Magic module

New in version 3.1.0.

The Magic module allows you to identify the type of the file based on the output of file, the standard Unix command.

Important

This module is not built into YARA by default; to learn how to include it, refer to Compiling and installing YARA. Bad news for Windows users: this module is not supported on Windows.

There are two functions in this module: type() and mime_type(). The first one returns the descriptive string produced by file. For example, if you run file against a PDF document you'll get something like this:

$ file some.pdf
some.pdf: PDF document, version 1.5

The type() function would return "PDF document, version 1.5" in this case. Using the mime_type() function is similar to passing the --mime argument to file:

$ file --mime some.pdf
some.pdf: application/pdf; charset=binary

mime_type() would return "application/pdf", without the charset part.

By experimenting a little with the file command you can learn which output to expect for different file types. These are a few examples:

  • JPEG image data, JFIF standard 1.01
  • PE32 executable for MS Windows (GUI) Intel 80386 32-bit
  • PNG image data, 1240 x 1753, 8-bit/color RGBA, non-interlaced
  • ASCII text, with no line terminators
  • Zip archive data, at least v2.0 to extract

type()

Function returning a string with the type of the file.

Example: magic.type() contains "PDF"

mime_type()

Function returning a string with the MIME type of the file.

Example: magic.mime_type() == "application/pdf"
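Two complete rules that use both functions, added here as an example and not taken from the YARA documentation. They assume a YARA build with the Magic module compiled in, and the "application/zip" MIME string is assumed to be what libmagic reports for Zip archives on your system.

```yara
import "magic"

// Added example rules (not from the YARA documentation). They require a
// YARA build with the Magic module compiled in and so do not run on Windows.

// Match files that libmagic describes as 32-bit Windows executables.
// The description is combined with the "MZ" signature at offset 0 (little
// endian 0x5A4D), the cheap check you would use without the module, so the
// rule documents both ways of recognising the format.
rule pe32_per_libmagic
{
    meta:
        description = "File that libmagic describes as a PE32 executable"
    condition:
        magic.type() contains "PE32 executable" and
        uint16(0) == 0x5A4D
}

// Match Zip containers by MIME type alone. magic.mime_type() strips the
// "; charset=..." suffix that `file --mime` prints, so an exact string
// comparison works. "application/zip" is assumed to be libmagic's MIME
// string for Zip archives; confirm it with `file --mime` on a sample.
rule zip_container_per_libmagic
{
    meta:
        description = "File that libmagic reports as application/zip"
    condition:
        magic.mime_type() == "application/zip"
}
```

Run with `yara -r rules.yar <directory>` against a folder of sample files; files whose libmagic description or MIME type matches are listed by rule name.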