We utilize artificial intelligence for site translations, and while we strive for accuracy, they may not always be 100% precise. Your understanding is appreciated.

MetaDefender Sandbox

AI-driven analysis that quickly detects even the most evasive malware. With multi-layered, lightning-fast detection and adaptive threat analysis, it provides the deep insights needed to protect critical assets from zero-day attacks.

Next-Gen Approach

Close the gap between static analysis and full-blown VM-based sandboxing systems. Scan thousands of files for malware quickly and simultaneously to defeat every layer of obfuscation and identify valuable IOCs– all with low resource requirements, easy maintenance, and high efficacy.

Adaptive Threat Analysis

Leverage deep static analysis, threat intel, and emulation to stop sophisticated malware.

In-Depth Reporting

Detailed threat reports with actionable IOCs.

Threat Hunting

Built-in search capabilities for advanced hunting.

Flexible Deployment

Works in cloud-native, on-prem, or hybrid environments.

Speed and Accuracy Across the Entire Malware Analysis Pipeline

Add the layers of adaptive threat analysis into your malware analysis pipelines, to enhance your security posture and respond more effectively to evolving threats.

Threat Intelligence

Threat Intelligence

  • Reputation Checks
  • Milliseconds
  • Quickly cross-checks input data against known bad hashes and whitelists.

Deep Static Analysis

Deep Static Analysis

  • Static Fast-Pass
  • Up to a few seconds
  • Conducts initial static analysis in less than a second, bypassing common obfuscation techniques.

Dynamic Fast-Pass

Dynamic Fast-Pass

  • 10 seconds on Average 
  • Uses emulation within a lightweight virtualization layer for fast, adaptive threat detection.
  • Threat Intelligence

    • Reputation Checks
    • Milliseconds
    • Quickly cross-checks input data against known bad hashes and whitelists.
  • Deep Static Analysis

    • Static Fast-Pass
    • Up to a few seconds
    • Conducts initial static analysis in less than a second, bypassing common obfuscation techniques.
  • Dynamic Fast-Pass

    • 10 seconds on Average 
    • Uses emulation within a lightweight virtualization layer for fast, adaptive threat detection.

MetaDefender Sandbox Engine

The following table outlines MetaDefender Sandbox engine feature set. Please contact us to book a technical presentation and get a run-through of all platform features and capabilities.

Comprehensive Sandbox Reporting

Overview of our cybersecurity software's capabilities, including sample analysis, malware family decoding, disassembly unpacking, similarity search, and more.

MetaDefender Sandbox

Synthetic (Fabricated) Sample

This sample stands as a purpose-built example to highlight the diverse capabilities of MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox).

Crafted to show-off real-world cyber threats, embedding multiple files and file-types into each other. This effectively demonstrates our solution's prowess in adaptive threat analysis, behavioral analysis, and advanced security measures.

MetaDefender Sandbox

Geofencing

Malware documents employing geofencing have become a significant threat to cybersecurity. These malicious files often employ location-based triggers, making detection and mitigation a challenging task. However, Adaptive Threat Analysis stands out from traditional approaches by offering the capability to accurately emulate and falsify the expected geolocation values, effectively neutralizing the tactics employed by malware, thus enhancing our ability to protect against such threats.

In the sample provided below, we can observe a geofencing malware attempting to execute exclusively within a specific country. However, our innovative solution successfully bypasses this restriction, as previously mentioned, by emulating the desired geolocation values, demonstrating our superior capability in countering such geofencing-based threats.

MetaDefender Sandbox

Phishing Detection

  • Brand Detection: By rendering suspicious websites and subjecting them to our advanced machine learning engine we're capable of identifying nearly 300 brands. In the example provided below, you can witness a website masquerading as a streaming company known as Netflix. Our solution excels in comparing the site's content to the genuine URL, swiftly identifying such fraudulent attempts to safeguard your digital assets and personal information. Learn more.
  • AI-driven analysis: We have an AI-driven solution analyzing the network traffic, structural and textual content of the rendered page. Verdict of the joint model outcome can be seen after 'ML Web Threat Model'.
MetaDefender Sandbox

Offline URL Reputation

The offline URL detector ML model provides a new layer of defense by effectively detecting suspicious URLs, offering a robust means to identify and mitigate threats posed by malicious links. It leverages a dataset containing hundreds of thousands of URLs, meticulously labeled as either no threat or malicious by reputable vendors, to assess the feasibility of accurately detecting suspicious URLs through machine learning techniques.

It is important to note that this feature is particularly useful in air-gapped environments where online reputation lookups are not available.

