File Analysis

Reading a file analysis report

Deciphering sandbox and antivirus reports: understanding verdicts and key indicators.

1 Introduction

A file analysis report is like a medical check-up report for a suspicious file. When a doctor examines a patient, they run blood tests, take X-rays, and check vital signs before giving a diagnosis. Similarly, when a security tool analyzes a suspicious file, it performs dozens of checks and compiles the results into a structured report. Learning to read these reports is a fundamental skill for any cybersecurity analyst.

70+ antivirus engines on VirusTotal

2 types of analysis: static analysis and dynamic analysis

60 sec average sandbox execution time

2 How It Works

A file analysis report typically follows a standard structure. Understanding each section helps you quickly assess whether a file is dangerous and what it does.

Structure of a typical report

1. Verdict
The overall conclusion: clean, suspicious, or malicious. Often shown as a score or color.

2. Detection names
Labels given by antivirus engines (e.g., "Trojan.GenericKD.46543210"). Each vendor uses its own naming scheme.

3. Static analysis
Examination without running the file: file type, size, metadata, embedded strings, imported functions.

4. Dynamic analysis
The file is executed in a sandbox and its behavior is observed: network connections, file changes, registry modifications.

3 Detailed Analysis

Understanding the verdict

Detection ratio

On platforms like VirusTotal, you will see a score like "23/70" meaning 23 out of 70 antivirus engines flagged the file. A high ratio is a strong indicator of malware, but even a low ratio deserves attention.

False positives

Sometimes legitimate software triggers a few detections. If only 1-2 obscure engines flag a file and major engines say it is clean, it may be a false positive. Context matters.

Detection names decoded

Names like "Trojan.Win32.Agent.abc" follow a pattern: [Type].[Platform].[Family].[Variant]. Not all vendors use the same scheme, but the type (Trojan, Worm, Ransom) tells you the malware category.
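The three points above (detection ratio, false positives, and decoding detection names) can be turned into a small triage routine. The following is an added example, not code from the module or from VirusTotal: the engine names, labels, the MAJOR_ENGINES set and the verdict rules are assumptions constructed for illustration; only the "more than 10 engines" threshold and the "1-2 obscure engines" heuristic come from the module text.

```python
# Added example, not part of the module: parsing a VirusTotal-style detection
# summary. Engine names, labels and the "major engine" list are constructed.
from collections import Counter

# Constructed sample: engine name -> detection label, None means "clean"
SAMPLE_DETECTIONS = {
    "EngineA": "Trojan.Win32.Agent.abc",
    "EngineB": "Trojan.GenericKD.46543210",
    "EngineC": None,
    "EngineD": "Ransom.Win32.Locky.gen",
    "EngineE": None,
    "EngineF": "Trojan.Win32.Agent.xyz",
    "EngineG": None,
    "EngineH": None,
}

# Constructed sample: a single obscure hit on an otherwise clean scan
SAMPLE_LONE_HIT = {
    "EngineA": None,
    "EngineB": None,
    "EngineC": None,
    "ObscureEngine": "Heur.Suspicious.gen",
}

# Engines whose opinion is weighted more heavily (assumption for the example)
MAJOR_ENGINES = {"EngineA", "EngineB", "EngineC"}


def parse_detection_name(label):
    """Split a label on dots into [Type].[Platform].[Family].[Variant].

    Only labels with exactly four parts map cleanly. For others the first
    part is still taken as the type (the category the module says to rely
    on) and the remainder is kept raw, since vendors do not share one scheme.
    """
    parts = label.split(".")
    if len(parts) == 4:
        kind, platform, family, variant = parts
        return {"type": kind, "platform": platform, "family": family,
                "variant": variant, "rest": None}
    return {"type": parts[0], "platform": None, "family": None,
            "variant": None, "rest": ".".join(parts[1:]) or None}


def detection_ratio(detections):
    """Return (flagged, total), the numbers behind a '23/70' style score."""
    flagged = sum(1 for label in detections.values() if label)
    return flagged, len(detections)


def assess(detections, major_engines=MAJOR_ENGINES):
    """Turn a detection table into a verdict plus the evidence behind it."""
    flagged, total = detection_ratio(detections)
    flagged_major = sorted(e for e in major_engines if detections.get(e))
    categories = Counter(parse_detection_name(label)["type"]
                         for label in detections.values() if label)
    if flagged == 0:
        verdict = "clean"
    elif flagged > 10:                        # module's red-flag threshold
        verdict = "malicious"
    elif flagged <= 2 and not flagged_major:  # only obscure engines fired
        verdict = "possible false positive"
    else:
        verdict = "suspicious"
    return {
        "ratio": f"{flagged}/{total}",
        "verdict": verdict,
        "flagged_major_engines": flagged_major,
        "categories": dict(categories),
    }


if __name__ == "__main__":
    for name, table in (("sample", SAMPLE_DETECTIONS), ("lone hit", SAMPLE_LONE_HIT)):
        print(name, assess(table))
```

The category tally is the useful part in practice: three engines agreeing on "Trojan" for the same file carries more weight than three unrelated labels, and the parser keeps non-standard labels rather than discarding them.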

Static analysis: what to look for

File metadata

Check the file type, size, creation date, and any embedded metadata. A Word document that is actually a renamed .exe is immediately suspicious.

Embedded strings

Readable text extracted from the file. Look for URLs, IP addresses, registry paths, or suspicious commands. Malware often contains strings related to its functionality.

Imported functions (PE files)

Windows executables import system functions. Functions like CreateRemoteThread, VirtualAllocEx, or WriteProcessMemory suggest code injection capabilities.
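The three static checks above (type versus extension, embedded strings, imported functions) can be run directly on the raw bytes of a file. The following is an added example, not code from the module or from any analysis platform: SAMPLE_FILE is a constructed byte string shaped like a renamed executable, the hostname and IP in it are reserved documentation values, and the import check approximates a real PE import table by scanning for the API names as strings rather than parsing the PE structure.

```python
# Added example, not part of the module: a minimal static triage pass over raw
# file bytes. SAMPLE_FILE is constructed; a real analysis would parse the PE
# import table with a PE parser, here we approximate by scanning strings.
import re

# Magic bytes -> file kind (well-known signatures)
MAGIC = {
    b"MZ": "exe",                 # Windows PE executable
    b"PK\x03\x04": "zip",         # also the container for .docx/.xlsx
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",   # legacy .doc/.xls
}

# Extensions a user would expect to be documents, not executables
DOCUMENT_EXTS = {"doc", "docx", "pdf", "txt", "jpg", "png", "xls", "xlsx"}

# API names the module associates with code injection
INJECTION_APIS = ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"]

URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"HK(?:LM|CU|CR|U|CC|EY_[A-Z_]+)\\\S+")


def detect_type(data):
    """Identify the real file kind from its leading bytes, not its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def static_triage(filename, data):
    """Collect the indicators the module lists for the static section."""
    kind = detect_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = {
        "detected_type": kind,
        "extension": ext,
        # a Word document that is really an executable
        "extension_mismatch": kind == "exe" and ext in DOCUMENT_EXTS,
        "urls": [], "ips": [], "registry_paths": [], "injection_apis": [],
    }
    for s in extract_strings(data):
        findings["urls"] += URL_RE.findall(s)
        findings["ips"] += IP_RE.findall(s)
        findings["registry_paths"] += REG_RE.findall(s)
        findings["injection_apis"] += [api for api in INJECTION_APIS if api in s]
    return findings


# Constructed sample: a renamed executable posing as a Word document.
# Hostname uses the reserved .test TLD, the IP is from TEST-NET-2.
SAMPLE_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\x00"
    b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    b"http://update.example-c2.test/gate.php\x00"
    b"198.51.100.23\x00"
    b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"\x01\x02\x03"
)


if __name__ == "__main__":
    for key, value in static_triage("invoice.docx", SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

The mismatch check relies on the magic bytes because the extension is attacker-controlled; the string scan is deliberately crude and will also pick up version strings that look like IP addresses, so its output is a list of leads to verify, not a verdict.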

Dynamic analysis: behavior under observation

Network activity

Does the file try to connect to external servers? DNS queries, HTTP requests, and outbound connections reveal command-and-control infrastructure.

File system changes

Does it create, modify, or delete files? Dropping executables in temp folders or modifying system files is classic malware behavior.

Registry modifications

On Windows, malware often adds registry keys to survive reboots (persistence). Run keys and scheduled tasks are common targets.

Process activity

Does it spawn child processes, inject code into other programs, or escalate privileges? These behaviors strongly suggest malicious intent.

Try it on mlab.sh

Upload a file to get a full analysis report with detection verdicts, static metadata, and behavioral indicators. Practice reading the same report sections covered in this module.


4 Red Flags

High detection ratio

If more than 10 engines flag a file, it is very likely malicious. Do not open it under any circumstances.

Outbound connections to unknown IPs

If dynamic analysis shows the file contacting external servers, especially on unusual ports, it is likely calling home to a command-and-control server.

Packed or obfuscated code

If the report mentions packers (UPX, Themida) or high entropy sections, the file is trying to hide its true contents. Legitimate software rarely needs this.

Sandbox evasion detected

Some malware checks if it is running in a sandbox and refuses to execute. If the report notes evasion techniques, the file is almost certainly malicious.

Persistence mechanisms

If the file creates startup entries, scheduled tasks, or services, it wants to survive reboots. This is a hallmark of malware aiming for long-term access.
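The behaviors listed under "Dynamic analysis" and the red flags above are what a sandbox report's behavioral section is scored against. The following is an added example, not code from the module or from any sandbox product: the report layout (the `network`, `files_written`, `registry_set`, `processes`, `packer`, `sections` and `evasion_detected` fields), the weights, and the verdict thresholds are assumptions made for this example, and SAMPLE_REPORT and CLEAN_REPORT are constructed. It also computes section entropy so the "high entropy sections" red flag can be checked numerically.

```python
# Added example, not part of the module: scoring the behavioral section of a
# sandbox report against the red flags the module lists. Report layout,
# weights and thresholds are assumptions; both reports are constructed.
import math
from collections import Counter

COMMON_PORTS = {80, 443, 53}
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
TEMP_DIRS = ("\\temp\\", "\\appdata\\local\\temp\\")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
HIGH_ENTROPY = 7.0   # bits per byte; packed or encrypted data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of a section; near 8.0 means packed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_behavior(report):
    """Return (score, flags) from the dynamic-analysis fields of a report."""
    flags = []

    def flag(weight, text):
        flags.append((weight, text))

    # Network activity: any outbound connection counts, unusual ports more
    for conn in report.get("network", []):
        weight = 2 + (1 if conn["port"] not in COMMON_PORTS else 0)
        flag(weight, f"outbound connection to {conn['dst']}:{conn['port']}")

    # File system changes: executables in temp, or touching system files
    for path in report.get("files_written", []):
        low = path.lower()
        if any(d in low for d in TEMP_DIRS) and low.endswith(".exe"):
            flag(2, f"executable dropped in temp folder: {path}")
        elif any(d in low for d in SYSTEM_DIRS):
            flag(2, f"system file modified: {path}")

    # Registry and task/service persistence
    for key in report.get("registry_set", []):
        if any(k in key.lower() for k in PERSISTENCE_KEYS):
            flag(3, f"Run-key persistence: {key}")
    for item in report.get("scheduled_tasks", []) + report.get("services", []):
        flag(3, f"persistence via task/service: {item}")

    # Process activity: injection weighs more than merely spawning a child
    for proc in report.get("processes", []):
        if proc.get("injected_into"):
            flag(3, f"code injected into {proc['injected_into']}")
        elif proc.get("child"):
            flag(1, f"spawned child process {proc['child']}")

    # Packing / obfuscation, by packer name or by section entropy
    if report.get("packer"):
        flag(2, f"packer detected: {report['packer']}")
    for name, data in report.get("sections", {}).items():
        ent = shannon_entropy(data)
        if ent >= HIGH_ENTROPY:
            flag(2, f"high entropy section {name} ({ent:.2f} bits/byte)")

    if report.get("evasion_detected"):
        flag(3, "sandbox evasion detected")

    return sum(w for w, _ in flags), flags


def verdict(score):
    """Assumed thresholds for turning the score into the module's verdicts."""
    if score >= 6:
        return "malicious"
    if score >= 3:
        return "suspicious"
    return "clean" if score == 0 else "low risk"


# Constructed sample report in the hypothetical layout above
SAMPLE_REPORT = {
    "network": [{"dst": "198.51.100.23", "port": 4444},
                {"dst": "update.example-c2.test", "port": 443}],
    "files_written": [r"C:\Users\victim\AppData\Local\Temp\svchost.exe"],
    "registry_set": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
    "processes": [{"parent": "invoice.exe", "child": "cmd.exe", "injected_into": None},
                  {"parent": "invoice.exe", "child": None, "injected_into": "explorer.exe"}],
    "packer": "UPX",
    "sections": {".text": bytes(range(256)) * 4, ".rsrc": b"A" * 1024},
    "evasion_detected": True,
}

CLEAN_REPORT = {
    "network": [],
    "files_written": [r"C:\Users\victim\Documents\notes.txt"],
    "registry_set": [r"HKCU\Software\Example\WindowSize"],
    "processes": [],
    "sections": {".text": b"plain code" * 50},
}

if __name__ == "__main__":
    score, flags = score_behavior(SAMPLE_REPORT)
    print(f"score={score} verdict={verdict(score)}")
    for weight, text in flags:
        print(f"  [{weight}] {text}")
```

The weights encode the module's ordering: persistence, injection and evasion are the strongest single signals, while a child process on its own is weak evidence. Keeping the flag list alongside the score matters for review, since an analyst needs to see which behaviors produced the verdict rather than just the number.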
