YARA looks at file size, strings, etc. All of these can be spoofed. Certain malware inflates itself with garbage code. Certain malware Obfuscation
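The effect of inflation on a size-bounded rule, and a defender-side check for it, as an added example that is not from the original notes. It emulates a rule condition in plain Python rather than running YARA; the marker string, the 200 KB cap, the 64 KB padding threshold and all function names are assumptions, and both samples are constructed.

```python
import math
from collections import Counter

MARKER = b"constructed-sample-marker"  # constructed stand-in for a rule string ($s1)
SIZE_CAP = 200 * 1024                  # assumed rule condition: filesize < 200KB
BLOCK = 4096

def naive_rule(data: bytes) -> bool:
    """Emulates `condition: $s1 and filesize < 200KB`."""
    return MARKER in data and len(data) < SIZE_CAP

def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a single repeated byte)."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def padded_tail_len(data: bytes, max_entropy: float = 1.0) -> int:
    """Bytes at the end of the file that sit in low-entropy blocks (filler).
    Limitation: only low-entropy filler is measured here."""
    pos = len(data)
    while pos >= BLOCK and entropy(data[pos - BLOCK:pos]) <= max_entropy:
        pos -= BLOCK
    return len(data) - pos

def hardened_rule(data: bytes, min_padding: int = 64 * 1024) -> tuple:
    """(string_hit, inflated): match without a size cap, flag padding separately."""
    return MARKER in data, padded_tail_len(data) >= min_padding

def make_samples() -> tuple:
    """Constructed inputs: a small file and the same file with 300 KB of zeros appended."""
    body = bytes(range(256)) * 16  # 4096 high-entropy bytes
    original = body + MARKER + body
    return original, original + b"\x00" * (300 * 1024)

if __name__ == "__main__":
    for name, sample in zip(("original", "inflated"), make_samples()):
        print(name, len(sample), naive_rule(sample), hardened_rule(sample))
```

The size-capped condition stops matching once the file is inflated, while the uncapped string match still hits and the padding flag gives triage a second signal.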