MetaDefender Sandbox

Malware Config Extraction of a Packed Sample

The sample below reveals a malware that was packed using the UPX packing technique. Despite its attempt to evade detection and defenses, our analysis successfully unpacked the payload, exposing its true identity as a Dridex Trojan. We were able to uncover the malware configuration, shedding light on the malicious intent behind this threat, extracting valuable IOCs.

MetaDefender Sandbox

Similarity Search

Employing Similarity Search functionality, sandbox has detected a file remarkably resembling a known malware. Notably, this file had been previously marked as non-malicious, revealing the potential for false negatives in our security assessments. This discovery empowers us to specifically target and rectify these overlooked threats.

It is important to highlight that Similarity Search is highly valuable for threat research and hunting, as it can help uncover samples from the same malware family or campaign, providing additional IOCs or relevant information about specific threat activities.

MetaDefender Sandbox

Native Executable

Our disassembling engine revealed intriguing findings within the target sample. Surprisingly, this sample monitors the system time using the uncommon <rdtsc> instruction and accesses an internal, undocumented structure in Windows, commonly used for different malicious tricks. These unusual actions raise questions about its purpose and underscore the need for further investigation to assess potential risks to the system.

MetaDefender Sandbox

.NET Executable

The sample under examination was built using .NET framework. While we refrain from displaying the actual CIL, our decompilation process extracts and presents noteworthy information, including strings, registry artifacts, and API calls.

Besides that, we parse the .NET metadata to identify .NET-specific functions and resources. This process allows to extract detailed information about the assembly, such as methods, classes, and embedded resources, which is critical for analyzing the behavior and structure of .NET applications.

MetaDefender Sandbox

Shellcode Emulation

Many application exploits bring their final payload in raw binary format (shellcode), which might be an obstacle when parsing the payload. With our shellcode emulation we are able to discover and analyse the behaviour of the final payload, in this example for a widely leveraged Office vulnerability in the equation editor. Hence opening the door to gathering the relevant IOCs.

MetaDefender Sandbox

Highly Obfuscated VBA Macro

Obfuscated VBA macros present a significant challenge to deliver a reasonable response time of active threats. This unclear code makes the analysis and understanding of threats a high complex task that demands a lot of time and efforts. Our cutting-edge VBA emulation technology is able to overcome these challenges and provides a comprehensive analysis of obfuscated VBA macro together with clear insights into its functionality in seconds.

The analyzed sample is an Excel document with highly obfuscated VBA code that drops and runs a .NET DLL file, together with a LNK file in charge of continuing the malware execution chain. After VBA emulation, MetaDefender Sandbox identifies launched processes and the main deobfuscating function, automatically extracts obfuscated strings and saves dropped files (previously hardcoded and encrypted in the VBA code). This rapidly show the main purpose of the malware and give us the possibility of a further analysis of this threat.

MetaDefender Sandbox

Sandbox Evasion via Task Scheduler

Using Windows Task Scheduler to execute malicious payloads at a later time is a stealthy technique to evade sandbox environments seen in recent threats. It exploits the delay in execution to effectively bypass the short analysis window typical of sandboxes.

The following sample is an obfuscated VBScript that downloads the malicious payload and creates a scheduled task to run it 67 minutes later. Traditional sandboxes maintain the execution for only a few minutes and the malicious behavior would be never exposed. In the other hand, our VBScript emulator is able to detect and overcomes this evasion technique (T1497), adapting the execution environment to continue with further analysis, and getting the full report in 12 seconds.

MetaDefender Sandbox

.NET Reflection

NET Reflection is a powerful feature provided by the .NET framework that allows programs to inspect and manipulate a .NET file structure and behavior at runtime. It enables the examination of assemblies, modules, and types, as well as the ability to dynamically create instances of types, invoke methods, and access fields and properties.

Malware can use reflection to dynamically load and execute code from assemblies that are not referenced at compile time, allowing to fetch additional payloads from remote servers (or hidden in the current file) and execute them without writing them to disk, reducing the risk of detection.

In this case, we can see how the analysed VBScript loads and runs a .NET assembly into memory directly from bytes stored in a Windows register.

MetaDefender Sandbox

XOR Decrypting Payload Stored in PE Resource

This feature enables to reveal hidden artifacts encrypted within PE resources. Malicious artifacts are often encrypted to evade detection and obscure the true intent of the sample. Uncovering these artifacts is essential, as they typically contain critical data (as C2 information) or payloads. By extracting them, the sandbox can deliver a deeper scan, with higher chance of identifying the most valuable IOCs.

This sample stores that encrypted artifacts using the XOR algorithm, simple but efficient to evade detection. By analyzing patterns in the encrypted data, the encryption key can be guessed, allowing to decrypt the hidden.

