Malware detonation sandbox | Use
After configuring malware vendors, you can send files and URLs for detonation.
Size limit
You cannot upload files that exceed 15MB in size.
Set up a detonation
From the left sidebar, select Malware Sandbox.
In the pane that opens, select + Create.
Select either File or URL.
If you selected File, drag your file onto the upload box to upload it.
If the file is password protected, check the Password protected box and enter the Password.
If you selected URL, enter the URL you’d like to detonate.
Under Configure detonation details, select the Vendor you’d like to have carry out this detonation.
Check the box to accept the vendor’s terms and conditions and to consent to the payload being shared with the vendor.
Select Submit.
Once the detonation has been carried out, you can open the report by selecting it from the Malware Sandbox page.
Detonation results
A successful detonation will result in one of the following verdicts:
Malicious: The payload was found to contain malware or otherwise malicious code. If the vendor has supplied an analysis, it will detail the threat contained in the payload.
Unknown: The maliciousness of the payload could not be ascertained. Although no malicious code was found, proceed with caution. The file or URL might still cause harm.
Safe: The payload was not found to contain any malicious code. According to the vendor that carried out the detonation, the file or URL can be opened, run, or visited without direct adverse consequences.
Extract intelligence
The detonation may have resulted in information that can be extracted as cyber threat intelligence.
To extract this intelligence:
From the left sidebar, select Malware Sandbox.
Select the detonation you would like to extract the intelligence from.
On the Detonation report tab, select Extract intelligence. A Report entity is now created to represent the detonation. All extracted intelligence objects will be linked to this Report entity.
(Optional) On the Extracted data modal that opens, toggle the Hide known intelligence switch to hide intelligence found in the report that is already present in your platform.
Check the box of all the intelligence objects you’d like to have created in your platform.
You can change their type by using the drop-down menu in their row if you’d like.
(Optional) Select the
in the top-right corner to change the Source and TLP of the Entities to be created, to Add Tags to Entities, or set a Maliciousness for the Observables about to be created.
Select Create to create the selected intelligence objects in your platform.
Download detonation report
To download the detonation report in either JSON or HTML for easy sharing, use the Download button.