DECODA’s analysis router automatically detects uploaded file types using magic bytes, file headers, and structural analysis. Each type is routed to the most effective tools.
Executable Binaries
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| Native PE | .exe, .dll, .sys, .ocx | MZ header + PE signature | Ghidra (decompilation, disassembly), YARA, strings, Python |
| .NET Assembly | .exe, .dll | BSJB metadata signature, mscoree.dll import | ILSpyCMD (C# decompilation), monodis (IL disassembly), metadata extraction |
| ELF | .elf, .so, .o, no extension | \x7FELF magic | Ghidra, YARA, strings, Python |
| Mach-O | .dylib, .app, no extension | FEEDFACE/FEEDFACF magic | Ghidra, YARA, strings, Python |
| UEFI | .efi | PE with EFI subsystem (10-13) | Ghidra, binwalk, strings |
| Shellcode | .sc, .shellcode, .raw, .bin | No headers + high instruction density (capstone) | Ghidra, capstone disassembly, strings |
| Packed | Any executable | High entropy (>7.5), packer signatures (UPX, Themida, VMProtect, ASPack, MPRESS, .NET Reactor, Enigma, PECompact) | Packer detection, unpacking, then standard tools |
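To make the .NET, UEFI and Packed rows concrete, here is an added Python example (not DECODA's own code) that parses just enough of a PE file to answer the router's questions: the optional-header subsystem (EFI values 10-13), the CLR runtime data directory plus a BSJB scan for managed code, section names left behind by common packers, and per-section Shannon entropy against the 7.5 threshold. The packer section-name list is a short illustrative set rather than DECODA's signature database, and `build_synthetic_pe` plus the sample binaries are constructed for the demonstration: they carry valid headers but are not loadable programs.

```python
import math
import struct

# Short illustrative list of section names left by common packers
# (constructed for this example, not DECODA's signature set).
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2",
    ".vmp0", ".vmp1", ".themida", ".enigma1", ".enigma2",
}
ENTROPY_THRESHOLD = 7.5  # the >7.5 bits/byte rule from the table above
EFI_SUBSYSTEMS = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER",
                  12: "EFI_RUNTIME_DRIVER", 13: "EFI_ROM"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return sum(-(c / n) * math.log2(c / n) for c in counts if c)


def inspect_pe(data: bytes) -> dict:
    """Read the PE fields the routing decisions depend on."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    # Data directory 14 is the CLR runtime header; non-zero means managed code.
    num_rva = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    clr_rva = clr_size = 0
    if num_rva > 14:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + (112 if pe32plus else 96) + 14 * 8)
    sections, packer_hits, high_entropy = [], [], []
    for i in range(num_sections):
        entry = opt + opt_size + i * 40  # section table follows the optional header
        name = data[entry:entry + 8].rstrip(b"\x00").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        ent = round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 2)
        sections.append((name, ent))
        if name in PACKER_SECTION_NAMES:
            packer_hits.append(name)
        if ent > ENTROPY_THRESHOLD:
            high_entropy.append(name)
    return {
        "pe32plus": pe32plus,
        "subsystem": subsystem,
        "uefi_subsystem": EFI_SUBSYSTEMS.get(subsystem),
        "is_dotnet": bool(clr_rva and clr_size) or b"BSJB" in data,
        "sections": sections,
        "packer_sections": packer_hits,
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(packer_hits or high_entropy),
    }


def build_synthetic_pe(sections, subsystem=2, clr=False, pe32plus=False) -> bytes:
    """Constructed minimal PE (valid headers, not loadable) for the demo."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, 16)  # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 14 * 8, 0x2008, 0x48)
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    table, blobs = bytearray(), bytearray()
    for name, content in sections:
        entry = bytearray(40)
        entry[:8] = name.ljust(8, b"\x00")
        struct.pack_into("<IIII", entry, 8, len(content), 0x1000, len(content), raw_ptr)
        table += entry
        blobs += content
        raw_ptr += len(content)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + bytes(table) + bytes(blobs)


if __name__ == "__main__":
    packed = build_synthetic_pe([(b"UPX0", b"\x00" * 64), (b"UPX1", bytes(range(256)) * 16)])
    print(inspect_pe(packed))
    print(inspect_pe(build_synthetic_pe([(b".text", b"BSJB" + b"\x00" * 28)], clr=True)))
    print(inspect_pe(build_synthetic_pe([(b".text", b"\x90" * 32)], subsystem=10, pe32plus=True)))
```

A real router would run this after the MZ/PE magic match and before handing off to Ghidra, so that a packed sample is routed to unpacking first and a managed assembly goes to ILSpyCMD rather than a native decompiler.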
Managed Code
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| Java JAR | .jar | ZIP with META-INF/MANIFEST.MF or .class files | CFR/JADX decompilation, javap disassembly, signature verification |
| Android APK | .apk | ZIP with AndroidManifest.xml | JADX decompilation, manifest analysis, apktool |
| Android DEX | .dex | dex\n magic (0x6465780A) | JADX decompilation |
Documents
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| OLE Documents | .doc, .xls, .ppt | D0CF11E0 OLE compound header | oletools (macros, DDE, embedded objects), mraptor |
| OOXML Documents | .docx, .xlsx, .pptx | ZIP with [Content_Types].xml | oletools, zipinfo |
| PDF | .pdf | %PDF header | pdfid (keyword scanning), pdf-parser (object extraction) |
| OneNote | .one, .onetoc2 | E4525C7B magic | Embedded attachment/script extraction |
Email & Messaging
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| Email (EML) | .eml | RFC 822 mail headers | Header parsing, attachment extraction, phishing indicators |
| Outlook MSG | .msg | OLE with __properties_version1.0 stream | oletools, header parsing, attachment extraction |
Disk Images & Installers
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| ISO | .iso, .img | ISO 9660 / UDF filesystem header | 7z extraction, content analysis |
| VHD/VHDX | .vhd, .vhdx | conectix / vhdxfile magic | 7z extraction, guestfish |
| MSI | .msi | OLE with _Tables/_StringData streams | msiextract/7z, custom action inspection |
| CHM | .chm | ITSF magic (0x49545346) | Embedded script/ActiveX extraction |
Scripts
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| PowerShell | .ps1, .psm1, .psd1 | Text detection + content heuristics | String analysis, deobfuscation, regex |
| VBScript | .vbs, .vbe | Text detection | String analysis, deobfuscation |
| JavaScript | .js, .jse | Text detection | String analysis, deobfuscation |
| Batch | .bat, .cmd | Text detection | String analysis |
| Python | .py, .pyc | Text/bytecode detection | pyinstxtractor (packed), uncompyle6, pycdc |
| HTA | .hta | HTA:APPLICATION tag in HTML | Script extraction, ActiveX reference analysis |
Forensic Artifacts
Forensic file types were added in DECODA v2. They enable investigation of Windows event logs, network traffic, and execution evidence.
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| PCAP/PCAPNG | .pcap, .pcapng, .cap | D4C3B2A1/A1B2C3D4 (PCAP) or 0A0D0D0A (PCAPNG) magic | Python dpkt/scapy for protocol analysis |
| Windows Event Log | .evtx | ElfFile\0 magic (0x456C6646696C6500) | Python python-evtx for event parsing and timeline |
| Registry Hive | NTUSER.DAT, SYSTEM, SOFTWARE, etc. | regf magic (0x72656766) | Python python-registry for hive parsing |
| Prefetch | .pf | MAM compressed header (0x4D414D04) | Python windowsprefetch for execution evidence |
EVTX files begin with ElfFile\0 (0x456C66…), which is distinct from the Linux ELF magic (0x7F454C46). DECODA compares the full 8-byte signature so the two are never confused.
Firmware
| Type | Extensions | Detection | Analysis Tools |
|---|---|---|---|
| UEFI Firmware | .efi, .rom | PE with EFI subsystem values | Ghidra, binwalk |
| Embedded Firmware | .bin, .fw, .img | binwalk heuristics (SquashFS, JFFS2, U-Boot, etc.) | binwalk extraction, Ghidra |
How Detection Works
DECODA uses a multi-stage detection pipeline:
Magic Bytes
The first 4-16 bytes of the file are checked against known signatures (MZ, ELF, PDF, OLE, etc.).
Structural Analysis
For ambiguous types (ZIP-based files, OLE documents), DECODA inspects internal structure to distinguish JAR from OOXML, MSG from OLE, or MSI from Office documents.
Deep Inspection
PE files are checked for .NET metadata (BSJB signature), UEFI subsystems, and packer signatures. Unknown blobs are tested with capstone for shellcode instruction density.
Tool Routing
The detected type determines which tools are recommended, discouraged, and prioritised. This guidance is passed to the AI agent, which makes final tool selection decisions.
Each detection includes a confidence score (0-100):
- 90-100 — High confidence (multiple strong indicators)
- 70-89 — Good confidence (clear magic bytes, valid structure)
- 50-69 — Medium confidence (partial matches, some ambiguity)
- 0-49 — Low confidence (heuristic guesses)
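The pipeline and confidence bands above, together with the EVTX-versus-ELF point from the Forensic Artifacts section, as an added Python example that is not DECODA's code: stage one matches leading bytes against a signature table (the EVTX entry is the full 8-byte ElfFile\0, listed ahead of \x7FELF), stage two inspects ZIP and OLE internals to separate JAR, APK and OOXML, or MSG from other OLE files, and a text fallback covers the HTA tag. Assumptions: the capstone shellcode-density stage is omitted because it needs the capstone package; the OLE stage is a simplified scan for UTF-16LE stream names rather than a full compound-file directory parse; the PowerShell cmdlet regex is a constructed heuristic; and the confidence numbers assigned to each outcome are illustrative choices within the bands listed above. All samples are constructed in memory.

```python
import io
import re
import zipfile
from dataclasses import dataclass

# Stage 1: leading-byte signatures, most specific first. The 8-byte EVTX
# header sits before the 4-byte ELF magic so the full signature is compared.
MAGIC_TABLE = [
    (b"ElfFile\x00", "evtx"),
    (b"\x7fELF", "elf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"dex\n", "dex"),
    (b"regf", "registry_hive"),
    (b"\xd4\xc3\xb2\xa1", "pcap"),
    (b"\xa1\xb2\xc3\xd4", "pcap"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
]

# Stage 2 hints for OLE files: stream names as they appear UTF-16LE-encoded in
# the compound-file directory. MSI stream names are stored in an encoded form,
# so _Tables/_StringData need a real OLE parser such as olefile (not done here).
OLE_STREAM_HINTS = [
    ("__properties_version1.0", "msg"),
    ("WordDocument", "doc"),
    ("Workbook", "xls"),
]


@dataclass
class Detection:
    type: str
    confidence: int  # 0-100, bands as listed above
    reason: str


def confidence_band(score: int) -> str:
    """Map a 0-100 score onto the four bands listed above."""
    if score >= 90:
        return "high"
    if score >= 70:
        return "good"
    if score >= 50:
        return "medium"
    return "low"


def _refine_zip(data: bytes) -> Detection:
    """Distinguish JAR / APK / OOXML by the entries inside the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return Detection("zip", 55, "zip magic but unreadable central directory")
    if "AndroidManifest.xml" in names:
        return Detection("apk", 95, "zip containing AndroidManifest.xml")
    if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
        return Detection("jar", 90, "zip with META-INF/MANIFEST.MF or .class entries")
    if "[Content_Types].xml" in names:
        return Detection("ooxml", 90, "zip with [Content_Types].xml")
    return Detection("zip", 75, "valid zip, no known structural markers")


def _refine_ole(data: bytes) -> Detection:
    for stream, ftype in OLE_STREAM_HINTS:
        if stream.encode("utf-16-le") in data:
            return Detection(ftype, 90, f"OLE header plus '{stream}' stream")
    return Detection("ole", 75, "OLE header, no recognised stream names")


def _text_heuristics(data: bytes) -> Detection:
    """Fallback for files with no binary signature."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return Detection("unknown", 20, "no signature and not UTF-8 text")
    if re.search(r"<hta:application\b", text, re.IGNORECASE):
        return Detection("hta", 85, "HTA:APPLICATION tag in HTML")
    # Constructed heuristic: PowerShell Verb-Noun cmdlet names.
    if re.search(r"\b(?:Invoke|Get|Set|New|Start)-[A-Z]\w+", text):
        return Detection("powershell", 60, "Verb-Noun cmdlet names in text")
    return Detection("text", 40, "plain text, no content heuristics matched")


def detect(data: bytes) -> Detection:
    """Magic bytes first, then structural refinement for ambiguous containers."""
    for sig, ftype in MAGIC_TABLE:
        if data[:len(sig)] == sig:
            if ftype == "zip":
                return _refine_zip(data)
            if ftype == "ole":
                return _refine_ole(data)
            return Detection(ftype, 80, f"magic bytes {sig!r}")
    return _text_heuristics(data)


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # constructed samples, not real files
        "jar": make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}),
        "docx": make_zip({"[Content_Types].xml": b"<Types/>"}),
        "evtx": b"ElfFile\x00" + b"\x00" * 24,
        "elf": b"\x7fELF" + b"\x00" * 28,
        "msg": bytes.fromhex("d0cf11e0a1b11ae1") + "__properties_version1.0".encode("utf-16-le"),
        "hta": b"<html><HTA:APPLICATION id='x'></html>",
    }
    for label, blob in samples.items():
        d = detect(blob)
        print(f"{label:5} -> {d.type:8} {d.confidence:3} {confidence_band(d.confidence):6} {d.reason}")
```

The ordering matters twice: a longer signature must be tested before any shorter prefix it shares, and container formats must always go through the structural stage, since a bare "zip" or "ole" verdict would route an APK or an Outlook MSG to the wrong tools.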