Base64 Encoded File Signatures

Inspired by a post by John Lambert and others who contributed, I've put together a table of Base64 encodings for certain file signatures and script elements often encountered in malware analysis.

Due to the nature of Base64 encoding, there are different possibilities of the encoding result depending on the placement of the bytes in the overall structure of the blob. Using CyberChef all the possible Base64 offsets can be determined. However, in the below tables for ease I've only included the fixed bytes as if the header was at the start of the blob of Base64.

For those files that don't have a readable signature, this simple CyberChef recipe will change the hex values to display their Base64 offsets.

File Signatures

File signatures, aka 'magic bytes' or 'file headers', are static bytes that appear at the start of files.

File Type File Signature Base64 Encoding
DOS Executable MZ TV
RAR Compressed Rar! UmFyI
Office/Zip PK UE
Rich Text Format {\rtf e1xydG
Compound Binary File (.doc etc.) D0 CF 11 E0 A1 B1 1A E1 0M8R4KGxGu
Gzip 1F 8B 08 H4sI

Common Script Elements

These script elements are common leading commands that can be encountered during script analysis.

Script Element Base64 Encoding
http aHR0c
$\x00 JA
iex ( aWV4IC
cmd.exe / Y21kLmV4ZSAv
certutil Y2VydHV0aW
wscript d3Njcmlwd
schtasks c2NodGFza3
eval ZXZhb

This post was essentially to save a series of Tweets that I found useful. It is not complete and if you want to add further entries please let me know at [email protected] or @mattnotmax


File headers:

Article Link: