Drop a file to read it locally and triage it in seconds. You get its overall Shannon entropy, a sliding-window entropy graph that reveals packed or encrypted regions, the real file type detected from its magic bytes and checked against the extension, a classic hex viewer, and a scan for appended or embedded signatures that hint at a polyglot or hidden payload.
Static triage starts before you ever run a sample. You look at the raw bytes and ask a few cheap questions: what is this file really, how random are its contents, and is anything hiding inside it. This tool answers those questions in the browser, reading the file as an ArrayBuffer with the FileReader API so the bytes never leave your machine. It is a first look, meant to point you at the parts worth a closer look, not a sandbox or a full reverse engineering suite.
Shannon entropy scores how unpredictable the byte values are, from 0 to 8 bits per byte. A file of one repeated byte scores 0. A file where every value from 0 to 255 appears about equally often scores close to 8. Plain text and structured formats land in the middle. Data that is compressed, encrypted, or packed sits near the top, because those transforms flatten the byte distribution. The tool reports the overall figure and grades how far it is from the high end, so you can read at a glance whether the file looks random.
One number for a whole file hides where the randomness lives. The graph computes entropy over a sliding window of blocks along the file and plots it against the byte offset, so a packed section, an encrypted blob, or data appended after a clean file shows up as a step or a spike. A benign executable that is mostly low-entropy code with one near-maximum region is the classic pattern of a packed or encrypted section. The horizontal axis is the byte offset from start to end, and the vertical axis is entropy from 0 to 8.
The first few bytes of most formats are a fixed signature, the magic bytes. A PNG starts with 89 50 4E 47, a zip with 50 4B, an ELF binary with 7F 45 4C 46, a Windows executable with 4D 5A. The extension is only a label and can be renamed to anything. The analyzer reads the signature, names the real format, and compares it to the extension. A mismatch, like an executable wearing an image extension, is a well-known triage signal.
A classic hexdump of the first bytes shows the offset, the hex values, and an ASCII gutter side by side. Headers, embedded strings, and the shape of a format are often readable straight from the dump. The view is capped to the first block so it stays fast on large files.
The scan looks for known format signatures that appear after offset zero rather than at the very start. A zip header buried inside an image can mean a polyglot, a single file that is valid as two formats at once, or a payload simply appended to a benign carrier. Each extra signature is reported with the byte offset where it was found, so you can carve it out and inspect it. As with entropy, a hit is a lead to verify, not a verdict.
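The checks described above (overall and per-block entropy, magic bytes against the extension, and the embedded-signature scan) can be sketched in a few functions. This is an added example, not the tool's own code: the function names, the 256-byte non-overlapping blocks, and the sample buffer are assumptions made for illustration.

```javascript
// Added example; function names are hypothetical. Signatures are the four quoted in the text.
// Two-byte signatures (zip, exe) also occur by chance in random data, so hits are leads only.
const SIGS = { png: [0x89, 0x50, 0x4e, 0x47], zip: [0x50, 0x4b],
               elf: [0x7f, 0x45, 0x4c, 0x46], exe: [0x4d, 0x5a] };

// Shannon entropy in bits per byte (0 to 8) over bytes[start, end).
function entropy(bytes, start = 0, end = bytes.length) {
  const counts = new Uint32Array(256);
  for (let i = start; i < end; i++) counts[bytes[i]]++;
  const n = end - start;
  let h = 0;
  for (const c of counts) if (c > 0) h -= (c / n) * Math.log2(c / n);
  return h;
}

// One entropy reading per fixed-size block, keyed by byte offset (the graph's x axis).
function windowEntropy(bytes, block = 256) {
  const points = [];
  for (let off = 0; off < bytes.length; off += block)
    points.push({ offset: off, bits: entropy(bytes, off, Math.min(off + block, bytes.length)) });
  return points;
}

const matchAt = (bytes, off, sig) => sig.every((b, i) => bytes[off + i] === b);
// Format named by the magic bytes at offset 0, or null if none of SIGS matches.
const detectType = (bytes) => Object.keys(SIGS).find((k) => matchAt(bytes, 0, SIGS[k])) || null;
// True when the detected format disagrees with the extension (assumes extension == SIGS key).
const extensionMismatch = (bytes, fileName) =>
  detectType(bytes) !== null && detectType(bytes) !== fileName.split(".").pop().toLowerCase();

// Signatures that appear after offset 0, each with the offset to carve from.
function scanEmbedded(bytes) {
  const hits = [];
  for (let off = 1; off < bytes.length; off++)
    for (const [name, sig] of Object.entries(SIGS))
      if (matchAt(bytes, off, sig)) hits.push({ name, offset: off });
  return hits;
}

// Constructed sample: PNG magic plus zero padding, then a zip signature and a byte pattern
// that cycles through all 256 values (a deterministic stand-in for compressed data).
function buildSample() {
  const buf = new Uint8Array(2048);
  for (let i = 1024; i < 2048; i++) buf[i] = (i * 167) & 0xff;
  buf.set(SIGS.png, 0);
  buf.set(SIGS.zip, 1024);
  return buf;
}
```

On the constructed sample the overall entropy lands mid-range, while the per-block readings step from near 0 to near 8 at offset 1024, the same offset where the scan reports the zip signature.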
The headline number scores the overall entropy from low to high. The detail rows then break down the file type, any extension mismatch, the entropy reading in plain language, and any appended signatures. None of these is a malware verdict by itself: archives and media are high entropy by design, and many formats legitimately embed others. The value is in the combination: a low-entropy format that hides a high-entropy region, an extension that lies about the format, or random data tacked onto the end. Turning these signals into a conclusion takes contextual judgment, which is what an AI security testing approach reasons about, rather than matching one byte pattern. For the wider set of attacker techniques that hide code in plain files, the web security glossary is a good starting point.