Every file uploaded to DECODA goes through an automated triage pipeline before you ask a single question. This gives you an immediate baseline of intelligence to work from.

Pipeline Stages

The triage runs asynchronously and you’ll see real-time progress updates in the chat as each stage completes.
1. File Extraction

If the upload is an archive (ZIP, RAR, etc.), DECODA extracts the contents. Zip bomb detection is built in to prevent decompression attacks.
2. Hashing

The file is hashed using five algorithms:
  • MD5 - Legacy identifier, still widely used in threat intel feeds
  • SHA1 - Common in older detection systems
  • SHA256 - Primary identifier for deduplication and lookup
  • ssdeep - Fuzzy hash for finding similar samples
  • imphash - Import hash for PE files, useful for clustering malware families
3. YARA Scanning

The sample is scanned against DECODA’s built-in YARA rulesets covering:
  • Known malware families
  • Packer and protector signatures
  • Ransomware indicators
  • Suspicious API patterns
If you’ve added custom YARA rules in your settings, those are applied here too.
4. VirusTotal Lookup

The SHA256 hash is checked against VirusTotal’s database. If there’s a match, you’ll see:
  • Detection ratio (e.g., 45/72 engines detected)
  • Engine-specific labels
  • First and last seen dates
By default, DECODA uses its own platform API key. If you have a paid VirusTotal subscription, you can add your own key in settings for higher rate limits.
5. Binary Classification

DECODA identifies the file type and classifies it into one of these categories (type - description):
  • native-pe - Native Windows PE (C/C++, Delphi, etc.)
  • dotnet - .NET assembly
  • elf - Linux ELF binary
  • macho - macOS Mach-O binary
  • office-ole - Legacy Office format with OLE streams
  • office-ooxml - Modern Office format (docx, xlsx, pptx)
  • pdf - PDF document
  • script - Scripts (PowerShell, VBScript, JavaScript, batch)
  • java-jar - Java JAR archive
  • packed - Packed/protected binary (UPX, Themida, etc.)
  • unknown - Unrecognised format
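To make these categories concrete, here is an added example (not DECODA's own classifier) that maps raw bytes to the labels above using public file-format magic values: it separates native-pe from dotnet by checking the CLR runtime header data directory, and office-ooxml from java-jar by their mandatory ZIP member names. The script and packed categories are left out because they need content heuristics and section analysis rather than a header check; the build_pe and build_zip helpers produce constructed minimal samples for offline testing.

```python
import io
import struct
import zipfile

# Public file-format magic values (a constructed table for this example, not DECODA's own).
MAGICS = [(b"\x7fELF", "elf"), (b"%PDF-", "pdf"), (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office-ole"),
          (b"\xcf\xfa\xed\xfe", "macho"), (b"\xce\xfa\xed\xfe", "macho")]  # Mach-O 64/32-bit; fat magic 0xCAFEBABE omitted, Java .class shares it

def _pe_kind(data: bytes):
    # 'dotnet' when data directory 14 (the CLR runtime header) is populated, otherwise 'native-pe'.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt = data[pe_off + 24:pe_off + 264].ljust(240, b"\0")  # optional header follows sig (4) + COFF (20); zero-pad if truncated
    dirs = 96 if struct.unpack_from("<H", opt)[0] == 0x10B else 112  # PE32 vs PE32+ data directory offset
    clr_rva = struct.unpack_from("<I", opt, dirs + 14 * 8)[0]
    return "dotnet" if clr_rva else "native-pe"

def _zip_kind(data: bytes) -> str:
    # OOXML and JAR are both ZIP containers; their mandatory member names tell them apart.
    try:
        names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" in names:
        return "office-ooxml"
    return "java-jar" if "META-INF/MANIFEST.MF" in names else "unknown"  # plain archive: the extraction stage handles it

def classify(data: bytes) -> str:
    pe = _pe_kind(data)
    if pe:
        return pe
    if data[:4] == b"PK\x03\x04":
        return _zip_kind(data)
    return next((label for magic, label in MAGICS if data.startswith(magic)), "unknown")

# Constructed minimal samples (headers only, no code) for exercising the classifier offline.
def build_pe(dotnet: bool) -> bytes:
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 72)  # CLR header RVA and size
    return (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # DOS header with e_lfanew = 0x40
            + b"PE\0\0" + b"\0" * 20                       # PE signature + COFF file header
            + struct.pack("<H", 0x10B) + b"\0" * 94 + bytes(dirs))  # PE32 optional header

def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```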
6. PE Metadata Extraction

For PE files (both native and .NET), additional metadata is extracted:
  • Compilation timestamp - When the binary was compiled (can be faked but often useful)
  • Entry point address - Where execution begins
  • Section table - Names, sizes, and entropy of each section
  • Security flags - ASLR, DEP, SEH, CFG, and other protection mechanisms

Reading the Triage Card

Once triage completes, a summary card appears in your chat. Here’s what each section means:

Hashes

All five hash values for the sample. Use the SHA256 to search other threat intel platforms, or the imphash to find related samples.

YARA Matches

Each match shows the rule name and the ruleset it came from. Multiple matches from different rulesets increase confidence in a classification.

VirusTotal Results

The detection ratio tells you how many AV engines flagged the file. A high ratio (30+/70) is a strong signal. A low ratio (1-5/70) may indicate a false positive or a very new sample.
A clean VirusTotal result does not mean the file is safe. New or targeted malware may have zero detections. Always combine VT results with other analysis.

File Classification

The detected type determines which Agent mode tools are most relevant. For example, .NET samples unlock the .NET decompiler tools, while Office documents enable OLE analysis.

Sample Deduplication

DECODA deduplicates samples by SHA256. If you upload a file that’s already been analysed by your account, the existing triage data is reused instantly rather than re-running the pipeline.

Custom YARA Rules

You can add your own YARA rules in settings under the YARA Rules section. Custom rules are applied alongside the built-in rulesets during triage and are also available to the Agent for on-demand scanning.