Free Automated Malware Analysis Sandboxes and Services
Free hosted malware analysis sandboxes automate the examination of suspicious files, providing capability overviews that help analysts prioritize follow-up work. This curated list includes services like Any.run, Hybrid Analysis, Joe Sandbox, and VirusTotal.
Automated malware analysis tools, such as analysis sandboxes, save time and help with triage during incident response and forensic investigations. They provide an overview of the specimen’s capabilities, so that analysts can decide where to focus their follow-up efforts.
Here is a comprehensive listing of free, hosted services that perform automated malware analysis:
- Any.run (free version): Runs malware in an interactive cloud sandbox with real-time observation
- CAPE Sandbox: Executes malware and extracts payloads and configurations
- Comodo Valkyrie: Analyzes files using static and dynamic methods to deliver a verdict
- FileScan.IO: Examines files using static analysis and code emulation
- Gatewatcher Intelligence: Scans files against multiple antivirus engines and provides threat context
- Hybrid Analysis: Runs malware in a sandbox and generates behavioral analysis reports
- InQuest Labs Deep File Inspection: Inspects files for embedded threats and malicious indicators
- Intezer Analyze (free account with limited scans): Identifies code reuse and similarities with known malware families
- IRIS-H: Analyzes Office documents and PDFs for malicious content
- Joe Sandbox Cloud (Cloud Basic): Executes malware and generates detailed behavioral reports
- Manalyzer: Examines PE file properties using static analysis
- PyLingual: Decompiles Python bytecode into readable source code
- Recorded Future Triage (Individual and researcher licenses): Analyzes malware in a sandbox and extracts configurations
- sandbox.pikker.ee: Runs malware in a sandbox and reports on behavior
- SandBlast Analysis: Examines files using Check Point’s threat emulation technology
- SecondWrite (free tier): Detects evasive malware using forced code execution and program-level analysis
- ThreatZone: Runs files through hypervisor-based dynamic analysis, static analysis, and emulation
- VirusTotal: Checks files against numerous antivirus engines and analysis tools
If you know of another reliable and free service I didn’t list, please let me know. My other lists of free security resources are: “Blocklists of Suspected Malicious IPs and URLs” and “On-Line Tools for Malicious Website Lookups.”
In the malware analysis course I teach at SANS Institute, I explain how to reverse-engineer malicious software in your own lab. It’s a useful skill for incident responders and security practitioners; however, analyzing all software in this manner is impractical without some automated assistance.