Analysis URL report

The Analysis details section displays the actual activities of the analysis subject as collected by the VMware backend. An activity is used to determine an assessment of its Type. The following activities are displayed in this section:

  • Network activity: Lists all URLs visited during the analysis as well as additional web content requested or contained by the subject. Each additional URL is recorded together with its content type, the server status code, the server IP address, the response content hashes (MD5 and SHA1), the response content length, and the timing of the request (start time, end time, and duration in milliseconds).

  • Resources: Lists local resources that were accessed during the URL analysis via the res protocol. Malicious web pages sometimes access local resources to probe the execution environment; for example, to determine if certain programs are installed.

    This section is displayed only if resource events were encountered during analysis.

  • Code execution activity: Lists code that was executed during the analysis. In particular, it displays interesting code that was statically included in a resource (using a <script> tag), and all the code that was dynamically generated and executed during the URL analysis. Malicious code is often generated at runtime in order to bypass static signatures and to make its analysis more complicated.

    • Static JavaScript code: Displayed only if relevant events were encountered during analysis.

    • Dynamic JavaScript code: The report indicates if no events were encountered during analysis.

    • HTML code: Code that has been added to the document dynamically through functions like document.write(). The report otherwise indicates if no events were encountered during analysis.

  • Hidden iframes: Lists hidden HTML tags, such as iframe, that have been detected during the navigation. Hidden elements are sometimes used in compromised pages to pull in malicious code from third-party websites.

    This section is displayed only if hidden tags were encountered during analysis.

  • Memory contents: Lists strings that were found during the analysis.

    This section is displayed only if strings were encountered during analysis.

  • Textual content: Shows the textual content extracted from a document.

    This section is displayed only for PDF analysis, and only if text was found during analysis.

  • Links in documents: Shows the links that were found in analyzed documents.

    This section is displayed only if links were encountered during analysis.

  • Plugins: Lists any use of common browser plugins. Calls to these plugins are recorded, and the report contains the details of the invoked methods and the passed arguments.

  • Applets: Shows the Java applets that were downloaded during the URL analysis.

    This section is displayed only if applets were found during analysis.

  • Exploits: The analysis environment has the capability to precisely identify known exploits. Detected exploits are included in the report.

  • Shellcode: The analysis environment has the capability to detect shellcode contained in analysis subjects. Detected shellcode is extracted and included in the report in hexadecimal format.

  • Processes: Lists the processes that were spawned during the URL analysis.

    This section is displayed only if spawned processes were found during analysis.

  • Dropped Files: Lists files that were stored on the system hard disk during the URL analysis.

    This section is displayed only if file operations were encountered during analysis.