Sample Artifacts

Sample artifacts are artifacts that WildFire associates with samples only. You can find the following artifact types when you view Sample Details, in the File Analysis details of a sample.
Artifact Type
Search with this Artifact Type to Find...
Compilation Timestamp
The date and time when a Portable Executable (PE) file was created.
Digital Signer
The digital signature that identifies the sender of the sample.
File Type
The file type of the sample. Examples include Email Link, Adobe Flash File, and PDF.
File Size
The size of the sample in bytes.
Finish Date
The date and time when WildFire analysis of the sample completed and the sample received a WildFire verdict.
First Seen
The date and time that the sample was first forwarded or uploaded to WildFire. You can search for samples based on relative dates and absolute dates. Using a relative date allows you to select a date range based on the current time as a reference point, while the absolute date allows you to specify an exact point in time.
Import Table Hash
An import hash, or imphash, is a hash based on the order that API functions are listed in the import table of a Portable Executable (PE). Imphashes can be used to identify similar samples that might belong to the same malware family.
Imphashes are listed for malware and grayware samples only (not benign samples).
Last Updated
The date and time when WildFire changed the verdict for a sample.
MD5
The sample’s unique cryptographic hash generated using the MD5 message-digest algorithm.
Region
Every WildFire cloud (global or regional) to which a sample was submitted for analysis. The sample details list all of the WildFire clouds to which firewalls submitted the sample (different firewalls can submit the same sample to different WildFire clouds).
  • US
    —WildFire global cloud
  • EU
    —WildFire EU cloud
  • JP
    —WildFire Japan cloud
  • SG
    —WildFire Singapore cloud
To find samples that have been submitted to only a single WildFire cloud (and no other WildFire clouds), set up a search for a WildFire cloud. Then, add search conditions excluding samples submitted to the other WildFire clouds from the search results. For example, to search for samples that users submitted to the WildFire global cloud only, search with the condition
Region
is
US
combined with the condition
Region
is not
for each of the other WildFire clouds.
SHA1
The sample’s unique cryptographic hash generated using the Secure Hash Algorithm 1.
SHA256
The sample’s unique cryptographic hash generated using Secure Hash Algorithm 256.
Ssdeep Fuzzy Hash
The fuzzy hash (generated by the ssdeep program) associated with the sample.
The ssdeep program generates an ssdeep hash value, or a fuzzy hash, for a sample which can be used to identify samples that are very similar but not exactly alike. The ssdeep prfirewogram allows you to compare sample fuzzy hashes to produce a percentage that indicates how closely the samples match. In ssdeep, a high percentage indicates a high number of similarities between the samples.
In AutoFocus, fuzzy hashes are listed for malware and grayware samples only (not benign samples).
WildFire Verdict
WildFire assigns a verdict of Malware, Grayware, Benign, or Phishing to the sample based on properties, behaviors, and activities observed for the file or email link during static and dynamic analysis.

Related Documentation