A modern, offline static malware analysis tool built with WebAssembly
Infectio is a powerful, privacy-focused static malware analysis tool that runs entirely in your browser using WebAssembly.
- 100% Privacy: All analysis happens locally in your browser
- Multi-Format: Supports PE, ELF, Mach-O, PDF, ZIP, Office documents, and more
- AI-Powered: Optional local LLM integration for intelligent analysis
- No Installation Required: Try it instantly at https://infectio.filippofinke.ch/
- Multi-Format Support:
- Executables: PE (Windows), ELF (Linux), Mach-O (macOS)
- Documents: PDF, Office (DOC, DOCX, XLS, XLSX, PPT, PPTX)
- Archives: ZIP with nested analysis
- Legacy: OLE/OLE2 formats
- Entropy Analysis: Calculate file entropy to detect packed or encrypted content with visual charts
- Hash Calculation: Generate MD5, SHA1, and SHA256 checksums instantly
- String Extraction: Extract ASCII and Unicode strings with configurable minimum length
- IP & URL Detection: Automatically identify network indicators of compromise (IOCs)
- Heuristic Detection: Identify suspicious patterns and behaviors
- High entropy sections indicating packing/encryption
- Suspicious API calls and imports
- Content type mismatches
- Embedded executables in documents
- Import Analysis: Extract and visualize DLL/library imports and function calls
- VBA Macro Detection: Identify and extract macros from Office documents
- Encryption Detection: Detect password-protected and encrypted content
- Interactive Import Graph: Visual representation of DLL dependencies and relationships
- Entropy Charts: Line charts showing entropy distribution across file sections
- Folder Tree View: Hierarchical visualization of archive contents
- Code Analysis: Syntax-highlighted code viewer powered by Monaco Editor
- Interactive Tables: Sortable, searchable data tables for strings, imports, and metadata
- Integrated LLM: Optional AI-assisted analysis using Web LLM (runs locally)
- Natural Language Q&A: Ask questions about analyzed files in plain English
- Contextual Insights: Get explanations of findings and security implications
- Privacy-Preserving: All AI processing happens locally - no data leaves your browser
Try it now: https://infectio.filippofinke.ch/
Experience Infectio directly in your browser: upload any file and see the analysis in action.
PE Module Extraction & Visualization: interactive graph visualization of DLL imports and dependencies
Entropy Calculation: visualize entropy distribution to detect packed or encrypted sections
Infectio is built with a modern, modular architecture designed for performance, extensibility, and privacy.
- Rust: Core analysis engine compiled to WebAssembly
- wasm-bindgen: JavaScript/Rust interop layer
- Key Libraries:
  - goblin: Multi-format binary parsing (PE, ELF, Mach-O)
  - exe: Windows PE file analysis
  - lopdf: PDF document parsing
  - ole: OLE2 format parsing (Office documents)
  - zip: Archive handling and extraction
  - regex: Pattern matching for IOC detection
  - md5, sha1, sha2: Cryptographic hashing
- React 18: Modern UI framework with hooks
- TypeScript: Type-safe JavaScript
- Tailwind CSS: Utility-first styling
- Webpack 5: Module bundler with optimization
- Key Libraries:
  - @mlc-ai/web-llm: Browser-based LLM integration
  - magika: ML-based file type identification
  - react-router: Client-side routing
  - reagraph: Interactive graph visualization
  - @monaco-editor/react: Code editor component
  - chart.js: Data visualization and charts
Ensure you have the following installed:
| Tool | Version | Installation |
|---|---|---|
| Node.js | v16+ | Download |
| Rust | Latest stable | `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \| sh` |
| wasm-pack | Latest | `cargo install wasm-pack` |
| Git | Any | Download |
```bash
# 1. Clone the repository
git clone https://github.com/filippofinke/infectio.git
cd infectio

# 2. Build the WebAssembly module
cd infectiowasm
chmod +x scripts/build.sh
./scripts/build.sh

# 3. Install and start the web application
cd ../web
npm install
npm start
```
Your browser will open to http://localhost:8080 automatically.
For faster iteration during development:
```bash
# Use the dev build (faster, unoptimized)
cd infectiowasm
./scripts/dev.sh

# Start the dev server with hot reload
cd ../web
npm start
```
```bash
# Build the optimized WASM module
cd infectiowasm
./scripts/build.sh

# Build the optimized web application
cd ../web
npm run build
# Output is in web/dist/ - ready for deployment
```
The web/dist folder contains a static website that can be deployed to:
- GitHub Pages: Push to the gh-pages branch
- Netlify: Drag and drop the dist folder or connect the repository
- Vercel: Import the repository with the build command `npm run build`
- AWS S3: Upload to an S3 bucket with static hosting enabled
- Any Static Host: Upload the contents of the dist folder
1. Upload a File:
   - Drag and drop a file onto the upload zone
   - Or click "Choose a file" to browse
   - Or paste a file from the clipboard
2. Automatic Analysis:
   - File type is automatically detected
   - Analysis progress is shown with status indicators
   - Typically completes in 1-5 seconds
3. Review Results:
   - File Info: Size, type, hashes (MD5, SHA1, SHA256)
   - Heuristics: Security warnings with severity levels
   - Metadata: Format-specific properties and headers
   - Strings: Extracted text strings (ASCII/Unicode)
   - IPs/URLs: Network indicators of compromise
   - Imports: Function imports and library dependencies (executables)
   - Entropy: Visual charts showing data randomness
   - Code: Syntax-highlighted content view
For encrypted archives or Office documents:
- Upload the file normally
- Enter the password when prompted
- Click "Decrypt" to proceed
- Analysis continues normally after decryption
Supported encrypted formats:
- Password-protected ZIP archives
- Encrypted Office documents (DOCX, XLSX, PPTX)
- Protected PDFs
Enable AI-powered analysis for intelligent insights:
- Load the Model: Click the chat icon to initialize (first time only, ~2GB download)
- Ask Questions:
- "What does this executable do?"
- "Are there any suspicious patterns?"
- "Explain these API imports"
- "What are the security risks?"
- Get Insights: Receive natural language explanations based on analysis results
Note: AI processing is 100% local - no data leaves your browser.
- Click "Scan another file" to analyze additional files
- Use the dropdown menu to switch between analyzed files
- Close individual reports using the "X" button
- Compare results across multiple samples
String Filtering:
- Adjust minimum string length (default: 5 characters)
- Search and filter extracted strings
- Copy individual strings or entire list
Entropy Analysis:
- View overall file entropy
- Examine chunk-by-chunk entropy distribution
- Identify packed or encrypted sections (entropy > 7.0)
Import Graph:
- Interactive visualization of DLL dependencies
- Zoom and pan to explore relationships
- Click nodes to highlight connections
- Useful for understanding malware capabilities
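As an added example (not Infectio's own code), the chunked Shannon entropy calculation that the "entropy > 7.0" packed/encrypted heuristic above rests on, in Rust; the chunk size, the threshold constant and the sample file are assumptions chosen for illustration:

```rust
// Added example, not Infectio's own code: chunked Shannon entropy, the
// measurement behind the "entropy > 7.0" packed/encrypted heuristic.
// CHUNK_SIZE and HIGH_ENTROPY are illustrative assumptions, not the project's values.
pub const CHUNK_SIZE: usize = 256;
pub const HIGH_ENTROPY: f64 = 7.0;

/// Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 when every byte value occurs equally often.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let len = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / len;
            -p * p.log2()
        })
        .sum()
}

/// Entropy of each fixed-size chunk in file order: the series an entropy chart plots.
pub fn chunk_entropies(data: &[u8], chunk_size: usize) -> Vec<f64> {
    data.chunks(chunk_size).map(shannon_entropy).collect()
}

/// Indices of chunks above the threshold; a run of these inside an otherwise low-entropy file is the "high entropy section" signal.
pub fn high_entropy_chunks(data: &[u8], chunk_size: usize, threshold: f64) -> Vec<usize> {
    chunk_entropies(data, chunk_size)
        .into_iter()
        .enumerate()
        .filter(|(_, e)| *e > threshold)
        .map(|(i, _)| i)
        .collect()
}

/// Constructed sample: one chunk of repetitive text, then one chunk that uses every
/// byte value exactly once (a stand-in for packed or encrypted bytes).
pub fn sample_file() -> Vec<u8> {
    let mut data = b"This is plain, repetitive text. ".repeat(8);
    data.extend((0..=255u8).map(|i| i.wrapping_mul(167).wrapping_add(19)));
    data
}
```

Calling `high_entropy_chunks(&sample_file(), CHUNK_SIZE, HIGH_ENTROPY)` returns only the index of the second chunk, which is the pattern a chart would show as a flat line followed by a spike.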
Create a new analyzer in infectiowasm/src/analyzers/:

```rust
use crate::analyzers::{FileAnalyzer, AnalyzerReport};

pub struct CustomAnalyzer;

impl FileAnalyzer for CustomAnalyzer {
    fn analyze(&self, file_data: &[u8]) -> AnalyzerReport {
        let mut report = AnalyzerReport::default();

        // Your custom analysis logic; detect_suspicious_pattern is a
        // placeholder for your own check over the raw file bytes.
        if detect_suspicious_pattern(file_data) {
            report.add_heuristic("Custom Detection", "High");
        }

        report
    }
}
```

Then register it in infectiowasm/src/dispatcher.rs.
In any analyzer:
```rust
// Add a warning with a severity level
report.add_heuristic("High Entropy Detected", "Medium");
report.add_heuristic("Suspicious API Call", "High");
report.add_heuristic("Embedded Executable", "Critical");
```
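An added example, not code from the Infectio repository: the "embedded executable in document" heuristic from the feature list, written as stand-alone Rust that does not use the crate's FileAnalyzer trait. The Heuristic struct, the e_lfanew bounds check and the sample document are assumptions made for this example:

```rust
// Added example, not Infectio's own code: a stand-alone version of the
// "embedded executable in document" heuristic. It does not implement the
// crate's FileAnalyzer trait; the Heuristic struct is an assumed report shape.
#[derive(Debug, PartialEq)]
pub struct Heuristic {
    pub title: &'static str,
    pub severity: &'static str,
    pub offset: usize,
}

/// Offsets of embedded PE images: an "MZ" header whose e_lfanew field (u32 little-endian
/// at 0x3C) points at a "PE\0\0" signature inside the buffer. Requiring the signature
/// filters out stray "MZ" byte pairs that occur in ordinary data.
pub fn find_embedded_pe(data: &[u8]) -> Vec<usize> {
    let mut hits = Vec::new();
    for i in 0..data.len().saturating_sub(0x3f) {
        if &data[i..i + 2] != b"MZ" {
            continue;
        }
        let raw = [data[i + 0x3c], data[i + 0x3d], data[i + 0x3e], data[i + 0x3f]];
        let lfanew = u32::from_le_bytes(raw) as usize;
        // Bounds-checked lookup: a bogus e_lfanew must never index past the buffer.
        let sig = i
            .checked_add(lfanew)
            .and_then(|s| s.checked_add(4).map(|e| (s, e)))
            .and_then(|(s, e)| data.get(s..e));
        if sig == Some(&b"PE\0\0"[..]) {
            hits.push(i);
        }
    }
    hits
}

/// One report entry per hit, mirroring report.add_heuristic("Embedded Executable", "Critical").
pub fn document_heuristics(data: &[u8]) -> Vec<Heuristic> {
    find_embedded_pe(data)
        .into_iter()
        .map(|offset| Heuristic { title: "Embedded Executable", severity: "Critical", offset })
        .collect()
}

/// Constructed sample: a fake PDF prefix, a decoy "MZ" with no PE signature, then a
/// minimal DOS-header stub pointing at "PE\0\0". Returns the stub's offset as well.
pub fn sample_document() -> (Vec<u8>, usize) {
    let mut doc = b"%PDF-1.4 constructed sample, not a real PDF\n".to_vec();
    doc.extend_from_slice(format!("MZ decoy {}\n", "-".repeat(60)).as_bytes());
    let start = doc.len();
    let mut stub = vec![0u8; 0x40];
    stub[..2].copy_from_slice(b"MZ");
    stub[0x3c..].copy_from_slice(&0x40u32.to_le_bytes());
    stub.extend_from_slice(b"PE\0\0");
    doc.extend(stub);
    (doc, start)
}
```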
```bash
cd infectiowasm
cargo test                   # Run all tests
cargo test test_name         # Run a specific test
cargo test -- --nocapture    # Show output
```
We welcome contributions! Whether it's a bug report, feature request, or code contribution, your help is appreciated.
- Report Bugs: Open an issue with details and reproduction steps
- Suggest Features: Share ideas for new capabilities
- Improve Documentation: Fix typos, add examples, clarify instructions
- Write Code: Implement features, fix bugs, optimize performance
- Share Feedback: Let us know how you're using Infectio
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Make your changes with clear, commented code
- Add tests for new functionality
- Ensure all tests pass (`cargo test`)
- Format your code (`cargo fmt` for Rust)
- Commit with descriptive messages (`git commit -m 'Add amazing feature'`)
- Push to your branch (`git push origin feature/amazing-feature`)
- Open a Pull Request with a detailed description
This project is licensed under the MIT License, see the LICENSE file for details.
👤 Filippo Finke
- Website: https://filippofinke.ch
- Twitter: @filippofinke
- GitHub: @filippofinke
- LinkedIn: @filippofinke
- Disassembler integration
- YARA rule editor
- Threat intelligence feeds
- Automated IOC extraction
- Timeline visualization
- Behavior simulation