Runtime sandbox execution · YARA signatures · AST structural analysis · External link detection · Blocked execution scoring
1. Signature Scan — Checked against a library of known malware patterns, obfuscators, and real-world attack techniques including Dean Edwards packer, cookie exfiltration, ActiveX exploits, RC4 encryption, prototype pollution, and control-flow flattening.
3. Structure Analysis — Examines the code structure for suspicious patterns such as heavily disguised variable names, hidden strings, and unusual logic flows. Catches what regex alone cannot.
3. Live Execution — The code is actually executed in a fully isolated environment with no internet access. Intercepts: eval, fetch, XHR, WebSocket, atob/btoa, document.cookie, localStorage, location redirects, pixel trackers, clipboard, crypto API, Worker threads, DOM injection, innerHTML XSS, createElement, postMessage, IndexedDB, fingerprinting probes, and timing attacks.
4. External Links — All URLs found in the code are extracted and listed for manual verification. This analyzer does not access external URLs.
5. Scoring v3 — The sandbox result carries 75% of the weight, YARA 12%, and AST 13%. For large codebases the static (YARA and AST) scores are normalised to reduce false positives. Blocked execution adds up to +30 pts as a strong danger signal.