Agent mode gives the AI access to a suite of analysis tools that run inside isolated Firecracker microVMs. The agent autonomously selects and chains tools based on your questions and the sample type.
File Info
Extracts comprehensive file metadata including all hash types (MD5, SHA1, SHA256, SHA512, ssdeep, imphash), entropy calculation, file size, and MIME type. This is typically the first tool the agent runs.
YARA Scan
Scans the sample against DECODA’s built-in YARA rulesets and any custom rules you’ve added. Rulesets cover malware families, packer signatures, ransomware indicators, and suspicious API patterns.
Strings Analysis
Extracts printable strings and automatically categorises them into types: URLs, IP addresses, file paths, registry keys, API function names, and more. Supports configurable minimum length.
Terminal Command
Executes shell commands inside the sandbox for ad-hoc analysis. Common commands like hexdump, objdump, readelf, and file are available.
Dangerous commands are blocked: rm -rf /, curl|sh, nc/netcat, sudo, chmod 777, and others. This is enforced at the sandbox level.
Python Code
Runs custom Python scripts with access to analysis libraries. Available packages include:
- pefile — PE header parsing
- lief — Multi-format binary parsing (PE, ELF, Mach-O)
- capstone — Disassembly framework
- oletools — OLE/Office document analysis
- PyCryptodome — Cryptographic operations
- ssdeep — Fuzzy hashing
- flare-floss — String deobfuscation
- yara-python — YARA rule matching
Python module blocking prevents importing subprocess, socket, requests, and ctypes to maintain sandbox isolation.
| Tier | Executions/Session | Max Code Size | Timeout |
|---|---|---|---|
| Free | Not available | — | — |
| Analyst | 10 | 10 KB | 60s |
| Professional | 25 | 15 KB | 120s |
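As an added example (not DECODA's own code), this is the kind of script an analyst might submit to the Python Code tool: it parses PE section headers with the standard library alone (inside the sandbox pefile would normally do this) and flags high-entropy sections, the entropy signal that File Info reports and detect_packer relies on. The sample PE bytes, the 7.0 threshold and the UPX1 section name are constructed for the illustration.

```python
import math
import struct

PACKED_THRESHOLD = 7.0  # rule of thumb: compressed or encrypted data approaches 8 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(image: bytes):
    """Return (name, rva, raw_size, entropy) per section, parsed with struct only."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE: missing PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]   # SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    result = []
    for i in range(nsec):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + i * 40)
        data = image[raw_ptr:raw_ptr + raw_size]                 # slicing tolerates truncated files
        result.append((name.rstrip(b"\x00").decode("ascii", "replace"), rva, len(data), shannon_entropy(data)))
    return result

def packer_indicators(image: bytes):
    """Names and entropies of sections that look packed or encrypted."""
    return [(n, round(e, 2)) for n, _rva, _size, e in pe_sections(image) if e >= PACKED_THRESHOLD]

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 with a low-entropy .text and a maximal-entropy UPX1 section."""
    pe_off, opt_size = 0x40, 0xE0
    raw0 = pe_off + 24 + opt_size + 2 * 40                       # raw data follows two section headers
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", pe_off)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)                 # PE32 magic, rest zeroed
    def sec(name, rva, size, ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, rva, size, ptr, 0, 0, 0, 0, 0x60000020)
    text = b"\x55\x8b\xec" * 100 + b"\x00" * 212                 # repetitive code-like bytes
    packed = bytes(range(256)) * 2                               # every byte value twice: exactly 8.0 bits
    return dos + coff + opt + sec(b".text", 0x1000, 512, raw0) + sec(b"UPX1", 0x2000, 512, raw0 + 512) + text + packed

print("packer indicators:", packer_indicators(build_sample_pe()))  # [('UPX1', 8.0)]
```

Replace `build_sample_pe()` with the bytes of the uploaded sample to run it against a real file; anything at or above the threshold is a candidate for detect_packer or unpack_upx.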
Ghidra Scripts
16 pre-built Ghidra scripts for binary analysis, running on Ghidra 12.0.1 in headless mode. Available on Analyst and Professional tiers.
| Script | What It Does |
|---|---|
| decompile_function | Decompile a specific function by name or address to C-like pseudocode |
| decompile_all | Decompile up to N functions (default: 50), optionally filtering by minimum size |
| find_crypto | Detect cryptographic constants and algorithms (AES, RSA, DES, RC4, SHA, etc.) |
| extract_strings | Context-aware string extraction — shows where strings are referenced in code |
| analyze_imports | List imported functions with optional cross-references and suspicious-only filtering |
| detect_packer | Identify packers/protectors (UPX, Themida, VMProtect, MPRESS, etc.) via entropy and signatures |
| unpack_upx | Attempt UPX unpacking and output the decompressed binary |
| extract_resources | Extract embedded resources (icons, manifests, certificates, data blobs) |
| trace_calls | Trace function call chains from a starting point with configurable depth |
| find_interesting | Heuristic scan for suspicious patterns (anti-debug, injection, persistence, etc.) |
| get_functions | List all functions with size, address, and call count — sortable and filterable |
| generate_iocs | Extract IOCs directly from binary analysis with defanging and confidence filtering |
| get_memory_map | Show memory layout with section entropy and signature detection |
| search_bytes | Search for byte patterns across the binary with context display |
| get_xrefs | Get cross-references to/from a target address or function |
Each script has a 180-second timeout, and results are cached by the sample's SHA256.
.NET Analysis
Specialised tools for .NET assemblies using ILSpyCMD 9.1 and monodis:
| Operation | What It Does |
|---|---|
| decompile | Full C# decompilation of the assembly |
| decompile_type | Decompile a specific class or type by name |
| disassemble | Raw IL disassembly via monodis |
| disassemble_method | Disassemble a specific method |
| list_types | List all types in the assembly with hierarchy |
| list_methods | List all methods with full signatures |
| list_namespaces | Extract namespace structure |
| extract_metadata | Full metadata extraction (version, references, attributes) |
| detect_obfuscators | Identify ConfuserEx, Dotfuscator, SmartAssembly, .NET Reactor |
| extract_resources | Extract embedded resources |
| extract_rat_configs | Extract configs from known RATs (AsyncRAT, QuasarRAT, AgentTesla, DcRAT) |
| decrypt_strings | Attempt string decryption for common obfuscation patterns |
Cross References
Map function cross-references across the binary. Shows what calls a function and what it calls, helping trace execution flow and identify key routines.
Call Graph
Generate function call graphs showing the relationships between functions. Useful for understanding program structure and identifying central routines.
Crypto Detection
Identify cryptographic algorithms by searching for known constants (S-boxes, round constants, key schedules). Detects AES, DES, RSA, RC4, Blowfish, SHA family, and more.
Python Unpacker
Detect and unpack Python executables built with PyInstaller or py2exe. Uses pyinstxtractor-ng, uncompyle6, and pycdc to recover original Python source code.
OLE Analysis
Analyse legacy Office documents and OLE compound files:
| Operation | What It Does |
|---|---|
| triage | Quick indicators scan via oleid (macros, DDE, suspicious elements) |
| extract_macros | Full VBA macro source code extraction (olevba) |
| analyze_macros | Macro analysis with automatic deobfuscation |
| check_malicious | Heuristic malicious macro detection (mraptor) |
| detect_dde | Find DDE/DDEAUTO formula injection |
| extract_objects | Extract embedded OLE objects |
| extract_rtf_objects | Extract objects from RTF documents (rtfobj) |
PDF Analysis
Inspect PDF structure for malicious content:
| Operation | What It Does |
|---|---|
| triage | Keyword counting for suspicious elements (/JS, /OpenAction, /AA, /EmbeddedFile) |
| search_javascript | Find and extract JavaScript objects |
| search_openaction | Find auto-execution triggers |
| extract_object | Extract a specific PDF object by ID |
| search_embedded | Find embedded files |
JAR/APK Analysis
Analyse Java archives and Android packages:
| Operation | What It Does |
|---|---|
| triage | Contents listing + MANIFEST.MF inspection |
| list_classes | List all .class files |
| decompile_cfr | Full decompilation via CFR |
| decompile_jadx | Decompilation with deobfuscation via JADX |
| decompile_class | Decompile a single class |
| disassemble | Bytecode disassembly via javap |
| verify_signature | Verify JAR/APK cryptographic signatures |
Generate IOCs
Extract Indicators of Compromise from the analysis. See the IOC Categories reference for the full list of supported indicator types.
Export formats: JSON, CSV, STIX 2.1
Generate YARA Rule
Create a YARA detection rule based on the sample’s unique characteristics — strings, byte patterns, import patterns, and structural features.
Save Artifact
Save extracted payloads, unpacked binaries, decoded configs, or other analysis artifacts for download. Available on Analyst and Professional tiers.
| Tier | Artifacts/Session | Max Size |
|---|---|---|
| Analyst | 5 | 1 MB |
| Professional | 20 | 5 MB |
Save Report
Generate a structured threat intelligence report from the current analysis session. See the Reports guide for details on report structure and export formats.