MetaDefender Sandbox

Evasive Archive Concentration

Attackers use archive concatenation to hide malware by appending multiple archives into a single file, exploiting how different tools process them. This technique creates multiple central directories - key structural elements used by archive managers - causing discrepancies during extraction and enabling the bypass of detection for malicious content hidden in overlooked parts of the archive.

MD Sandbox detects and extracts content from all concatenated archives, ensuring no file is missed and effectively neutralizing this evasive technique.

MetaDefender Sandbox

Mitigating Bloated Executables

Threat actors bloat intentionally executables with junk data to evade detection by exploiting resource limitations and analysis time constraints in sandboxes. This evasion technique looks to overwhelm tools or bypass scans by exceeding time limits.

MD sandbox detects bloated executables early, removes junk data, and processes a smaller file for efficient analysis. This debloating process targets various methods, including junk in overlays, PE sections, and certificates, ensuring accurate detection while conserving original resources.

MetaDefender Sandbox

Document Targeting Critical Infrastructures

This Office document targets critical infrastructure in Iran (with content in Persian) to steal sensitive information, such as credentials and documents, and periodically takes screenshots, potentially for espionage purposes.

After establishing persistence, it performs a stealthy initial internet connectivity check (against a trusted domain like google.com) to ensure a reliable connection, delaying further actions until network conditions allow the attack to proceed. This is a tactic commonly observed in attacks on critical infrastructure, environments where internet access may be intermittent or restricted.

MetaDefender Sandbox

Evasion Through Corrupted OOXML (Office) Documents

Researchers discovered intentionally corrupted OOXML documents (modern office documents). By modifying the binary content near the internal file headers, the purposely broken files may be misdetected as ZIP files by automatic scans which will attempt to extract compressed files.

Document viewers will automatically repair the document upon opening. At this point, despite the document containing phishing content, it may have effectively bypassed defenses. Automated analysis will not be able to read its content and therefore miss the relevant indicators.

MetaDefender Sandbox

Google DKIM Replay Attack Detection

Email authentication mechanisms like SPF, DKIM, and DMARC are essential, but sophisticated attackers can sometimes bypass them. This example showcases a scenario where an email, despite being authentically signed by Google and passing standard checks, was identified as malicious by MetaDefender Sandbox.

MetaDefender Sandbox detected several anomalies along with other indicators:

  • DKIM Boundary Violation: Identified content added beyond the scope of the DKIM signature.
  • Obfuscation Techniques: Detected excessive whitespace used to hide malicious intent.
  • Phishing Patterns: Recognized urgent calls-to-action characteristic of phishing attempts.
  • Header Analysis: Flagged anomalies in email headers associated with OAuth application abuse.
MetaDefender Sandbox

ClickFix, a Trending Social Engineering Technique

ClickFix is an emerging web-based threat that leverages social engineering to silently trick users into executing malicious commands. Unlike traditional phishing, ClickFix operates through deceptive UX elements and clipboard manipulation rather than file downloads or credential theft.

The ClickFix website presents a fake reCAPTCHA or "bot protection" screen to appear legitimate. The user is then asked to verify themselves—often through a harmless-looking interaction—while, in the background, obfuscated JavaScript code silently runs. This script dynamically decodes a malicious command and copies it directly to the system clipboard. Next, the user is presented with misleading instructions and guide to execute the malware, unaware of the danger.

ClickFix highlights how simple web techniques, combined with user deception, can effectively bypass traditional security layers—making sandbox analysis critical for uncovering stealthy, low-footprint attacks like this one.

MetaDefender Sandbox analyses this threat end-to-end. The sandbox begins by rendering the malicious URL and applying phishing detection models to identify suspicious content. It then extracts and emulates the JavaScript, simulating user actions to reach the critical moment when the clipboard is modified. Once the hidden command is captured, it is emulated, allowing the sandbox to fully trace the malicious execution flow. This not only exposes the clipboard-based tactic but also reveals the payload’s behavior and infection chain.

MetaDefender Sandbox

Supply Chain Attack

The SolarWinds supply chain attack exemplifies how minimal code changes in trusted software can enable massive breaches while bypassing traditional security defenses. Threat actors injected a stealthy backdoor into a legitimate DLL, embedding malicious logic while preserving original functionality. The payload ran silently in a parallel thread mimicking legitimate components. With a valid digital signature and seamless behavior, the DLL evaded detection and granted covert access to thousands of high-profile victims. The compromise of the build pipeline turned trusted updates into a vehicle for global intrusion.

