Active File Decomposition


ReversingLabs Active File Decomposition (AFD) software automates and accelerates threat detection and analysis of files. This unique technology performs high-speed static analysis to unpack files, extract internal indicators and assign a threat level. Because files are never executed, processing completes in milliseconds, giving faster results and broader coverage than dynamic solutions can achieve. AFD provides APIs for integration with automated workflows, services and products.

  • Manual Static Analysis
    • Hours / file
    • Tool intensive – disassemblers
    • Advanced expertise required
    • Time wasted on repetitive sample unpacking and indicator extraction tasks
  • Active File Decomposition
    • Milliseconds / file
    • Pre-execution analysis
    • Identifies over 3500 format families
    • Complete file analysis
    • Comprehensive (3K+ indicators)
    • Windows, Linux, Mobile, Documents...
    • Cloud-assisted classification
    • Advanced rules
    • YARA & third-party module support
  • Dynamic Analysis
    • Minutes / file
    • Sample controls the analysis
    • Easy evasion by malware
    • Incomplete view of capabilities
    • Limited file types
    • Only the executed control flow is examined

Here's how it works

Active File Decomposition (AFD) combines an array of automated analysis technologies into a ground-breaking solution for detecting and analyzing threats within files. This innovative approach starts with the industry's fastest and most advanced automated static analysis engine, which identifies, de-archives, de-obfuscates and unpacks the underlying object structure (e.g. embedded executables, libraries, documents, resources, icons) and extracts over 3000 Proactive Threat Indicators (PTIs) from the unpacked files. An integrated rules engine classifies the results to calculate the threat level and to route the extracted files for further analysis. Extracted files are repaired so that they can be unpacked further or analyzed with a sandbox, decompiler or debugger. The Proactive Threat Indicators can be stored in a database for subsequent correlation. This information then helps practitioners determine the capabilities and intent of an adversary.

AFD Schema

Active File Decomposition recursively unpacks files, extracts 3K+ threat indicators and calculates a threat level in milliseconds.

AFD, unlike dynamic analysis, does not execute the file; it instead extracts all available compressed and obfuscated data from files and fragments, whether executable or not and whether damaged or not. AFD can screen and pre-process samples to make analysts, traditional analysis tools and automation workflows significantly more efficient and effective. Because samples are not executed, the process can identify and decompose files of any type in milliseconds, regardless of their target OS or platform. It thus overcomes the shortcomings of dynamic analysis while remaining immune to the virtualization and sandbox evasion techniques that malware uses against dynamic analysis. Since AFD is extremely lightweight, it scales easily to process hundreds of thousands of files daily in real time.
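To make the pipeline described under "Here's how it works" and in the paragraph above concrete (identify the format, recursively unpack containers without executing anything, extract indicators from every object, then let a rules engine turn the indicators into a threat level), here is a small static decomposer in Python. It is an added example, not ReversingLabs code, and it calls no AFD API: the magic-byte table, indicator names, rules, weights, the 0-5 level scale and the recursion and size limits are all assumptions made for the illustration, and the sample archive it analyzes is constructed inline. It also shows two edge cases the text calls out, a damaged (truncated) archive and nested containers, which it handles by recording an indicator instead of failing.

```python
import io
import re
import zipfile
import zlib
from dataclasses import dataclass, field

# Format identification by magic bytes. This tiny table is an assumption for the
# example; a real engine recognizes thousands of format families.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
]

URL_RE = re.compile(rb"https?://[A-Za-z0-9./_-]+")
# Hypothetical list of API names whose presence is recorded as an indicator.
SUSPICIOUS_APIS = [b"CreateRemoteThread", b"VirtualAllocEx", b"WriteProcessMemory"]

MAX_DEPTH = 8                 # stop recursing into endlessly nested containers
MAX_MEMBER_BYTES = 50 << 20   # skip members that would expand beyond 50 MiB

def identify(data: bytes) -> str:
    """Return the format family of a buffer, 'unknown' if no magic matches."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def extract_indicators(data: bytes, fmt: str) -> set:
    """Static indicator extraction: nothing here runs the sample."""
    found = set()
    if fmt == "pe":
        found.add("pe_executable")
        if any(api in data for api in SUSPICIOUS_APIS):
            found.add("process_injection_api")
    if URL_RE.search(data):
        found.add("network_url")
    return found

@dataclass
class Node:
    path: str
    fmt: str
    indicators: set
    children: list = field(default_factory=list)

    def all_indicators(self) -> set:
        acc = set(self.indicators)
        for child in self.children:
            acc |= child.all_indicators()
        return acc

def decompose(data: bytes, path: str = "root", depth: int = 0) -> Node:
    """Recursively unpack containers and attach indicators to every object."""
    fmt = identify(data)
    node = Node(path, fmt, extract_indicators(data, fmt))
    if fmt == "zip":
        if depth >= MAX_DEPTH:
            node.indicators.add("max_depth_reached")
            return node
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        node.indicators.add("oversized_member")
                        continue
                    child = decompose(zf.read(info), f"{path}/{info.filename}", depth + 1)
                    node.children.append(child)
        except (zipfile.BadZipFile, zlib.error, EOFError):
            # Damaged archive: keep whatever was recovered and flag it.
            node.indicators.add("damaged_archive")
        if any(c.fmt == "pe" for c in node.children):
            node.indicators.add("archive_contains_executable")
    return node

# Rules engine: (rule name, indicators that must all be present, weight).
RULES = [
    ("executable_inside_archive", {"archive_contains_executable"}, 2),
    ("process_injection_capability", {"pe_executable", "process_injection_api"}, 3),
    ("network_beacon", {"pe_executable", "network_url"}, 1),
    ("damaged_container", {"damaged_archive"}, 1),
]

def classify(root: Node) -> tuple:
    """Return (threat level 0-5, matched rule names) for the whole tree."""
    present = root.all_indicators()
    matched = [name for name, required, _ in RULES if required <= present]
    score = sum(weight for name, _, weight in RULES if name in matched)
    return min(score, 5), matched

def build_sample() -> bytes:
    """Constructed input: a ZIP carrying a note and a fake PE-like blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "see http://example.invalid/update for details")
        fake_pe = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
                   + b"CreateRemoteThread\x00http://example.invalid/beacon\x00")
        zf.writestr("update/payload.exe", fake_pe)
    return buf.getvalue()

if __name__ == "__main__":
    tree = decompose(build_sample())
    level, rules = classify(tree)
    print("threat level", level, "rules", rules)
```

The indicators stay attached to the node where they were found, so a database of `Node.path` and `Node.indicators` records supports the kind of later correlation the text mentions, while `classify` only needs the union of indicators across the tree.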

