Kaspersky Threat Intelligence Portal

File analysis

This section explains how you can submit files for execution in a safe environment that is isolated from your corporate network. Also, the file analysis results available in Kaspersky Threat Intelligence Portal are described.

In this section

Submitting files

Report for analyzed files

Automatically detected file types


Submitting files

By submitting a file to Kaspersky Threat Intelligence Portal, you agree to our Terms of Use and the Privacy Statement.

Before executing a file in Kaspersky Threat Intelligence Portal, you have to upload it.

To submit a file to Kaspersky Threat Intelligence Portal:

  1. Open Kaspersky Threat Intelligence Portal at: https://opentip.kaspersky.com.
  2. In the Analysis section, on the File Analysis tab, select the file that you want to execute by doing one of the following:
    • Click the Add file button, and then select the required file in the window that opens.
    • Drag and drop the required file to the drop zone.

    When the file is selected, its file name and size are displayed.

    The maximum size of a file that can be uploaded and analyzed is 256 MB. If the size of a file exceeds 256 MB, Kaspersky Threat Intelligence Portal displays a corresponding error message.

    The file must not be empty.

    The drop zone is also available if you select the Requests item in the main menu.

  3. If you want to obtain a dynamic analysis report, select the Get a full dynamic analysis report check box. Selecting this check box is required if you plan to obtain a full report for the file using the API.
  4. If you want to analyze the file privately, select the Private submission check box.

    Kaspersky Threat Intelligence Portal allows you to submit objects for analysis privately. Private request results are not displayed on the Public requests tab in the Requests section. For registered users, their private request results are available on the My requests tab.

    However, if an object that you submitted privately was ever submitted publicly by you or another user, then the object analysis results will be added to the Public requests tab and will be available to all Kaspersky Threat Intelligence Portal users.

    Also, if you submit a file for the analysis privately, its hash is not included in the list of public requests, but the Sandbox analysis results will be available to all users who search for the hash of this file.

  5. If necessary, you can cancel the upload of the selected file by clicking the trash can icon.
  6. Click the Analyze button.

File analysis may take up to three minutes. The results are displayed as they become available and can be viewed on the Public requests tab, or on the My requests tab if you submitted the file privately.

If the same file was submitted by another Kaspersky Threat Intelligence Portal user during the past hour, the existing execution results are displayed without starting a new analysis, even if you have exceeded your quota and report limits.

Submitted files are executed according to the parameters described in the table below:

File execution parameters:

  • Execution environment—Microsoft Windows 7 x64. Operating system where the file is executed.
  • Execution time—100 seconds. The uploaded file is executed in the environment for 100 seconds. This time does not include the time required for file analysis and for displaying the results.
  • File type—Automatically defined by Kaspersky Threat Intelligence Portal.

    If you submit a

    or a Portable Document Format file (.PDF), Kaspersky Threat Intelligence Portal attempts to close this file during the analysis (after 50 seconds). If a file of a different format has a name ending with one of these extensions, Kaspersky Threat Intelligence Portal also attempts to close it.

    If you submit a .zip archive, Kaspersky Threat Intelligence Portal attempts to unzip it before execution. An archive can be successfully unzipped only if it contains a single file and is not password protected (or is protected by one of the standard passwords: infected, malware, or virus).

    If unzipping fails, the file is executed as an archive.

  • HTTPS traffic—Decrypted. HTTPS traffic that is generated by the object during execution is decrypted.
  • Internet channel—Auto. An Internet channel is selected automatically; it can belong to any region and does not route traffic through the TOR network.
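As an added example (not part of the portal's documentation or tooling), the following Python function applies the archive rule above to a .zip file before submission: it reports whether the archive holds exactly one file and whether that file is unprotected or protected by one of the standard passwords. It assumes ZipCrypto protection, which the standard zipfile module can decrypt, and that the passwords are tried in the order listed; the sample archives are constructed inline and unencrypted because zipfile cannot write encrypted archives.

```python
import io
import zipfile
import zlib

# Passwords the page says the portal accepts on a protected archive. Assumption:
# they are tried in this order, as bytes; only ZipCrypto protection is handled,
# because that is all the standard zipfile module can decrypt.
STANDARD_PASSWORDS = (b"infected", b"malware", b"virus")


def archive_unzip_outcome(data: bytes) -> dict:
    """Predict whether the portal can unzip an archive before execution, following
    the page's rule: exactly one file inside, and either no password or one of the
    standard passwords. Returns a dict with an "unzipped" flag plus reason/member."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"unzipped": False, "reason": "not a zip archive"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Directory entries carry no data; assumption: the "only one file" rule counts files.
        members = [info for info in zf.infolist() if not info.is_dir()]
        if len(members) != 1:
            return {"unzipped": False,
                    "reason": f"archive contains {len(members)} files, expected exactly 1"}
        member = members[0]
        if not (member.flag_bits & 0x1):        # general-purpose bit 0: entry is encrypted
            return {"unzipped": True, "member": member.filename, "password": None}
        for pwd in STANDARD_PASSWORDS:
            try:
                with zf.open(member, pwd=pwd) as fh:
                    fh.read()   # full read so the CRC check rejects a wrong password
                                # that happened to pass zipfile's 1-byte password check
                return {"unzipped": True, "member": member.filename, "password": pwd.decode()}
            except (RuntimeError, zipfile.BadZipFile, zlib.error):
                continue    # RuntimeError is what zipfile raises for a bad password
        return {"unzipped": False,
                "reason": "password protected with a password other than infected, malware or virus"}


def build_sample_zip(members: dict) -> bytes:
    """Constructed test input: an unencrypted zip with the given name -> content entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    single = build_sample_zip({"sample.exe": b"MZ" + b"\0" * 62})   # constructed, not a real PE
    double = build_sample_zip({"a.exe": b"MZ", "b.dll": b"MZ"})
    for blob in (single, double, b"plain bytes, not an archive"):
        print(archive_unzip_outcome(blob))
```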


Report for analyzed files

After file execution, available analysis results are displayed on the report page.

In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the file is displayed. You can use a desktop version to view the full report.

Depending on the executed file's zone, the MD5 hash and status of the executed file (Malware, Adware and other, Clean, or No threats detected) are displayed on the Report for hash panel in one of the following colors:

  • Red—The executed file can be classified as Malware.
  • Green—The executed file has a Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.
  • Yellow—The executed file is classified as Adware and other (Adware, Pornware, and other programs).

The panel displays the color as soon as file execution completes. Also, the Submit to reanalyze button appears. You can submit the file to Kaspersky experts for analysis result re-validation.

The report page contains the following:

  • Overview—Displays general information about the analyzed file.
  • Detection names—Displays information about detects that are related to the analyzed file and were previously reported in Kaspersky statistics.
  • Dynamic analysis summary—Displays the last file scan date and graphics of detects, suspicious activities, extracted files, and network interactions detected during file execution.
  • Results tab—Displays information about dynamic analysis detects and network rules triggered during analysis of traffic from the executed file. For registered users, execution map, information about suspicious activities, and screenshots are also available.
  • Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
  • Sections that are available for registered users:
    • System activities tab—Displays information about activities that were registered during the file execution.
    • Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
    • Network activities tab—Displays information about network activities that were registered during the file execution.
  • Premium content—Displays sections that contain blurred data about the executed file. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.


Overview

Kaspersky Threat Intelligence Portal provides the following general information about analyzed files:

  • Hits—Number of hits (popularity) of the analyzed file hash detected by Kaspersky expert systems. The number of hits is rounded to the nearest power of 10.
  • First seen—Date and time when the analyzed file hash was first detected by Kaspersky expert systems.
  • Last seen—Date and time when the analyzed file hash was last detected by Kaspersky expert systems.
  • Format—Analyzed file type.
  • Size—Analyzed file size.
  • Signed by—Organization that signed the file hash.
  • Packed by—Packer name (if any).
  • MD5—MD5 hash of the analyzed file.
  • SHA1—SHA1 hash of the analyzed file.
  • SHA256—SHA256 hash of the analyzed file.


Detection names

Kaspersky Threat Intelligence Portal provides the following information about detects related to the analyzed file and previously reported in Kaspersky statistics:

  • Color of the zone that the detect belongs to (red or yellow).
  • Date and time when the detect was last detected by Kaspersky expert systems.
  • Name of the detect. You can click any entry to view its description on the Kaspersky threats website.

Dynamic analysis summary

Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during file execution:

  • Detects—The total number of objects that were detected during file execution and the proportion of objects with Malware (red) or Adware and other (yellow) statuses.
  • Suspicious activities—The total number of suspicious activities registered during file execution and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels.
  • Extracted files—The total number of files that were downloaded or dropped by the file during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to categorize them, in grey).
  • Network activities—The total number of registered network interactions that the file performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey).


Results tab

Kaspersky Threat Intelligence Portal provides information about detected items and activities that were registered during the file execution. For registered users, execution map, information about suspicious activities, and screenshots are also available.

Dynamic analysis detects

Detects that were registered during the file execution.

  • Status—Danger zone (level) associated with the detect (Malware or Adware and other).
  • Name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website.

Triggered network rules

SNORT and Suricata rules that were triggered during analysis of traffic from the executed file.

  • Zone—Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
  • Rule—SNORT or Suricata rule name.

Execution map

Graphically represented sequence of the file activities and relationships between them.

Execution map is available only for registered users.

The root node of the tree represents the executed file. Each tree element is marked according to its danger level (High, Medium, or Low). You can click a tree element to view detailed information. You can also zoom the execution map by scrolling the map area.

Suspicious activities

Suspicious activities registered during the file execution.

This section is available only for registered users.

  • Zone—Danger zone (level) of the registered activity (High, Medium, Low).
  • Severity—Numerical value of the danger level of the registered activity (integer 1–999).
  • Description—Activity description. For example, "Executable has obtained the privilege," "The file has been dropped and executed," or "The process has injected binary code into another process." Certain descriptions contain a mapping to the MITRE ATT&CK threat classification. For example, "MITRE: T1082 System Information Discovery."

Screenshots

Set of screenshots that were taken during the file execution.

Screenshots are available only for registered users.


Static analysis tab

Kaspersky Threat Intelligence Portal provides PE information and information about extracted strings.

PE information

This section displays information about the structure of the executed file in Portable Executable (PE) format, if this information is available.

  • Sections:
    • Name—File section name.
    • Virtual size—Section size.
    • Virtual address—Section's relative virtual address (RVA).
    • Raw size—Section size in the file.
  • Export information:
    • Name—Name of the file.
    • Ordinal—Sequence number of the exported element.
    • RVA—RVA of the exported element.
    • Name—Name of the exported element.
  • Import information:
    • Library—Name of the imported library (.dll).
    • Function—Function name.
    • Ordinal—Sequence number of the imported element.
  • Debug information:
    • Time stamp—Date and time when the debug information was created.
    • Type—Type of the debug information.
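The section fields above come straight from the PE headers. As an added example that is not the portal's own code, the following Python parser reads the four per-section fields the page lists (Name, Virtual size, Virtual address, Raw size) from a PE image, together with the COFF link time stamp and whether the image is a 32-bit or 64-bit executable or DLL, the distinction the automatically detected file types list draws. The sample header is constructed inline and contains no code.

```python
import struct
import time

# Constants from the PE/COFF specification.
IMAGE_FILE_DLL = 0x2000              # COFF Characteristics bit: the image is a DLL
PE32_MAGIC = 0x10B                   # optional header magic for a 32-bit image
PE32PLUS_MAGIC = 0x20B               # optional header magic for a 64-bit image
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_pe(data: bytes) -> dict:
    """Extract the section fields the Static analysis tab lists (Name, Virtual size,
    Virtual address, Raw size), the COFF link time stamp, and the 32/64-bit and
    DLL classification. Raises ValueError for input that is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ (DOS) header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    machine, n_sections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    table = opt + opt_size                                   # section table follows the optional header
    for i in range(n_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, vaddr, raw_size = struct.unpack_from("<8sIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,    # RVA of the section in memory
            "raw_size": raw_size,        # size of the section's data in the file
        })
    return {
        "format": "PE32+" if magic == PE32PLUS_MAGIC else "PE32",
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "machine": machine,
        "link_time_stamp": stamp,        # COFF TimeDateStamp (not the debug directory stamp)
        "link_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(stamp)),
        "sections": sections,
    }


def build_sample_pe64_dll() -> bytes:
    """Constructed input: a minimal PE32+ DLL header with two sections and no code."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> 0x40
    opt_size = 240                                               # standard PE32+ optional header
    # Machine AMD64, 2 sections, link stamp, no symbols, Characteristics = EXE | LARGE_ADDRESS | DLL
    coff_header = struct.pack("<HHIIIHH", 0x8664, 2, 1700000000, 0, 0, opt_size, 0x2022)
    optional = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * (opt_size - 2)
    text = struct.pack(SECTION_HEADER_FMT, b".text", 0x1234, 0x1000, 0x1400, 0x400, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack(SECTION_HEADER_FMT, b".rdata", 0x200, 0x3000, 0x200, 0x1800, 0, 0, 0, 0, 0x40000040)
    return dos_header + b"PE\0\0" + coff_header + optional + text + rdata


if __name__ == "__main__":
    info = parse_pe(build_sample_pe64_dll())
    print(info["format"], "DLL" if info["is_dll"] else "EXE", info["link_time_utc"])
    for s in info["sections"]:
        print(f'{s["name"]:8} vsize={s["virtual_size"]:#x} rva={s["virtual_address"]:#x} raw={s["raw_size"]:#x}')
```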

Extracted strings

This section displays information about strings that were extracted during the file execution.

  • Line—Extracted string (the first 1000 characters).
  • Encoding—List of encodings (UTF-8, UTF-16BE, UTF-16LE, ASCII).


System activities tab

Kaspersky Threat Intelligence Portal provides information about activities that were registered during the file execution.

This tab is available only for registered users.

Loaded PE images

Loaded PE images that were detected during the file execution.

  • Path—Full path to the loaded PE image.
  • Size—Size of the loaded PE image in bytes.

File operations

File operations that were registered during the file execution.

  • Operation—Operation name.
  • Name—Path and name of the file.
  • Size—Size of the file in bytes.

Registry operations

Operations performed on the operating system registry that were detected during the file execution. Operations that have led to suspicious activities are shown first.

  • Operation—Operation name.
  • Details—Operation attributes.

Process operations

Interactions of the file with various processes that were registered during the file execution.

  • Interaction type—Type of interaction between the executed file and a process.
  • Process name—Name of the process that interacted with the executed file.

Synchronize operations

Operations of created synchronization objects (mutual exclusions (mutexes), semaphores, and events) that were registered during the file execution.

  • Type—Type of the created synchronization object.
  • Name—Name of the created synchronization object.


Extracted files tab

Kaspersky Threat Intelligence Portal provides information about files that were extracted from network traffic or saved by the executed file during the execution.

This tab is available only for registered users.

Transferred files

Files that were extracted from network traffic during the file execution.

  • Status—Status of the transferred file (Clean, Adware and other, Malware, Not categorized).
  • MD5—MD5 hash of the transferred file.
  • Traffic—Traffic that the transferred file was extracted from (HTTP or HTTPS).
  • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website.

Dropped files

Files that were saved or changed by the executed file in the operating system.

  • Status—Status of the dropped file (Clean, Adware and other, Malware, Not categorized).
  • MD5—MD5 hash of the dropped file.
  • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click an item to view its description on the Kaspersky threats website.
  • File name—File name of the dropped file.


Network activities tab

Kaspersky Threat Intelligence Portal provides information about network activities that were registered during the file execution.

This tab is available only for registered users.

DNS requests

DNS sessions that were registered during file execution.

  • Status—Status of an object in the DNS request.
  • Type—DNS request type.
  • Response—Contents of the DNS response. Each item is clickable and navigates to investigation results on the Lookup tab.

HTTP(S) requests

HTTP and HTTPS requests that were registered during the file execution.

  • Status—Status of a web address in the HTTP(S) request. The web address can belong to one of the following zones:
    • Dangerous (there are malicious objects related to the web address).
    • Adware and other (there are objects related to the web address that can be classified as not-a-virus).
    • Good (the web address is not malicious).
    • Not categorized (no or not enough information about the web address is available to define the category).
  • Web address—Web address to which the request was registered.
  • Method—Method of sending an HTTP(S) request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
  • Scheme—Web address scheme that identifies the protocol which was used (HTTP or HTTPS).
  • Response code—Response code of the HTTP(S) request.
  • Response length—Size of the response to the HTTP(S) request (in bytes).
  • Fields—Additional fields (Request headers and Response headers) displayed as key:value. Standard header names are based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Custom headers (for example, x-ms-request-id) are highlighted in blue.


Information available to users with Premium Access

Kaspersky Threat Intelligence Portal provides the following detailed information about the submitted file, if available, to users with Premium Access.

Signatures and certificates tab

  • File signatures and certificates—Information about signatures and certificates of the submitted file:
    • Status—Status of the file certificate.
    • Vendor—Owner of the certificate.
    • Publisher—Publisher of the certificate.
    • Signed—Date and time when the certificate was signed.
    • Issued—Date and time when the certificate was issued.
    • Expires—Expiration date of the certificate.
    • Serial number—Serial number of the certificate.
  • Container signatures and certificates—Information about signatures and certificates of the container:
    • Status—Status of the container's certificate.
    • Container MD5—MD5 hash of the container's file.
    • Signed—Date and time when the container's certificate was signed.
    • Issued—Date and time when the container's certificate was issued.
    • Expires—Expiration date of the container's certificate.

Paths tab

  • File paths—Known paths to the file on computers using Kaspersky software:
    • Hits—Number of path detections by Kaspersky expert systems.
    • Path—Path to the submitted file on user computers.
    • Location—Root folder or drive where the submitted file is located on user computers.

Names tab

  • File names—Known names of the file on computers using Kaspersky software:
    • Hits—Number of file name detections by Kaspersky expert systems.
    • File name—Name of the submitted file.

Downloads tab

  • File downloaded from web addresses and domains—Web addresses and domains from which the file was downloaded:
    • Status—Status of web addresses or domains used to download the submitted file.
    • Web address—Web addresses used to download the submitted file.
    • Last downloaded—Date and time when the submitted file was last downloaded from the web address / domain.
    • Domain—Upper domain of the web address used to download the submitted file.
    • IP count—Number of IP addresses that the domain resolves to.

Web addresses tab

  • File accessed the following web addresses—Web addresses accessed by the submitted file:
    • Status—Status of accessed web addresses.
    • Web address—Web addresses accessed by the submitted file.
    • Last accessed—Date and time when the submitted file last accessed the web address.
    • Domain—Upper domain of the web address accessed by the submitted file.
    • IP count—Number of IP addresses that the domain resolves to.

Started objects tab

  • File started the following objects—Objects started by the submitted file:
    • Status—Status of started objects.
    • Hits—Number of times the submitted file started the object, as detected by Kaspersky expert systems.
    • File MD5—MD5 hash of the started object.
    • Location—Root folder or drive where the started object is located on user computers.
    • Path—Path to the object on user computers.
    • File name—Name of the started object.
    • Last started—Date and time when the object was last started by the submitted file.
    • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
  • File was started by the following objects—Objects that started the submitted file:
    • Status—Status of objects that started the submitted file.
    • Hits—Number of times the submitted file was started, as detected by Kaspersky expert systems.
    • File MD5—MD5 hash of the object that started the submitted file.
    • Location—Root folder or drive where the object is located on user computers.
    • Path—Path to the object on user computers.
    • File name—Name of the object that started the submitted file.
    • Last started—Date and time when the submitted file was last started.
    • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Downloaded objects tab

  • File downloaded the following objects—Objects downloaded by the submitted file:
    • Status—Status of downloaded objects.
    • Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems.
    • File MD5—MD5 hash of the downloaded object.
    • Location—Root folder or drive where the downloaded object is located on user computers.
    • Path—Path to the downloaded object on user computers.
    • File name—Name of the downloaded object.
    • Last downloaded—Date and time when the object was last downloaded by the submitted file.
    • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
  • File was downloaded by the following objects—Objects that downloaded the submitted file:
    • Status—Status of objects that downloaded the submitted file.
    • Hits—Number of times the submitted file was downloaded, as detected by Kaspersky expert systems.
    • File MD5—MD5 hash of the object that downloaded the submitted file.
    • Location—Root folder or drive where the object is located on user computers.
    • File name—Name of the object that downloaded the submitted file.
    • Path—Path to the object on user computers.
    • Last downloaded—Date and time when the submitted file was last downloaded.
    • Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).


Automatically detected file types

Kaspersky Threat Intelligence Portal attempts to automatically detect the type of a file to be executed.

Possible file types are provided below. The list of file types can be modified during a component update.

  • Microsoft Word document
  • Microsoft Word Open XML Macro-Enabled document
  • Microsoft Word Open XML Format document
  • Microsoft Word file template
  • Microsoft Word Open XML document template
  • Java Archive file
  • JavaScript file
  • Encoded JavaScript file
  • Shortcut file used by Microsoft Windows to point to an executable file
  • Microsoft Windows Installer Package
  • Adobe Portable Document Format
  • Portable Executable format for executable for 64-bit operating systems
  • Portable Executable format for Control Panel files for 64-bit operating systems
  • Portable Executable format for dynamic-link libraries (DLL) for 64-bit operating systems
  • Portable Executable format for services for 64-bit operating systems
  • Portable Executable format for executable for MS-DOS and Windows operating systems
  • Portable Executable format for Control Panel files
  • Portable Executable format for Dynamic-link libraries (DLL)
  • Portable Executable format for services
  • Microsoft PowerPoint Open XML Macro-Enabled presentation template
  • Microsoft PowerPoint Open XML presentation template
  • Add-in file used by Microsoft PowerPoint
  • Microsoft PowerPoint Open XML Macro-Enabled slide show
  • Microsoft PowerPoint Open XML slide show
  • Microsoft PowerPoint presentation
  • Microsoft PowerPoint Open XML Macro-Enabled presentation
  • Microsoft PowerPoint Open XML Presentation
  • Microsoft Publisher document
  • Rich Text Format file
  • Shockwave Flash Movie file
  • VBScript Encoded Script file
  • VBScript file
  • Microsoft Visio Drawing
  • Windows Script file
  • Microsoft Excel Open XML Macro-Enabled Add-In
  • Microsoft Excel Spreadsheet
  • Microsoft Excel Binary Spreadsheet
  • Microsoft Excel Open XML Macro-Enabled Spreadsheet
  • Microsoft Excel Open XML Spreadsheet
  • Microsoft Excel Open XML Macro-Enabled Spreadsheet Template
  • Microsoft Excel Open XML Spreadsheet Template