The analysis report contains the detailed results of a file submission to the cloud. The Overview tab shows a high-level summary of the file analysis. The Report tab shows key information about the analysis that was performed on the file.
Overview Tab
The overview information is organized in the following sections.
- Analysis Overview
This section provides a summary of the file analysis results. The following data is displayed:
- MD5 hash
- SHA1 hash
- SHA256 hash
- MIME type
- Submission timestamp
- Threat Level
This section starts with a summary of the analysis findings.
For example: The file md5_hash was found to be Malicious.
After the summary, the following data is displayed:
- Risk Assessment
- Maliciousness score: A score out of 100.
- Risk estimate: An estimate of the risk posed by the artifact.
- High: The artifact represents a critical risk and must be addressed as a priority. Such subjects are typically Trojan files or documents that contain exploits, leading to major compromises of the infected system. The risks are multiple, from information leakage to system dysfunction. These risks are partially inferred from the type of activity detected. The score threshold for this category is usually ≥ 70.
- Medium: The artifact represents a long-term risk and must be monitored closely. Such subjects can be a Web page containing suspicious content, potentially leading to drive-by attempts. They can also be adware or fake antivirus products that do not pose an immediate serious threat but can cause issues with the functioning of the system. The score threshold for this category is usually 30–69.
- Low: The artifact is benign and can be ignored. The score threshold for this risk estimate is usually below 30.
- Antivirus class: The antivirus or malware class to which the artifact belongs. For example, Trojan horse, worm, adware, ransomware, spyware, and so on.
- Antivirus family: The antivirus or malware family to which the artifact belongs. For example, valyria, darkside, and so on.
- Analysis Overview
The data is sorted by severity, and includes the following fields:
- Severity: A score between 0 and 100 for the maliciousness of the activities detected during analysis of the artifact. Additional icons indicate the operating systems in which the corresponding activity was observed during the analysis.
- Type: The types of activities detected during analysis of the artifact. These include:
- Autostart: Ability to restart after a machine shutdown.
- Disable: Ability to deactivate critical components of the system.
- Evasion: Ability to evade analysis environment.
- File: Suspicious activity on the file system.
- Memory: Suspicious activity within the system memory.
- Network: Suspicious activity at the network level.
- Reputation: Known source or signed by a reputable organization.
- Settings: Ability to permanently alter critical system settings.
- Signature: Malicious subject identification.
- Steal: Ability to access and potentially leak sensitive information.
- Stealth: Ability to remain unnoticed by users or analysis systems.
- Silenced: Benign subject identification.
- Description: A description corresponding to each type of activity detected during analysis of the artifact.
- ATT&CK TACTICS: The MITRE ATT&CK stage or stages of an attack. Multiple tactics are separated by commas.
- ATT&CK TECHNIQUES: The observed actions or tools a malicious actor might use. Multiple techniques are separated by commas.
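To show how the Overview tab data described above can be used during triage, here is an added Python example; it is not part of this documentation and not the product's own code. It cross-checks a local file's MD5, SHA1 and SHA256 against the hashes shown in Analysis Overview, derives the Risk estimate from the maliciousness score using the thresholds stated in Risk Assessment (≥ 70 High, 30–69 Medium, below 30 Low), and orders the detected activities by Severity while collecting their comma-separated ATT&CK tactics and techniques. The page does not describe an export format, so report fields are modelled as plain Python dicts, and the activity records are constructed for illustration.

```python
import hashlib
from typing import Dict, List

# Risk-estimate thresholds as stated in the Risk Assessment section:
# >= 70 High, 30-69 Medium, below 30 Low.
HIGH_THRESHOLD = 70
MEDIUM_THRESHOLD = 30


def sample_hashes(data: bytes) -> Dict[str, str]:
    """Return the MD5, SHA1 and SHA256 digests shown in Analysis Overview.

    Comparing these against the report confirms that the report describes
    the file actually held locally before any response action is taken."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes, reported: Dict[str, str]) -> bool:
    """True when every hash present in the report matches the local bytes."""
    local = sample_hashes(data)
    return all(local[k] == v.lower() for k, v in reported.items() if k in local)


def risk_estimate(score: int) -> str:
    """Map a maliciousness score (0-100) to the documented Risk estimate."""
    if not 0 <= score <= 100:
        raise ValueError(f"maliciousness score out of range: {score}")
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def split_field(value: str) -> List[str]:
    """ATT&CK tactics and techniques are comma-separated in the report."""
    return [part.strip() for part in value.split(",") if part.strip()]


def triage(score: int, activities: List[dict]) -> dict:
    """Order activities by Severity (highest first) and aggregate ATT&CK data."""
    ordered = sorted(activities, key=lambda a: a["severity"], reverse=True)
    tactics: List[str] = []
    techniques: List[str] = []
    for act in ordered:
        for tactic in split_field(act.get("tactics", "")):
            if tactic not in tactics:
                tactics.append(tactic)
        for technique in split_field(act.get("techniques", "")):
            if technique not in techniques:
                techniques.append(technique)
    return {
        "risk_estimate": risk_estimate(score),
        "activity_types": [a["type"] for a in ordered],
        "top_severity": ordered[0]["severity"] if ordered else None,
        "tactics": tactics,
        "techniques": techniques,
    }


# Constructed activity records modelled on the Type / Severity / ATT&CK fields
# of the report; the values are illustrative, not taken from a real analysis.
SAMPLE_SCORE = 85
SAMPLE_ACTIVITIES = [
    {"type": "Network", "severity": 40, "description": "Suspicious outbound connection",
     "tactics": "Command and Control", "techniques": "T1071"},
    {"type": "Evasion", "severity": 80, "description": "Checks for a sandbox environment",
     "tactics": "Defense Evasion", "techniques": "T1497"},
    {"type": "Autostart", "severity": 65, "description": "Registers a Run key",
     "tactics": "Persistence, Privilege Escalation", "techniques": "T1547.001"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_SCORE, SAMPLE_ACTIVITIES))
    # Empty input is used here only to show the hash cross-check; a real
    # check would read the submitted file's bytes.
    print(matches_report(b"", {"md5": "d41d8cd98f00b204e9800998ecf8427e"}))
```

The hash comparison is the step worth keeping even if nothing else is automated: acting on a report whose hashes do not match the file in hand (for example because the sample was modified or a different copy was submitted) is a common source of mistaken response actions.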
- Additional Artifacts
This section lists additional artifacts (files and URLs) that were observed during the analysis of the submitted sample and that were in turn submitted for in-depth analysis. This section includes the following fields:
- Description: Describes the additional artifact.
- SHA1: The SHA1 hash of the additional artifact.
- Content Type: The MIME type of the additional artifact.
- Score: The maliciousness score of the additional artifact.
- Decoded Command Line Arguments
- If any PowerShell scripts were executed during the analysis, the system decodes these scripts, making their arguments available in a more human-readable form.
- Third-party Tools
- A link to a report on the artifact on the VirusTotal portal.
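The Decoded Command Line Arguments section above does not say how the system performs its decoding. As an added example, not part of this documentation and not the product's code, the following Python shows the general technique an analyst applies by hand to the most common case: a `-EncodedCommand` argument, which PowerShell expects as Base64 over the UTF-16LE bytes of the script (and which powershell.exe also accepts under abbreviated switch names such as `-e`, `-ec` and `-enc`). The command line used as input is constructed; its payload decodes to `Get-Date`.

```python
import base64
import binascii
from typing import List, Optional


def is_encoded_command_flag(token: str) -> bool:
    """Heuristic: powershell.exe accepts abbreviated switch names, so any
    prefix of -EncodedCommand (and the -ec short form) selects it."""
    if not token.startswith(("-", "/")):
        return False
    name = token.lstrip("-/").lower()
    if not name:
        return False
    return name == "ec" or "encodedcommand".startswith(name)


def decode_encoded_command(payload: str) -> Optional[str]:
    """Decode one -EncodedCommand value.

    Returns None when the value is not valid Base64 or does not decode as
    UTF-16LE (for example an odd byte count), so a caller never mistakes
    a broken or non-payload token for script content."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_command_line(argv: List[str]) -> List[str]:
    """Return a copy of argv in which each encoded payload that follows an
    -EncodedCommand style switch is replaced by the decoded script text."""
    out = list(argv)
    for i in range(len(out) - 1):
        if is_encoded_command_flag(out[i]):
            decoded = decode_encoded_command(out[i + 1])
            if decoded is not None:
                out[i + 1] = decoded
    return out


# Constructed sample command line; the Base64 is "Get-Date" in UTF-16LE.
SAMPLE_ARGV = ["powershell.exe", "-NoProfile", "-enc", "RwBlAHQALQBEAGEAdABlAA=="]

if __name__ == "__main__":
    for token in decode_command_line(SAMPLE_ARGV):
        print(token)
```

Two caveats when reading decoded output: the decoded script is frequently still obfuscated (string concatenation, further Base64 via `[Convert]::FromBase64String`, compression), so one decoding pass rarely yields the final payload, and this example handles only the argument form, not Base64 embedded inside a `-Command` string.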
Report Tab
Click the down-arrow on the Report tab and select a report to view. The information in the report varies depending on the type of file that was analyzed.
- Analysis Information
This section contains the following key information about the analysis that the current report refers to:
- Analysis subject: The MD5 hash of the file.
- Analysis type: The type of analysis that was performed:
- Dynamic analysis on Microsoft Windows 10: The analysis subject was run in a virtual Windows 10 environment using the VMware NSX® Network Detection and Response™ sandbox. The system monitors the file behavior and its interactions with the operating system looking for suspicious or malicious indicators.
- Dynamic analysis on Microsoft Windows 7: The analysis subject was run in a virtual Windows 7 environment using the sandbox. The system monitors the file behavior and its interactions with the operating system looking for suspicious or malicious indicators.
- Dynamic analysis in instrumented Chrome browser: The analysis subject (such as an HTML file or URL) was inspected using the instrumented browser, which is based on Google Chrome. The instrumented browser faithfully reproduces the behavior of the real browser and therefore is not easily fingerprinted by malicious content.
- Dynamic analysis in emulated browser: The analysis subject (such as an HTML file or URL) was inspected using the emulated browser. The emulated browser can dynamically emulate different browser "personalities" (for example, changing its user-agent or varying the APIs that it exposes). This capability is useful when analyzing malicious content that targets specific browser types or versions. The drawback of this analysis type is that this browser is less realistic and can possibly be fingerprinted by malicious content.
- Dynamic analysis in simulated file-viewer: The analysis subject (such as a PDF file) was inspected using the simulated file-viewer. The viewer can detect embedded contents and links.
- Archive inflation: The analysis subject (an archive) was inflated, its contents were extracted and, if of an appropriate type, were submitted for analysis.
- Password used: If available, the password that was used in the backend to successfully decrypt the sample is provided.