Research Article

Modified Decision Tree Technique for Ransomware Detection at Runtime through API Calls

Table 3

Most relevant features for classification with description.

| S. no | Attributes/features | Description |
|---|---|---|
| 1 | Debug size | Debugging is the detection and removal of errors from a computer system; debug size is the size of the debug directory table. Microsoft executable files typically have a debug directory, so many benign applications have a positive value for debug size. |
| 2 | DebugRVA (debug relative virtual address) | The relative virtual address of the debug directory in the portable executable (PE) header. An RVA of zero indicates that the field is not used. All tables and structure fields must be aligned on their natural boundaries, with the possible exception of the debug information. |
| 3 | Major image version | The major version number of the file. This value is user-definable and not tied to the function of the application. Many benign programs have a wider range of values and a larger image version; malware typically carries a value of 0. |
| 4 | MajorOSVersion (major operating system version) | The major version of the operating system required to run the .exe file. |
| 5 | ExportRVA (export relative virtual address) | The relative virtual address (RVA) of the export table, whose entries are indexed by ordinal. The address is relative to the start of the image base. The export address table holds the locations of exported data, entry points and absolute addresses, and an ordinal value is used to index it. |
| 6 | Export size | The size of the export table. Only DLLs, not runtime applications, have export tables, so this feature tends to be positive for clean files, which include many DLLs, and 0 for virus files. |
| 7 | IatRVA | The relative virtual address of the import address table. The value of this feature is 4096 for the cleanest files and 0 or a very large value for virus files. |
| 8 | Major linker version | The major version of the linker that produced the file, recorded in the PE header. In the same part of the PE header, the resource size of malware is sometimes 0, since malware sometimes has no resources. |
| 9 | Minor linker version | The minor version of the linker that produced the file. |
| 10 | Number of sections | The amount of virtual memory to reserve for the initial thread's stack. |
| 11 | Size of stack reserve | The amount of virtual memory to reserve for the initial thread's stack. |
| 12 | All characteristics | A set of flags indicating under which circumstances a dynamic-link library (DLL) initialization function |
| 13 | Resource size | The size of the resource section. Some malware files have no resources at all, while benign files tend to have larger resource sections. |
| 14 | Machine | Identifies the architecture type of the target computer. The program can run only on a system that supports this architecture type. |
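As an added example (not code from the paper), the following Python reads the fourteen Table 3 header fields straight out of a PE image with the standard-library struct module, handling both the PE32 and PE32+ layouts (SizeOfStackReserve widens and shifts the data directory) and data directories that lie beyond NumberOfRvaAndSizes. The header bytes built by constructed_header are a constructed sample rather than a real binary, and the dictionary keys are assumed names for the classifier's feature vector.

```python
import struct
DIR_EXPORT, DIR_RESOURCE, DIR_DEBUG, DIR_IAT = 0, 2, 6, 12   # data-directory indices (PE/COFF spec)

def pe_header_features(data: bytes) -> dict:
    """Extract the Table 3 header fields from a PE image already read into memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew -> offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4                                             # IMAGE_FILE_HEADER
    machine, nsections = struct.unpack_from("<HH", data, coff)
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    magic, maj_linker, min_linker = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unsupported optional-header magic 0x%X" % magic)
    plus = magic == 0x20B
    maj_os, _, maj_image = struct.unpack_from("<HHH", data, opt + 40)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    # SizeOfStackReserve widens to 8 bytes in PE32+, which shifts every later field.
    stack_reserve, = struct.unpack_from("<Q" if plus else "<I", data, opt + 72)
    dirs = opt + (112 if plus else 96)
    ndirs, = struct.unpack_from("<I", data, dirs - 4)        # NumberOfRvaAndSizes
    def directory(i):                                         # (RVA, size); absent entry -> (0, 0)
        return struct.unpack_from("<II", data, dirs + 8 * i) if i < ndirs else (0, 0)
    export_rva, export_size = directory(DIR_EXPORT)
    debug_rva, debug_size = directory(DIR_DEBUG)
    return {"DebugSize": debug_size, "DebugRVA": debug_rva, "MajorImageVersion": maj_image,
            "MajorOSVersion": maj_os, "ExportRVA": export_rva, "ExportSize": export_size,
            "IatRVA": directory(DIR_IAT)[0], "MajorLinkerVersion": maj_linker,
            "MinorLinkerVersion": min_linker, "NumberOfSections": nsections,
            "SizeOfStackReserve": stack_reserve, "DllCharacteristics": dll_chars,
            "ResourceSize": directory(DIR_RESOURCE)[1], "Machine": machine}

def constructed_header(plus: bool = True) -> bytes:
    """Constructed sample (not a real binary): a bare PE32+ or PE32 header with no sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64   # e_lfanew = 0x80
    size = 240 if plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 3, 0, 0, 0, size, 0x22)
    opt = bytearray(size)
    struct.pack_into("<HBB", opt, 0, 0x20B if plus else 0x10B, 14, 29)   # magic, linker 14.29
    struct.pack_into("<HHHH", opt, 40, 6, 0, 1, 0)                       # OS 6.0, image 1.0
    struct.pack_into("<H", opt, 70, 0x8160)                              # DllCharacteristics
    struct.pack_into("<Q" if plus else "<I", opt, 72, 0x100000)          # 1 MiB stack reserve
    base = 112 if plus else 96
    struct.pack_into("<I", opt, base - 4, 16)                            # NumberOfRvaAndSizes
    for idx, rva, sz in ((DIR_RESOURCE, 0x3000, 0x1E0), (DIR_DEBUG, 0x2100, 0x38), (DIR_IAT, 0x2000, 0x40)):
        struct.pack_into("<II", opt, base + 8 * idx, rva, sz)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

On a real sample, pass the file's bytes to pe_header_features and feed the returned dictionary to the classifier; the export directory is left empty in the constructed header, so ExportRVA and ExportSize come back as 0, the pattern the table associates with non-DLL files.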