Agent mode gives the AI access to a suite of analysis tools that run inside isolated Firecracker microVMs. The agent autonomously selects and chains tools based on your questions and the sample type.
File Info
Extracts comprehensive file metadata including all hash types (MD5, SHA1, SHA256, SHA512, ssdeep, imphash), entropy calculation, file size, and MIME type. This is typically the first tool the agent runs.
YARA Scan
Scans the sample against DECODA’s built-in YARA rulesets and any custom rules you’ve added. Rulesets cover malware families, packer signatures, ransomware indicators, and suspicious API patterns.
Strings Analysis
Extracts printable strings and automatically categorises them into types: URLs, IP addresses, file paths, registry keys, API function names, and more. Supports configurable minimum length.
Terminal Command
Executes shell commands inside the sandbox for ad-hoc analysis. Common commands like hexdump, objdump, readelf, and file are available.
Dangerous commands are blocked: rm -rf /, curl|sh, nc/netcat, sudo, chmod 777, and others. This is enforced at the sandbox level.
Python Code
Runs custom Python scripts with access to analysis libraries. Available packages include:
- pefile — PE header parsing
- lief — Multi-format binary parsing (PE, ELF, Mach-O)
- capstone — Disassembly framework
- oletools — OLE/Office document analysis
- PyCryptodome — Cryptographic operations
- ssdeep — Fuzzy hashing
- flare-floss — String deobfuscation
- yara-python — YARA rule matching
Python module blocking prevents importing subprocess, socket, requests, and ctypes to maintain sandbox isolation.
| Tier | Executions/Session | Max Code Size | Timeout |
|---|
| Free | Not available | — | — |
| Pro | 10 | 10 KB | 60s |
| Max | 25 | 15 KB | 120s |
Ghidra Scripts
22 pre-built Ghidra scripts for binary analysis, running on Ghidra 12.0.1 in headless mode. Available on Pro and Max tiers.
| Script | What It Does |
|---|
| decompile_function | Decompile a specific function by name or address to C-like pseudocode |
| decompile_all | Decompile up to N functions (default: 50), optionally filtering by minimum size |
| find_crypto | Detect cryptographic constants and algorithms (AES, RSA, DES, RC4, SHA, etc.) |
| extract_strings | Context-aware string extraction — shows where strings are referenced in code |
| analyze_imports | List imported functions with optional cross-references and suspicious-only filtering |
| detect_packer | Identify packers/protectors (UPX, Themida, VMProtect, MPRESS, etc.) via entropy and signatures |
| unpack_upx | Attempt UPX unpacking and output the decompressed binary |
| extract_resources | Extract embedded resources (icons, manifests, certificates, data blobs) |
| trace_calls | Trace function call chains from a starting point with configurable depth |
| find_interesting | Heuristic scan for suspicious patterns (anti-debug, injection, persistence, etc.) |
| get_functions | List all functions with size, address, and call count — sortable and filterable |
| generate_iocs | Extract IOCs directly from binary analysis with defanging and confidence filtering |
| get_memory_map | Show memory layout with section entropy and signature detection |
| search_bytes | Search for byte patterns across the binary with context display |
| get_xrefs | Get cross-references to/from a target address or function |
| analyze_control_flow | Generate control flow graphs for functions, showing branches, loops, and conditional paths |
| find_dead_code | Detect unreachable or dead code blocks that may indicate removed functionality or anti-analysis tricks |
| analyze_api_chains | Trace chains of API calls to identify multi-step behaviours (e.g., VirtualAlloc → WriteProcessMemory → CreateRemoteThread) |
| disassemble_at | Disassemble instructions at a specific address with configurable context window |
| read_memory_region | Read raw bytes from a memory region — useful for extracting embedded data or encoded payloads |
| generate_yara | Generate YARA detection rules directly from Ghidra analysis output |
| identify_packer | Identify specific packer versions and configurations through structural analysis |
.NET Analysis
Specialised tools for .NET assemblies using ILSpyCMD 9.1 and monodis. Available on Pro and Max tiers.
| Operation | What It Does |
|---|
| decompile | Full C# decompilation of the assembly |
| decompile_type | Decompile a specific class or type by name |
| disassemble | Raw IL disassembly via monodis |
| disassemble_method | Disassemble a specific method |
| list_types | List all types in the assembly with hierarchy |
| list_methods | List all methods with full signatures |
| list_namespaces | Extract namespace structure |
| extract_metadata | Full metadata extraction (version, references, attributes) |
| detect_obfuscators | Identify ConfuserEx, Dotfuscator, SmartAssembly, .NET Reactor |
| extract_resources | Extract embedded resources |
| extract_rat_configs | Extract configs from known RATs (AsyncRAT, QuasarRAT, AgentTesla, DcRAT) |
| decrypt_strings | Attempt string decryption for common obfuscation patterns |
Cross References
Map function cross-references across the binary. Shows what calls a function and what it calls, helping trace execution flow and identify key routines.
