The Analysis details section displays the actual activities of the analysis subject, as collected by the NSX Advanced Threat Prevention service. An activity is used to determine an assessment of its type.

The following activities are displayed in this Analysis details section.

Activity Type Description
Network activity

Lists all URLs visited during the analysis, as well as additional web content requested or contained by the subject. Each additional URL is recorded together with its content type, the server status code, the server IP address, the response content hashes (MD5 and SHA1), the response content length, and the timing of the request (start time, end time, and duration in milliseconds).

Resources

Lists local resources that were accessed during the URL analysis via the res protocol. Malicious web pages sometimes access local resources to probe the execution environment; for example, to determine if certain programs are installed.

This section is displayed only if resource events were encountered during analysis.

Code execution activity

Lists code that was executed during the analysis. In particular, it displays interesting code that was statically included in a resource (using a <script> tag), and all the code that was dynamically generated and executed during the URL analysis. Malicious code is often generated at runtime in order to bypass static signatures and to make its analysis more complicated.

  • Static JavaScript code: Displayed only if relevant events were encountered during analysis.
  • Dynamic JavaScript code: The report indicates if no events were encountered during analysis.
  • HTML code: Code that has been added to the document dynamically through functions like document.write(). The report indicates if no events were encountered during analysis.

Hidden iframes

Lists hidden HTML tags, such as iframe, that have been detected during the navigation. Hidden elements are sometimes used in compromised pages to pull in malicious code from third-party websites.

This section is displayed only if hidden tags were encountered during analysis.

Memory contents

Lists the strings that were found during the analysis.

This section is displayed only if strings were encountered during analysis.

Textual content

Shows the textual content extracted from a document.

This section is displayed only for PDF analysis, and only if text was found during analysis.

Links in documents

Shows the links that were found in analyzed documents.

This section is displayed only if links were encountered during the analysis.

Plugins

Lists any use of common browser plugins. Calls to these plugins are recorded and the report contains the details about the invoked methods and the passed arguments.

Applets

Shows the Java applets that were downloaded during the URL analysis.

This section is displayed only if applets were found during analysis.

Exploits

The analysis environment has the capability to detect shellcode contained in analysis subjects. Detected shellcode is extracted and included in the report in hexadecimal format.

Shellcode

The analysis environment has the capability to detect shellcode contained in analysis subjects. Detected shellcode is extracted and included in the report in hexadecimal format.

Processes

Lists the processes that were spawned during the URL analysis.

This section is displayed only if spawned processes were found during analysis.

Dropped Files

Lists files that were stored on the system hard disk during the URL analysis.

This section is displayed only if file operations were encountered during analysis.
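
To illustrate what the Hidden iframes row refers to, the following added example (not VMware code and not the service's detection logic) flags embedded frames in a saved page that are hidden from the user and notes whether they load from a third-party host. The hiding heuristics, the function and class names, and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hiding heuristics are assumptions for this example, not the NSX service's rules.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|(?:left|top)\s*:\s*-\d{3,}",
    re.I)
class HiddenFrameFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "embed", "object"):
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if "hidden" in a:
            reasons.append("hidden attribute")
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hiding CSS")
        if not reasons:
            return
        src = a.get("src") or a.get("data", "")
        host = urlparse(src).hostname
        # Relative URLs have no host and are treated as first-party.
        self.findings.append({"tag": tag, "src": src, "reasons": reasons,
                              "third_party": host is not None and host != self.page_host})

def find_hidden_frames(html, page_url):
    finder = HiddenFrameFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample page and URL (reserved example domains).
PAGE_URL = "https://shop.example.test/index.html"
SAMPLE = """
<iframe src="https://video.example.test/embed/1" width="640" height="360"></iframe>
<iframe src="https://cdn.thirdparty.example/landing" width="0" height="0"></iframe>
<iframe src="/ads/local.html" style="position:absolute; left:-9999px"></iframe>
<iframe src="https://tracker.example.net/p" style="visibility: hidden"></iframe>
"""
print(*find_hidden_frames(SAMPLE, PAGE_URL), sep="\n")
```

The visible 640x360 frame is not reported; the three hidden frames are, with the relative `/ads/local.html` source marked as first-party.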