Obfuscated Files or Information: Binary Padding

Created the Wednesday 15 February 2023. Updated 6 months, 2 weeks ago.

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures. The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware. Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.

Technique Identifier

T1027.001

Technique Tags

Defense Evasion checksum manipulation avoid hash-based blocklists avoid static anti-virus signatures append junk data append random binary data maximum file size APT29 APT32 maximum file size

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Obfuscated Files or Information: Binary Padding, Sub-technique T1027.001 - Enterprise | MITRE ATT&CK®