Sandboxes are synonymous with dynamic malware evaluation. They assist to execute malicious information in a secure digital atmosphere and observe their habits. Nonetheless, in addition they provide loads of worth when it comes to static evaluation. See these 5 situations the place a sandbox can show to be a great tool in your investigations.
Detecting Threats in PDFs
PDF information are incessantly exploited by risk actors to ship payloads. Static evaluation in a sandbox makes it potential to reveal any risk a malicious PDF incorporates by extracting its construction.
The presence of JavaScript or Bash scripts can reveal a potential mechanism for downloading and executing malware.
Sandboxes like ANY.RUN additionally permits customers to scrutinize URLs present in PDFs to determine suspicious domains, potential command and management (C2) servers, or different indicators of compromise.
Instance:
 |
| Static evaluation of a PDF file in ANY.RUN |
Interactivity permits our customers to control information inside a VM as they want, however static Discovery gives much more alternatives.
As a part of this evaluation session, the static module lists a number of URLs that may be discovered contained in the PDF. To analyze them, we will submit every of those for additional sandbox evaluation by merely clicking a corresponding button.
See how static and dynamic evaluation within the ANY.RUN sandbox can profit your safety staff.
E-book a private demo of the service right now!
Exposing LNK Abuse
LNK information are shortcuts that direct to an executable file, a doc, or a folder. A sandbox can present a clear view of the LNK file’s properties, corresponding to its goal path, icon location, and any embedded instructions or scripts.
Viewing instructions in LNK information can reveal makes an attempt to launch malicious software program or connect with distant servers.
Static evaluation in a sandbox is especially helpful in figuring out threats that don’t spawn a brand new course of. These will be troublesome to detect by dynamic evaluation alone.
Instance:
 |
| The command line arguments proven within the static module reveal malicious exercise |
Analyzing the contents of LNK information may also help you detect assaults earlier than they start.
In this sandbox session, we will uncover each element concerning the LNK file, together with its command line arguments which present that the file is configured to obtain and execute a payload from a malicious URL.
Investigating Spam and Phishing Emails
Electronic mail stays one of the frequent vectors for malware distribution. A sandbox helps you to add an e-mail file to the service and analyze it safely to identify spam and hidden malicious components quicker and with none threat to your infrastructure.
A sandbox reveals an e-mail preview and lists metadata and Indicators of Compromise (IOCs). You’ll be able to study the content material of the e-mail with out opening it and examine the metadata that gives details about the e-mail’s origin, timestamps, and different related particulars.
The ANY.RUN sandbox additionally integrates RSPAMD, an open-source module that assigns a phishing rating to every analyzed e-mail and shows all of its components utilizing these options:
- Header Evaluation: Examines e-mail headers for sender authenticity and anomalies.
- Popularity Checks: Identifies identified spam/malware sources utilizing DNSBLs and URIBLs.
- Bayesian Filtering: Classifies emails based mostly on probabilistic evaluation.
In ANY.RUN, you may transfer past static evaluation and work together with the e-mail straight such as you would by yourself pc. This implies you may obtain and open attachments, together with password-protected ones, or comply with by the whole phishing assault, ranging from the preliminary hyperlink.
Instance:
 |
| Particulars of an .eml file static evaluation |
All content material inside EMAIL information is extracted and made accessible by static evaluation within the sandbox, permitting customers to view particulars about it even with out accessing the VM itself.
In this evaluation session, we will observe a .RAR attachment which accompanies the e-mail. On condition that one of many information situated within this archive is an executable named “Commercial Invoice PDF”, we will immediately assume its malicious nature.
To research the executable, we will merely click on the “Submit to analyze” button and launch a brand new sandbox session.
Analyzing Suspicious Workplace Paperwork
Microsoft Workplace paperwork, corresponding to Phrase, Excel, and PowerPoint ones, are one of many main safety dangers in each company and private settings. Sandbox static evaluation will be employed to scrutinize numerous components of such paperwork with out opening them. These embody:
- Content material: Sandbox static evaluation lets you study the doc’s content material for indicators of social engineering techniques, phishing makes an attempt, or suspicious hyperlinks.
- Macros: Attackers typically exploit Visible Primary for Functions (VBA) code in Workplace paperwork to automate malicious duties. These duties can vary from downloading and executing malware to stealing delicate information. ANY.RUN reveals the whole execution chain of the script, enabling you to check it step-by-step.
- Photos and QR Codes: Steganography methods let attackers conceal code inside photos. Sandbox static evaluation is able to extracting this hidden information. QR codes embedded inside paperwork may additionally include malicious hyperlinks. A sandbox can decode these and expose the potential threats.
- Metadata: Details about the doc’s creation, modification, creator, and so forth. may also help you perceive the doc’s origin.
Instance:
 |
| The sandbox can present a preview of Workplace information |
Microsoft Workplace information are available in numerous codecs, and analyzing their inside construction can typically be difficult. Static Discovery for Workplace information means that you can study macros without having extra instruments.
All embedded information, together with photos, scripts, and executable information, are additionally accessible for additional evaluation. QR codes are detected throughout static evaluation, and customers can submit a brand new activity that opens the content material encoded in these codes, corresponding to URLs.
In this session, static evaluation makes it potential to see that the analyzed .pptx file incorporates a .zip archive.
Wanting Inside Malicious Archives
Archives like ZIP, tar.gz, .bz2, and RAR are incessantly used as means to bypass fundamental detection strategies. A sandbox atmosphere offers a secure and remoted house to research these information.
As an example, sandboxes can unpack archives to disclose their contents, together with executable information, scripts, and different doubtlessly malicious parts. These information can then be analyzed utilizing the built-in static module to reveal their threats.
Instance:
 |
| ZIP file construction displayed within the static evaluation window |
In ANY.RUN, customers can submit information for brand spanking new evaluation straight from archived information from the static discovery window. This eliminates the necessity to obtain or manually unpack them inside a VM.
On this evaluation session, we as soon as once more see an archive with information that may be studied one after the other to find out whether or not any extra evaluation is required.
Conduct Static and Dynamic Evaluation in ANY.RUN
ANY.RUN is a cloud-based sandbox with superior static and dynamic evaluation capabilities. The service helps you to scan suspicious information and hyperlinks and get the primary outcomes on their risk stage in below 40 seconds. It offers you a real-time overview of the community visitors, registry actions, and processes occurring throughout malware execution, highlighting malicious habits and the techniques, methods, and procedures (TTPs).
ANY.RUN offers you with full management over the VM, making it potential to work together with the digital atmosphere identical to on a regular pc. The sandbox generates complete experiences that characteristic key risk info, together with indicators of compromise (IOCs).
Begin utilizing ANY.RUN right now without cost and revel in limitless malware evaluation in Home windows and Linux VMs.
