Online malware analysis services



Thread author

I have collected a list of online malware analysis services and have decided to share this collection with you. These services can assist you if you need results to a sample (static/dynamic or both) and do not have the time to manually analyse the sample, or if you become stuck whilst analysing a sample and want to check the results of an online service to explore something in the sample. :)

If you are not aware about how these services work, these services allow you to upload the file of your choice and this file is then submitted to their server. On their side the file (e.g. Portable Executable) is executed in an isolated environment where all its behaviour is monitored. Eventually the analysis will end and this could be due to the submitted executable crashing, terminating itself (finished executing) or if the service has a time-out to end the analysis session after a certain period of time to prevent the analysis going on forever and never ending. Once the analysis of the submission has successfully completed you will be presented the logged results of the analysis which will tell you how the sample behaved whilst within the isolated environment (the different activities it attempted to carry out). Most of the time these services include results for static analysis also, such as imported functions and which libraries they are from, if the sample has been found to be packed, and so on.

Usually (at least on services like malwr) it will pin-point suspicious activity which it finds key to malicious activity. To explain this better, malwr service works via sandboxing the submission with the Cuckoo sandbox. Therefore, if the sample checks if it’s being isolated within Cuckoo and attempts to escape the sandbox power then malwr will note this activity occurred clearly on the analysis results, which is definitely an example of something which an honest and clean application shouldn’t be doing.

Before I list a bunch of services, I should put a few warnings in place for those who are not already aware:
  • Some malware analysis services (such as will allow you to download samples uploaded by other people. I highly recommend that you do not do this unless you know what you are doing since you can end up infecting yourself if you accidentally execute the sample on your host system (assuming the sample is malicious and not just a safe submission someone wanted analysis on).
  • A lot of malware is capable of detecting when they are being executed within an isolated environment (e.g. being executed within a sandbox where the actions are being controlled to restrict it). A lot of online virtualisation services will be able to identify when a sample is checking for virtualisation/sandbox presence and will log for the final results however new methods for anti-vm/anti-sandbox are being created all the time by malware authors and it is technically possible for an online service to fail to detect the behaviour in some situations. Therefore, keep an open eye out!
  • If you do decide to download a sample someone else had submitted if the service you are using allows you to do this for analysis purposes, make sure that you are protected when you perform analysis on the sample (I am referring to dynamic analysis). By the use of “protected” I am referring to using a proper set-up analysis environment so your host OS doesn’t become compromised, and also making sure other protection is setup. For example, to prevent your real IP being leaked in the case of the sample opening connections to a host, use VPN (Virtual Private Network) – the last thing you want is a malware author obtaining your real IP address!

Services which support PE files (Portable Executables):
Malwr - Malware Analysis by Cuckoo Sandbox
Free Automated Malware Analysis Service - powered by VxStream Sandbox
Deepviz - Analyze
Automated Malware Analysis - Joe Sandbox Cloud

Cuckoo Sandbox supports executables, document exploits, Java applets, etc. Therefore, they should work for submissions with any service which uses Cuckoo as its method of isolation (since not all services may necessarily have their own sandbox but may use a third-party sandbox which is open source… Like Cuckoo).

Services which support APK files (Android applications):
Free Automated Malware Analysis - APK Analyzer

If you wish to analyse documents only (e.g. MS Office documents or Adobe documents) then you can try to use this service: Free Automated Malware Analysis - Document Analyzer (also by Joe Sandbox Cloud which was referenced above a few times for the PE/APK analysis).

For online automated analysis of Linux binaries you can try to use this service: detux - The Linux Sandbox

If you are getting a large amount of sample submissions on a regular basis, then it may not be practical to go through and analyse every single one of those samples manually. Therefore, in this scenario you can attempt to use online malware analysis automated services to help you! This is not a bad thing to do and in no way does it make you “silly”, even security vendors like Avira use automated analysis to help them! If you do not believe me then feel free to check this post on their blog which was published back in 2014: Cuckoo Sandbox vs. Reality - Avira Blog

Thank you for reading and hopefully this can be helpful for you. ;)
Last edited by a moderator:


Thread author

Did you check what each service supports ?

Some emulation services only support a limited amount of emulation - e.g. network connects, Windows function calls, etc.

Do any of them openly and fully state what their emulation supports ?


Thread author

Did you check what each service supports ?

Some emulation services only support a limited amount of emulation - e.g. network connects, Windows function calls, etc.

Do any of them openly and fully state what their emulation supports ?
Sorry I am afraid not. However services like Deepviz still work similarly since it monitors things like registry/file usage, processes, network communication, etc. However, I still would recommend malwr or HA without doubt over the other alternates... At the end of the day I do not think that the online analysis service should be always used over manual analysis but in some circumstances it can be really beneficial (e.g. stuck whilst doing manual analysis and check if the online service can get further info that you failed to get / if you have many sample submissions then you can use the online analysis to help you speed up your work). :)

There was another online analysis service known as Anbubis but now it is closed down :( Anubis: Analyzing Unknown Binaries

If I remember correctly Hybrid-Analysis is actually very good in terms of dealing with Anti-VM/Anti-Sandbox malware compared to other online sandboxing analysis services. Correct me if I am wrong though.

Most of those services are for checking if the submitted sample is detected by supported AV/AM engines as opposed to analysing the sample in an isolated environment whilst recording the behaviour and then reporting back the findings (except the Comodo services listed there). :)


Thread author
These online services for the automatic analysis are useful but they have some limits, and also I often use Malwr to compare the results of my analysis.

An advantage that this method offers is the speed of analysis and this is due to the fact that the work is carried out in automatic way to report the results of the test.
Yes, the system analyzes if the process acts on the registry, on which parts of the file system it accesses, and what system API it uses and if it uses the network to send, receive data, or to propagate itself.

But from experience keep in mind that the analysis is effective primarily for simple malware and not for full malware analysis test.

For example, I had difficulty to compare my test results with those on Malwr especially about PE packers because, often, the STUB uses its own IAT (often with a few functions such as GetProcAddress, LoadLibraryA, and VirtualAlloc), once the decompression in memory, the IAT is filled with the entry of the original executable, so the static analysis is useless because it is necessary first to remove the compression protection layer and, once you have analyzed the layout of the PE, it is necessary to identify the packer used.
But the code/data of the original must be in memory to be used and to be able to perform the unpacking, you have to know the exact time in which the data are present in memory because it is possible that the data are present in memory only for a short time.
Then it is possible reach the entry point of the original (OEP) and dump the process, change the pe header to restore the entry point, and restore a valid IAT.
Quite difficult sometimes but you have to perform a manual analysis for correct results.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.