Every file uploaded to DECODA goes through an automated triage pipeline before you ask a single question. This gives you an immediate baseline of intelligence to work from.

Pipeline Stages

The triage runs asynchronously and you’ll see real-time progress updates in the chat as each stage completes.
1. File Extraction

If the upload is an archive (ZIP, RAR, etc.), DECODA extracts the contents. Zip bomb detection is built in to prevent decompression attacks.
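The zip bomb check described above can be done in two layers: a pre-check on the sizes the archive declares, and a hard budget on the bytes actually decompressed, so an archive whose central directory under-reports its sizes cannot slip past the first layer. The following is an added illustration in Python, not DECODA's own extraction code; the thresholds, the `inspect_zip`/`safe_extract` names and the sample archives are all constructed for the example.

```python
import io
import zipfile

# Thresholds are assumptions chosen for this example, not DECODA's settings.
MAX_ENTRIES = 10_000
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB of declared output
MAX_RATIO = 100.0                            # declared uncompressed : compressed
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".gz")


def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (used to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(data: bytes) -> dict:
    """Layer 1: judge the archive from central-directory metadata only; nothing is inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    ratio = uncompressed / compressed if compressed else (float("inf") if uncompressed else 0.0)
    reasons = []
    if len(infos) > MAX_ENTRIES:
        reasons.append(f"{len(infos)} entries exceeds {MAX_ENTRIES}")
    if uncompressed > MAX_TOTAL_UNCOMPRESSED:
        reasons.append(f"declared output {uncompressed} bytes exceeds {MAX_TOTAL_UNCOMPRESSED}")
    if ratio > MAX_RATIO:
        reasons.append(f"compression ratio {ratio:.0f}:1 exceeds {MAX_RATIO:.0f}:1")
    # Names that would escape a destination directory if written to disk.
    unsafe = [i.filename for i in infos
              if i.filename.startswith(("/", "\\")) or ".." in i.filename.replace("\\", "/").split("/")]
    if unsafe:
        reasons.append(f"unsafe member paths: {unsafe}")
    # Archives inside the archive: the caller should recurse with a depth limit.
    nested = [i.filename for i in infos if i.filename.lower().endswith(ARCHIVE_SUFFIXES)]
    return {"entries": len(infos), "compressed": compressed, "uncompressed": uncompressed,
            "ratio": ratio, "nested_archives": nested, "safe": not reasons, "reasons": reasons}


def safe_extract(data: bytes, budget: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Layer 2: inflate members in chunks and stop when the real output exceeds the budget.
    Declared sizes are not trusted; only bytes actually produced count."""
    files, remaining = {}, budget
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            chunks = []
            with zf.open(info) as fh:
                while True:
                    chunk = fh.read(64 * 1024)
                    if not chunk:
                        break
                    remaining -= len(chunk)
                    if remaining < 0:
                        return {"ok": False, "files": files, "bytes_written": budget - remaining - len(chunk),
                                "error": f"decompression budget of {budget} bytes exceeded while reading {info.filename}"}
                    chunks.append(chunk)
            files[info.filename] = b"".join(chunks)
    return {"ok": True, "files": files, "bytes_written": budget - remaining, "error": None}


# Constructed samples: 8 MiB of zeros deflates to a few KiB (a classic bomb shape),
# while the benign archive holds ordinary, modestly compressible content.
BOMB = make_zip({"zeros.bin": b"\0" * (8 * 1024 * 1024)})
BENIGN = make_zip({"readme.txt": b"DECODA triage example\n" * 20,
                   "notes/report.md": bytes(range(256)) * 8,
                   "inner.zip": make_zip({"a.txt": b"nested"})})

if __name__ == "__main__":
    print(inspect_zip(BOMB))
    print(inspect_zip(BENIGN))
    print(safe_extract(BOMB, budget=1024 * 1024)["error"])
```

The pre-check is cheap and catches the common case; the budgeted read is what actually bounds memory and disk, and it is the check that matters for an archive crafted to misreport its sizes.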
2. Hashing

The file is hashed using five algorithms:
  • MD5 - Legacy identifier, still widely used in threat intel feeds
  • SHA1 - Common in older detection systems
  • SHA256 - Primary identifier for deduplication and lookup
  • ssdeep - Fuzzy hash for finding similar samples
  • imphash - Import hash for PE files, useful for clustering malware families
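To show why SHA256 deduplicates while imphash clusters, here is an added Python example (not DECODA's code) that computes the three cryptographic hashes with the standard library and implements the imphash normalisation used in the community: DLL names lowercased with `.dll`/`.ocx`/`.sys` stripped, function names lowercased, ordinal imports mapped to names where a table exists (otherwise `ordN`), joined as `dll.func` with commas in import-table order, then MD5. The ordinal table here is a small constructed subset for ws2_32 (the reference implementation carries a full table); the sample files and their import lists are constructed. ssdeep needs an external library and is left out.

```python
import hashlib

# Constructed subset of the ordinal-to-name table (assumption: only ws2_32, a few exports).
ORDINAL_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               16: "recv", 19: "send", 23: "socket"},
}


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the raw bytes; SHA256 is the deduplication key."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def normalise_import(dll: str, func) -> str:
    """One import-table entry -> 'dll.func' in imphash form. func may be a name or an ordinal."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    if isinstance(func, int):
        func = ORDINAL_NAMES.get(dll, {}).get(func, f"ord{func}")
    return f"{dll}.{func.lower()}"


def imphash(imports) -> str:
    """imports: iterable of (dll, func) in the order they appear in the import table.
    Order is part of the hash, so a re-linked binary with the same APIs in a new order differs."""
    return hashlib.md5(",".join(normalise_import(d, f) for d, f in imports).encode()).hexdigest()


def cluster_by_imphash(samples: dict) -> dict:
    """Group sample names that share an imphash even though their bytes (and SHA256) differ."""
    groups = {}
    for name, sample in samples.items():
        groups.setdefault(imphash(sample["imports"]), []).append(name)
    return groups


# Constructed samples: A and B are the same tool rebuilt (different bytes, same imports,
# one linking ws2_32 by ordinal); C is unrelated.
SAMPLES = {
    "sample_a.exe": {"bytes": b"MZ-constructed-A",
                     "imports": [("KERNEL32.DLL", "CreateFileA"), ("KERNEL32.DLL", "WriteFile"),
                                 ("WS2_32.DLL", 23), ("WS2_32.DLL", 4)]},
    "sample_b.exe": {"bytes": b"MZ-constructed-B",
                     "imports": [("kernel32.dll", "CreateFileA"), ("kernel32.dll", "WriteFile"),
                                 ("ws2_32.dll", "socket"), ("ws2_32.dll", "connect")]},
    "unrelated.exe": {"bytes": b"MZ-constructed-C",
                      "imports": [("USER32.dll", "MessageBoxA"), ("KERNEL32.DLL", "ExitProcess")]},
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(name, file_hashes(s["bytes"])["sha256"][:16], imphash(s["imports"]))
    print(cluster_by_imphash(SAMPLES))
```

Two caveats worth keeping in mind when reading an imphash on the triage card: binaries that resolve APIs at runtime (via `GetProcAddress` or hashed lookups) expose only a tiny import table, so many unrelated samples collapse onto the same value, and packed samples hash the packer's stub imports rather than the payload's.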
3. YARA Scanning

The sample is scanned against DECODA’s built-in YARA rulesets covering:
  • Known malware families
  • Packer and protector signatures
  • Ransomware indicators
  • Suspicious API patterns
If you’ve added custom YARA rules in your settings, those are applied here too.
4. VirusTotal Lookup

The SHA256 hash is checked against VirusTotal’s database. If there’s a match, you’ll see:
  • Detection ratio (e.g., 45/72 engines detected)
  • Engine-specific labels
  • First and last seen dates
By default, DECODA uses its own platform API key. If you have a paid VirusTotal subscription, you can add your own key in settings for higher rate limits.
5. Binary Classification

DECODA identifies the file type and classifies it into one of 27 categories:
  • native-pe - Native Windows PE (C/C++, Delphi, Rust, etc.)
  • dotnet - .NET assembly (IL bytecode)
  • elf - Linux ELF binary
  • macho - macOS Mach-O binary
  • uefi - UEFI firmware binary (EFI application/driver)
  • shellcode - Raw shellcode blob
  • java-jar - Java JAR archive
  • apk - Android APK/DEX file
  • office-ole - Legacy Office format with OLE streams
  • office-ooxml - Modern Office format (docx, xlsx, pptx)
  • pdf - PDF document
  • onenote - OneNote file with embedded attachments
  • script - Scripts (PowerShell, VBScript, JavaScript, batch, Python)
  • lnk - Windows shortcut file
  • hta - HTML Application file
  • chm - Compiled HTML Help file
  • email - Email file (.eml/.msg)
  • iso - ISO/IMG disk image
  • vhd - VHD/VHDX virtual disk image
  • msi - Windows Installer package
  • firmware - Embedded firmware (router, IoT)
  • pcap - PCAP/PCAPNG network capture
  • evtx - Windows Event Log file
  • registry - Windows Registry hive file
  • prefetch - Windows Prefetch file
  • packed - Packed/protected binary (UPX, Themida, etc.)
  • unknown - Unrecognised format
6. PE Metadata Extraction

For PE files (both native and .NET), additional metadata is extracted:
  • Compilation timestamp - When the binary was compiled (can be faked but often useful)
  • Entry point address - Where execution begins
  • Section table - Names, sizes, and entropy of each section
  • Security flags - ASLR, DEP, SEH, CFG, and other protection mechanisms
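The four items above all come from fixed offsets in the PE headers, so they can be read with nothing more than `struct`. The following is an added Python example, not DECODA's extractor: it walks DOS header, PE signature, COFF header, optional header and section table, computes Shannon entropy per section, and decodes the `DllCharacteristics` bits behind the ASLR/DEP/SEH/CFG flags. The flag values are the standard PE/COFF constants; `build_sample_pe` and the two-section sample image are constructed solely to exercise the parser and are not a runnable executable.

```python
import math
import struct
import time
from collections import Counter

# DllCharacteristics bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE (ASLR)",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT (DEP)",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF (CFG)",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes.
    Sections close to 8.0 usually mean compressed or encrypted content (packers)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_metadata(blob: bytes) -> dict:
    """Extract timestamp, entry point, section table with entropy, and protection flags."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_point = struct.unpack_from("<I", blob, opt + 16)[0]  # AddressOfEntryPoint (RVA)
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]    # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3)})
    present = [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit]
    missing = [n for bit, n in DLL_CHARACTERISTICS.items() if not dll_chars & bit]
    return {"format": "PE32+" if magic == 0x20B else "PE32",
            "compile_timestamp": timestamp,
            "compile_time_utc": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(timestamp)),
            "entry_point": entry_point, "sections": sections,
            "protections_present": present, "protections_missing": missing}


def build_sample_pe(timestamp: int, entry_point: int, dll_chars: int, sections) -> bytes:
    """Constructed minimal PE32 image for the example (headers + raw sections, not executable)."""
    opt_size = 224                                # PE32 optional header incl. 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)         # e_lfanew: PE signature follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<H", opt, 70, dll_chars)
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    table, body, vaddr = bytearray(), bytearray(), 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        vaddr += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(body)


# Constructed sample: a flat NOP-filled .text and a maximally "noisy" section named like a packer's.
SAMPLE_PE = build_sample_pe(timestamp=1700000000, entry_point=0x1000, dll_chars=0x0040 | 0x0100,
                            sections=[(".text", b"\x90" * 512), ("UPX1", bytes(range(256)) * 4)])

if __name__ == "__main__":
    import json
    print(json.dumps(parse_pe_metadata(SAMPLE_PE), indent=2))
```

Entropy is the quickest tell on the section table: a small, low-entropy `.text` next to a large section near 8.0 bits is the shape the classifier's `packed` category is looking for, and the timestamp should be read alongside it, since a compile time in the future or at 1970 is itself a signal that the value was tampered with.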

Reading the Triage Card

Once triage completes, a summary card appears in your chat. Here’s what each section means:

Hashes

All five hash values for the sample. Use the SHA256 to search other threat intel platforms, or the imphash to find related samples.

YARA Matches

Each match shows the rule name and the ruleset it came from. Multiple matches from different rulesets increase confidence in a classification.

VirusTotal Results

The detection ratio tells you how many AV engines flagged the file. A high ratio (30+/70) is a strong signal. A low ratio (1-5/70) may indicate a false positive or a very new sample.
A clean VirusTotal result does not mean the file is safe. New or targeted malware may have zero detections. Always combine VT results with other analysis.

File Classification

The detected type determines which Agent mode tools are most relevant. For example, .NET samples unlock the .NET decompiler tools, while Office documents enable OLE analysis.

Sample Deduplication

DECODA deduplicates samples by SHA256. If you upload a file that’s already been analysed by your account, the existing triage data is reused instantly rather than re-running the pipeline.

Custom YARA Rules

You can add your own YARA rules in settings under the YARA Rules section. Custom rules are applied alongside the built-in rulesets during triage and are also available to the Agent for on-demand scanning.