Joe Sandbox is a deep malware analysis platform that combines static, dynamic, hybrid, and graph-based analysis techniques to examine files and URLs for malicious behavior. Static Analysis: - Generic file type detection, file parsing, built-in AV, and ML-based detection Dynamic Analysis (Files): - Live interaction, hypervisor-based inspection, bare metal detonation, execution graph analysis, and COM tracing Dynamic Analysis (URLs): - AI-based phishing automation and detection, AI reasoning and summary, QR code extraction, and CAPTCHA solving Network Analysis: - SSL inspection, localized internet anonymization with rotating proxies, and Suricata integration Detection & Extraction: - 2,500+ custom behavior signatures, 3,500+ custom YARA signatures, 118+ Sigma signatures, 270+ config/string extractors, and 10+ custom AI signatures Post Analysis: - Reports in HTML/JSON/XML, behavior graphs, dropped files, PCAP, memory dumps, screenshots, MITRE ATT&CK mapping, and IOC extraction The platform uses hardware virtualization (hypervisor) to monitor system and API activity in user and kernel mode without alerting the analyzed threat. Hybrid Code Analysis (HCA) combines dynamic and static analysis to uncover hidden or dormant functionality. Execution Graph Analysis (EGA) visualizes control flow, API chains, and execution paths. Coverage spans Windows, Android, macOS, and Linux environments.