Vile Analyziz

How to Analyze a Suspicious File: Step by Step

You’ve received a suspicious file. Maybe a coworker forwarded it, maybe it arrived as an email attachment, or maybe it appeared on a shared drive with no explanation. You need to decide quickly: is this file safe to open?

This guide walks you through the process of analyzing any file from upload to verdict. No installation required, no account needed for your first analysis.

Step 1: Upload the File

Navigate to the file upload page and drag your file onto the upload area, or click to browse your filesystem. The platform accepts over 200 file types, including executables, documents, scripts, archives, packages, and more. There’s no need to worry about whether your file format is supported - if it’s a file type that could pose a security risk, the platform handles it.

Once you drop the file, it’s uploaded securely and the analysis begins automatically. You’ll see a progress indicator while the platform processes the file through multiple analysis engines.

Step 2: Wait for Analysis

During analysis, the platform performs threat detection, extracts metadata, identifies the software publisher, classifies the file into a canonical category, evaluates code signatures, and computes the composite trust score. For archive files, inner contents are extracted and analyzed individually.

The page updates automatically when results are ready - no need to refresh.

Step 3: Read the Overview Tab

The overview tab is your starting point. At the top, you’ll see the trust score - a 0-100 composite rating displayed as a radial gauge. The color coding gives you an instant read:

  • Green (75-100): High trust. The file has valid signatures, a reputable publisher, no detections, and a low-risk category.
  • Yellow (50-74): Moderate trust. One or more dimensions show elevated risk. Review the sub-scores before proceeding.
  • Orange (25-49): Low trust. Multiple risk factors are present. Investigate further before allowing this file.
  • Red (0-24): Very low trust. Significant risk indicators detected. Treat with extreme caution.

Below the score, you’ll find the file’s metadata: file name, size, type, hash values, and the identified software category (e.g., “Remote Access Tool,” “Office Suite,” “System Utility”).
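The metadata the overview tab lists (name, size, type, hashes) is the same data a defender can compute locally before uploading anything, which is useful when you want to look a file up by hash first or check whether its extension matches what the bytes actually are. The following Python is an added example and not the platform's own code; the magic-byte table and the extension-to-type map are assumptions kept deliberately small, and the sample inputs are constructed in memory.

```python
import hashlib
from dataclasses import dataclass

# Assumed magic-byte prefixes -> canonical type label (hypothetical, not the platform's list)
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),            # also .docx/.xlsx/.pptx/.jar
    (b"\xd0\xcf\x11\xe0", "OLE compound document"),  # legacy .doc/.xls
    (b"#!", "script"),
]

# Assumed mapping from extension to the type its bytes should sniff as
EXPECTED_BY_EXT = {
    "exe": "PE executable", "dll": "PE executable", "scr": "PE executable",
    "pdf": "PDF document",
    "zip": "ZIP archive", "docx": "ZIP archive", "xlsx": "ZIP archive",
    "doc": "OLE compound document", "xls": "OLE compound document",
    "sh": "script",
}


@dataclass
class FileMetadata:
    name: str
    size: int
    sniffed_type: str
    extension_mismatch: bool
    md5: str
    sha1: str
    sha256: str


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes rather than by extension."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def inspect_bytes(name: str, data: bytes) -> FileMetadata:
    """Compute the overview-style metadata for an in-memory file."""
    sniffed = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED_BY_EXT.get(ext)
    # A mismatch (e.g. a ".pdf" whose bytes start with "MZ") is itself a signal worth noting
    mismatch = expected is not None and expected != sniffed
    return FileMetadata(
        name=name,
        size=len(data),
        sniffed_type=sniffed,
        extension_mismatch=mismatch,
        md5=hashlib.md5(data).hexdigest(),
        sha1=hashlib.sha1(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
    )


if __name__ == "__main__":
    # Constructed sample: an "invoice.pdf" that is really a PE header followed by padding
    sample = b"MZ" + b"\x00" * 62
    meta = inspect_bytes("invoice.pdf", sample)
    print(meta)
```

Run it on real input by reading the file in binary mode and passing the bytes to `inspect_bytes`; the `sha256` value is what you would use to check a file's reputation without uploading it.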

Step 4: Check Threat Signals

The threat signals section shows the results of pattern-matching and behavioral analysis. Each signal includes a severity level and a description of what was detected. Common signals include:

  • Detection matches: Patterns matched against known malware families or suspicious code sequences.
  • Behavioral indicators: Capabilities the file possesses, such as network access, file system modification, registry manipulation, or privilege escalation.
  • Embedded content: Macros, scripts, or other executable content found inside documents or archives.

Not every signal means the file is dangerous. A legitimate installer will show file system modification and registry access because that’s what installers do. Context matters - which is why the trust score weighs signals against other dimensions rather than treating each one as a standalone verdict.

Step 5: Review Vendor Information

The vendor section shows you who published the software. This includes the company name, industry, headquarters location, and any relevant security history. If the publisher has experienced known security incidents, those are displayed here.

For signed files, you’ll also see the certificate details: issuer, subject, validity period, and whether the signature is intact. An expired or revoked certificate is a significant red flag even if the file itself appears benign.

Step 6: Interpret the Trust Score

Click on the trust score to expand the sub-score breakdown. You’ll see five independently weighted dimensions, each with its own label, score, and description:

  1. Threat Detection: How clean is the file from a detection standpoint?
  2. Code Signatures: Is the file properly signed with a valid certificate?
  3. Category Risk: How risky is this type of software in general?
  4. Vendor Reputation: How trustworthy is the publisher?
  5. Metadata Quality: Does the file have complete, consistent metadata?

The breakdown lets you understand exactly why the file scored the way it did. A file might have a mediocre overall score because of one weak dimension - the breakdown tells you which one and lets you decide whether that matters for your use case.

Step 7: Make Your Decision

With the full analysis in front of you, you can make an informed decision:

  • High trust + known vendor: Safe to proceed. Consider adding the file to your sanctioned apps list to streamline future approvals.
  • Moderate trust + mixed signals: Proceed with caution. Verify the file source independently and consider running it in a sandbox first.
  • Low trust or unknown vendor: Do not proceed without further investigation. Contact the sender to verify the file’s legitimacy.
  • Active detections: Block the file and report it to your security team. Do not open it on a production machine.
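To make the relationship between the five sub-scores (Step 6), the colour bands (Step 3) and the decision rules (Step 7) concrete, here is an added Python example of a weighted composite score with a breakdown and a triage decision. It is not the platform's code: the page does not publish the weights, so the ones below are assumed, and the only rules encoded are the four listed above.

```python
from dataclasses import dataclass

# Assumed weights per dimension (hypothetical; the page does not state the platform's weights).
# Names follow the five dimensions listed in Step 6.
WEIGHTS = {
    "threat_detection": 0.35,
    "code_signatures": 0.25,
    "category_risk": 0.15,
    "vendor_reputation": 0.15,
    "metadata_quality": 0.10,
}

# Colour bands from Step 3: lower bound -> label
BANDS = [(75, "green"), (50, "yellow"), (25, "orange"), (0, "red")]


@dataclass
class TrustReport:
    score: int
    band: str
    weakest_dimension: str
    weakest_value: int
    decision: str


def composite_score(sub_scores: dict) -> int:
    """Weighted 0-100 composite over all five dimensions; every dimension is required."""
    missing = set(WEIGHTS) - set(sub_scores)
    if missing:
        raise ValueError(f"missing sub-scores: {sorted(missing)}")
    for name, value in sub_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} out of range: {value}")
    return round(sum(WEIGHTS[n] * sub_scores[n] for n in WEIGHTS))


def color_band(score: int) -> str:
    for lower, label in BANDS:
        if score >= lower:
            return label
    raise ValueError(f"score out of range: {score}")


def weakest_dimension(sub_scores: dict):
    """The breakdown's purpose: which single dimension pulled the score down."""
    name = min(WEIGHTS, key=lambda n: sub_scores[n])
    return name, sub_scores[name]


def decide(sub_scores: dict, vendor_known: bool, active_detections: bool) -> TrustReport:
    """Apply the Step 7 rules in order; active detections override everything else."""
    score = composite_score(sub_scores)
    band = color_band(score)
    weak_name, weak_value = weakest_dimension(sub_scores)
    if active_detections:
        decision = "block and report"          # never open on a production machine
    elif band == "green" and vendor_known:
        decision = "allow"                     # candidate for the sanctioned apps list
    elif band == "yellow" and vendor_known:
        decision = "sandbox and verify source" # moderate trust, mixed signals
    else:
        decision = "investigate"               # low trust or unknown vendor
    return TrustReport(score, band, weak_name, weak_value, decision)


if __name__ == "__main__":
    # Constructed sample: clean, well-signed file from a known vendor
    signed = {"threat_detection": 100, "code_signatures": 90, "category_risk": 80,
              "vendor_reputation": 85, "metadata_quality": 70}
    print(decide(signed, vendor_known=True, active_detections=False))
    # Constructed sample: clean but unsigned; the breakdown points at code_signatures
    unsigned = {"threat_detection": 100, "code_signatures": 20, "category_risk": 60,
                "vendor_reputation": 40, "metadata_quality": 80}
    print(decide(unsigned, vendor_known=True, active_detections=False))
```

The `weakest_dimension` field is the point of the breakdown: the unsigned sample lands in the yellow band solely because of its signature sub-score, which is the kind of information that lets you judge whether the weak dimension matters for your use case.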

What’s Next?

The free tier gives you 50 analyses per month - enough for personal use or occasional file checks. If your team needs to analyze files regularly, the Pro and Business tiers add team management, endpoint agents, API access, and approval policies that automate the decision-making process described above.

The goal is simple: never open a file you haven’t analyzed. With automated analysis just a drag-and-drop away, there’s no reason to skip it.