While a 4,000-line backdoor might seem significant, in the context of a large enterprise source code, it’s easily overlooked. This is where MetaDefender Sandbox excels: it doesn’t just inspect the code, it observes what the software does. It flags deviations from normal behavior, guiding analysts to what really matters—cutting through the noise to spotlight threats that traditional reviews would likely miss.

MetaDefender Sandbox Integrations

ImplementationAppliance
IntegrationAPI & Web Interface Integration​
  • REST API (OpenAPI documented)
  • File and URL submissions via GUI
  • Threat hunting and reputation lookups
Email Integrations & Format Support​​
  • Automatic data ingestion (IMAP)
  • MBOX, MSG file support
Security Orchestration, Automation, and Response (SOAR) Integrations​​​
  • Palo Alto Cortex XSOAR
  • Splunk SOAR
  • AssemblyLine 4
SIEM Integrations​​​​ Common Event Format (CEF) Syslog Feedback
DeploymentOPSWAT Threat Detection & Prevention Platform
  • MetaDefender Core
  • MetaDefender Cloud
  • MetaDefender ICAP Server
  • MetaDefender Storage Security
  • MetaDefender Kiosk
  • Metascan
Report Format/ Data ExportReport Formats
  • MISP
  • STIX 2.1
  • HTML, PDF, JSON
Scripting & Automation ToolsPython
  • Python CLI
  • Pip package management

Adaptive Threat Analysis in MetaDefender Core

Adaptive Sandbox dynamically detects complex and evasive malware threats. It’s integrated directly into MetaDefender Core for enhanced orchestration and rapid detection in larger security workflows.

MetaDefender Core
Screenshot of MetaDefender Core, displaying file scan details, sandbox threat detection, and options for deeper content reconstruction
Detailed view of adaptive sandbox scan, highlighting malicious indicators and their severity

Detonator - The Endless Quest for the Perfect Sandbox

The Story Behind OPSWAT’s Leading Malware Analysis Solution

Detonator - The Endless Quest for the Perfect Sandbox

The Story Behind OPSWAT’s Leading Malware Analysis Solution

Filescan.io Community

Uncover hidden threats with insightful malware analysis powered by OPSWAT's MetaDefender Sandbox technology—try it free.

Sandbox-Enhanced Solutions

OPSWAT’s MetaDefender Sandbox adds a critical layer of threat prevention across our cybersecurity platform.

MetaDefender ICAP Server

MetaDefender ICAP with Sandbox integration combines multi-engine scanning and behavioral analysis to detect complex threats with high accuracy, and streamline threat response for secure, compliant file and web transfers.

MetaDefender Core

MetaDefender Core's multi-engine scanning, sanitization, and file analysis capabilities with MetaDefender Sandbox's behavioral insights and zero-day detection, organizations in these secure environments achieve a layered, resilient defense.

MetaDefender Storage Security

MetaDefender Sandbox enhances MetaDefender Storage Security by providing deeper threat analysis and real-time behaviour analysis to fortify storage systems across enterprise environments against high impact threats.

“OPSWAT’s Sandbox has very fast verdicts, thanks to emulation and is integrated with other products like Deep CDR. Thus giving the best inline experience for scanning files with minimum disruption to users and allowing easy management.”

Tamir Shahar
Infrastructure Architect, Clalit Health Services
Industries

Purpose-Built for Every Sector

  • Energy & Utility

    Transfer critical infrastructure data between IT-OT securely.

  • Manufacturing

    Transfer operational updates into and operational data out of critical sites

  • Government

    Transfer classified documents, and sensitive government data.

  • Finance

    Transfer sensitive customer information and trade secrets.

  • Healthcare

    Transfer of patient and medical records between systems.

  • Media

    Transfer large video files across sites and external partners.

Resources

Learn More About MetaDefender Sandbox

  • Whitepaper

    Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware

    Leverage Adaptive Threat Analysis to Detect Highly Evasive Malware

  • Datasheet

    MetaDefender Sandbox Datasheet

    See more stats and technical specifications in this datasheet

  • Customer Story

    Scaling Threat Detection with MetaDefender Sandbox

    How a Cybersecurity Solutions Provider Efficiently Protects Data and Communications With OPSWAT

  • Documentation

    MetaDefender Sandbox Documentation

    See additional information and technical resources.

  • Blog

    Malware Analysis Blog

    The latest practical insights and best practices for managing cybersecurity operations from OPSWAT, including incident response, vulnerability management, and optimizing security posture.

  • EBOOK

    The Need for Smarter Sandboxes

    Evolving Malware Detection and Threat Analysis

Expose Evasive Malware with
Adaptive AI Analysis

Fill out the form and we’ll be in touch within 1 business day.
Trusted by 1,900+ businesses worldwide.