinary surfaces it on every binary page; CI pipelines key alerts on tier transitions (a binary that was Benign in v1.0 and is LikelyMalicious in v1.1 is a release-blocker even if no individual finding or indicator changed); the Compare view diffs verdicts across versions of the same package, since a tier promotion across a patch release is the canonical supply-chain compromise signal.

See Findings for the CWE catalog the verdict composes over, Indicators for the capability signals it weighs, and CVEs & SBOM for the parallel version-based surface that runs on the same input.