File Analysis Approaches
ReversingLabs products use three complementary approaches to file analysis, each with different speed, depth, and infrastructure requirements. Understanding these helps teams design efficient security pipelines.
Hash reputation lookup
A hash reputation lookup sends a file's cryptographic hash (MD5, SHA1, or SHA256) to a threat intelligence service and retrieves a pre-computed verdict. No file content is transmitted.
How it works: The hash is compared against a database of previously analyzed files. If a match is found, the stored verdict and analysis report are returned immediately. If no match exists, the service returns an unknown result.
Speed: Milliseconds — network round-trip only.
Depth: Limited to files previously seen and analyzed. Unknown or new files return no verdict.
Used in: Spectra Intelligence TCA-0101 File Reputation API, and File Inspection Engine with the --with-threat-details option.
Best for: High-volume triage of common file types, enriching security alerts with known-bad indicators, first-pass filtering before deeper analysis.
Full static analysis
Full static analysis submits a file for deep inspection: unpacking, format parsing, indicator extraction, and classification scoring — all without executing the file.
How it works: Spectra Core recursively unpacks containers and archives, parses over 400 file formats, extracts metadata and behavioral indicators, and assigns a risk score. The result includes a detailed report with MITRE ATT&CK mappings.
Speed: Seconds per file for most formats; up to minutes for complex nested archives.
Depth: Comprehensive structural and indicator analysis. Detects obfuscation, packed payloads, embedded threats, and known malware patterns.
Used in: All ReversingLabs products. Spectra Detect and File Inspection Engine use static analysis for inline scanning. Spectra Analyze and Spectra Intelligence provide full static analysis reports via API.
Best for: Thorough triage, compliance scanning, detecting embedded malware in archives, building threat intelligence on new samples.
Sandbox execution (dynamic analysis)
Sandbox execution runs a file in an isolated virtual environment and records its behavior: network connections, file system changes, registry modifications, and process activity.
How it works: The file is executed in a controlled OS environment. All system calls and network activity are monitored and logged. Results include behavioral indicators, network IOCs, and dropped files.
Speed: Minutes per sample (execution time plus analysis).
Depth: Reveals runtime behavior invisible to static analysis — including C2 communication, in-memory decryption, and sandbox-aware code paths.
Used in: Spectra Analyze supports sandbox integration for behavioral analysis of samples flagged during static analysis.
Best for: Deep investigation of suspicious or unknown samples, hunting for C2 infrastructure, analyzing evasive or obfuscated malware.
Comparison
| Criterion | Hash Lookup | Static Analysis | Sandbox Execution |
|---|---|---|---|
| Speed | Milliseconds | Seconds | Minutes |
| Throughput | Billions/day | Millions/day | Hundreds/day |
| File transmitted | No (hash only) | Yes | Yes |
| Works on new files | No | Yes | Yes |
| Behavioral indicators | No | Limited | Yes |
| Network IOCs | From stored data | Limited | Yes |
| Infrastructure | Cloud API | On-prem or cloud | On-prem sandbox |
Choosing the right approach
Use these approaches in combination for efficient security pipelines:
- Hash lookup first — Instantly resolve known-good and known-bad files using Spectra Intelligence. Skip deeper analysis for confirmed verdicts.
- Static analysis for unknowns — Submit files with unknown hashes for Spectra Core analysis. Catches new malware variants and embedded threats that hash lookup misses.
- Sandbox for high-priority unknowns — Route suspicious static analysis results to sandbox execution in Spectra Analyze for behavioral confirmation.
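The three-step pipeline above as a tiered dispatcher, added here as an illustration (it is not ReversingLabs code and does not call the Spectra APIs): the reputation table, static scorer and sandbox runner are constructed stand-ins, and the dispatcher goes one step beyond the text by writing each final verdict back under the file's hash so a repeat submission resolves at the hash-lookup tier.

```python
import hashlib


class TieredTriage:
    """Hash lookup -> static analysis -> sandbox, stopping at the first confident verdict."""

    def __init__(self, reputation, static_scorer, sandbox_runner, sandbox_threshold=7):
        self.reputation = reputation          # sha256 hex -> "known_good" / "known_bad"
        self.static_scorer = static_scorer    # bytes -> risk score 0..10 (no execution)
        self.sandbox_runner = sandbox_runner  # bytes -> "benign" / "malicious"
        self.sandbox_threshold = sandbox_threshold

    def triage(self, data: bytes) -> tuple[str, str]:
        digest = hashlib.sha256(data).hexdigest()
        # Tier 1: only the digest is sent, never the content; a confirmed verdict ends here.
        verdict = self.reputation.get(digest)
        if verdict in ("known_good", "known_bad"):
            return verdict, "hash_lookup"
        # Tier 2: unknown hash, so the content is inspected without being executed.
        score = self.static_scorer(data)
        if score >= self.sandbox_threshold:
            # Tier 3: a suspicious static result is routed to sandbox execution.
            verdict, tier = self.sandbox_runner(data), "sandbox"
        else:
            verdict, tier = "benign", "static_analysis"
        # Feed the verdict back so the next copy of this file resolves at tier 1.
        self.reputation[digest] = "known_bad" if verdict == "malicious" else "known_good"
        return verdict, tier


# Constructed samples and stand-in analyzers (hypothetical, not Spectra Core or a real
# sandbox); "packed.bin" and "dropper.bin" are byte-identical on purpose.
SAMPLES = {
    "installer.exe": b"well-known installer bytes",
    "clean.txt": b"quarterly report, nothing unusual",
    "packed.bin": b"MZ UPX! stub that decrypts itself in memory",
    "dropper.bin": b"MZ UPX! stub that decrypts itself in memory",
}

def demo_static_scorer(data: bytes) -> int:
    hits = sum(ind in data for ind in (b"UPX!", b"decrypts", b"in memory"))
    return min(10, 3 * hits)  # constructed scoring: three indicator hits -> 9

def demo_sandbox(data: bytes) -> str:
    return "malicious" if b"decrypts itself" in data else "benign"

def run_demo() -> list[tuple[str, str, str]]:
    # Pre-seed the reputation table with one known-good digest, as a lookup service would hold.
    reputation = {hashlib.sha256(SAMPLES["installer.exe"]).hexdigest(): "known_good"}
    triage = TieredTriage(reputation, demo_static_scorer, demo_sandbox)
    return [(name, *triage.triage(data)) for name, data in SAMPLES.items()]
```

Running `run_demo()` shows each sample resolving at a different tier, with the duplicate dropper never reaching static analysis because the first copy's sandbox verdict was cached under its hash.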
Key takeaways
- Hash lookup is fastest but only works for previously seen files
- Static analysis provides deep coverage without execution risk and scales well
- Sandbox execution adds behavioral depth for evasive or unknown threats
- ReversingLabs products support all three approaches, designed to work together