Base64 Encoded File Signatures

Inspired by a post by John Lambert and others who contributed, I've put together a table of Base64 encodings for certain file signatures and script elements often encountered in malware analysis.

Due to the nature of Base64 encoding, there are different possibilities of the encoding result depending on the placement of the bytes in the overall structure of the blob. Using CyberChef all the possible Base64 offsets can be determined. However, in the below tables for ease I've only included the fixed bytes as if the header was at the start of the blob of Base64.

[cyberchef_base64_offsets

For those files that don't have a readable signature, this simple CyberChef recipe will change the hex values to display their Base64 offsets.

[base64_hex_header]

File Signatures

File signatures, aka 'magic bytes' or 'file headers', are static bytes that appear at the start of files.

File TypeFile SignatureBase64 Encoding
DOS ExecutableMZTV
RAR CompressedRar!UmFyI
PDF%PDFJVBER
Office/ZipPKUE
Rich Text Format{\rte1xyd
Compound Binary File (.doc etc.)D0 CF 11 E0 A1 B1 1A E10M8R4KGxGu
Gzip1F 8B 08H4sI

Common Script Elements

These script elements are common leading commands that can be encountered during script analysis.

Script ElementBase64 Encoding
httpaHR0c
$\x00JA
iex (aWV4IC
cmd.exe /Y21kLmV4ZSAv
certutilY2VydHV0aW
wscriptd3Njcmlwd
schtasksc2NodGFza3
evalZXZhb

This post was essentially to save a series of Tweets that I found useful. It is not complete and if you want to add further entries please let me know at matt@bitofhex.com or @mattnotmax


References:

File headers: https://www.garykessler.net/library/file_sigs.html
Refinement of RTF signature: @decalage2