Call Graph
Generate function call graphs showing the relationships between functions. Useful for understanding program structure and identifying central routines.
Crypto Detection
Identify cryptographic algorithms by searching for known constants (S-boxes, round constants, key schedules). Detects AES, DES, RSA, RC4, Blowfish, SHA family, and more.
Python Unpacker
Detect and unpack Python executables built with PyInstaller or py2exe. Uses pyinstxtractor-ng, uncompyle6, and pycdc to recover original Python source code.
Web Search
Real-time threat intelligence enrichment powered by Perplexity’s Sonar model. The agent can search the web during analysis to look up CVE details, malware family documentation, campaign reports, and known indicators.
Example use cases:
- Identifying a malware family from behavioural patterns
- Looking up CVE details referenced in exploit code
- Finding published threat reports about specific indicators
- Checking if observed TTPs match known campaigns
Web Search is available when the platform’s Perplexity API key is configured. Results are treated as untrusted external input — the agent uses them as context but always cross-references with its own analysis findings.
Analysis Skills
On-demand loading of specialised analysis methodologies. When the agent encounters a specific scenario (e.g., a Go binary, a packed sample, or a request for a STIX export), it can load a detailed skill with step-by-step instructions tailored to that task.
Available skills:
| Category | Skills |
|---|
| Analysis | PE deep-dive, Go binary reversing, packed binary unpacking, .NET triage, YARA hunting |
| Techniques | API hashing resolution, C2 configuration extraction, string decryption |
| Reporting | PDF report generation, HTML report generation, STIX 2.1 export |
OLE Analysis
Analyse legacy Office documents and OLE compound files:
| Operation | What It Does |
|---|
| triage | Quick indicators scan via oleid (macros, DDE, suspicious elements) |
| extract_macros | Full VBA macro source code extraction (olevba) |
| analyze_macros | Macro analysis with automatic deobfuscation |
| check_malicious | Heuristic malicious macro detection (mraptor) |
| detect_dde | Find DDE/DDEAUTO formula injection |
| extract_objects | Extract embedded OLE objects |
| extract_rtf_objects | Extract objects from RTF documents (rtfobj) |
PDF Analysis
Inspect PDF structure for malicious content:
| Operation | What It Does |
|---|
| triage | Keyword counting for suspicious elements (/JS, /OpenAction, /AA, /EmbeddedFile) |
| search_javascript | Find and extract JavaScript objects |
| search_openaction | Find auto-execution triggers |
| extract_object | Extract a specific PDF object by ID |
| search_embedded | Find embedded files |
JAR/APK Analysis
Analyse Java archives and Android packages:
| Operation | What It Does |
|---|
| triage | Contents listing + MANIFEST.MF inspection |
| list_classes | List all .class files |
| decompile_cfr | Full decompilation via CFR |
| decompile_jadx | Decompilation with deobfuscation via JADX |
| decompile_class | Decompile a single class |
| disassemble | Bytecode disassembly via javap |
| verify_signature | Verify JAR/APK cryptographic signatures |
Generate IOCs
Extract Indicators of Compromise from the analysis. See the IOC Categories reference for the full list of supported indicator types.
Export formats: JSON, CSV, STIX 2.1
Generate YARA Rule
Create a YARA detection rule based on the sample’s unique characteristics — strings, byte patterns, import patterns, and structural features.
Save Artifact
Save extracted payloads, unpacked binaries, decoded configs, or other analysis artifacts for download. Available on Pro and Max tiers.
| Tier | Artifacts/Session | Max Size |
|---|
| Pro | 5 | 1 MB |
| Max | 20 | 5 MB |
Save Report
Generate a structured threat intelligence report from the current analysis session. Reports can be downloaded in 8 formats including PDF, DOCX, HTML, Markdown, JSON, CSV, XML, and MITRE ATT&CK Navigator layers. See the Reports guide for details on report structure and export formats. 
