VMRay Detection & Analysis Technologies

Best-of-breed Technologies for 

immediate detection & analysis


Innovation is our DNA. 

VMRay was founded by early pioneers in automated threat detection and analysis. Since then, we keep thinking outside the box to find new ways to find solutions for the challenges of our customers.With every new release, we keep adding new building blocks to our technologies that enable immediate detection of unknown threats.

Explore our 20+ unique technologies that empower our customers to detect the undetectable.

Reputation analysis is effective for known files, URLs, domains, and IPs, to detect known malicious and known benign samples.
Reputation Analysis

An analysis engine leveraging the VMRay Reputation Service for known files, URLs, domains, and IPs, to detect known malicious and known benign samples. 

The Reputation Service is hosted by VMRay and continuously updated. It can be used by all VMRay's customers, both Cloud and On-Premises, regardless of licensed product.

Smart caching optimizes performance without degrading efficacy.
Smart Caching

A global caching mechanism that determines how to handle re-submissions in order to optimize performance without degrading efficacy.

Static Analysis

Static Analysis is an analysis engine performing deep examination of file and email samples without detonation.

The Static Analysis uses a combination of proprietary technologies to parse the samples and extract embedded contents, while performing structural and code-based evaluations. 

This includes digital signature verification, macro de-obfuscation, antivirus scanning as well as YARA rule checks. 

During Static Analysis, a decision can be made whether a sample requires a detonation and what analysis environments should be used.

Built-in AV

Content-based antivirus engine that uses signature and behavior-based heuristics to complement Dynamic File Analysis and Dynamic Web Analysis.

The Built-in AV is used to scan all objects that are extracted during Static and Dynamic scans.

Computer Vision

An important part of our detection & analysis technologies that brings the ability to extract text from images using Optical Character Recognition (OCR) in order to detect social engineering techniques used in phishing campaigns.

Deep Content Extraction

Fully extract all embedded content from samples, no matter how deep they were hidden. After extraction these objects are sent for further analysis.

This includes extracting embedded objects and links from documents, links and attachments from emails, archive unpacking with no depth limit, as well as decrypting password protected samples.

Digital Signature Verification

Verification of the digital signature of Portable Executable (PE) samples (including checking for revoked certificates) to improve efficacy and enrich report metadata.

File Type Recognition

Proprietary parsers which identify the exact file type based on the file structure, as well as detect partially-corrupted samples that cannot be executed during Dynamic File Analysis.

Macro Deobfuscation

Deobfuscation of macro code in Office files, such as elimination of dead code. This reduces malware-forensic efforts and it enables the detection of malicious macros.

Password-Protected File Analysis

Protect against malicious password-protected attachments by searching for the password in the email body and subject.

Sample Triage

Prefilter samples from being detonated in order to optimize performance. This includes known benign files, files with no active content, as well as highly advanced content inspection, such as PDFs with non-standard structures and documents with benign macros.

Smart Link Detonation

Attributes-based rules that determine if links embedded in emails and documents should be detonated using VMRay Web Analysis (e.g., domain age, reputation score, abnormal URL string).

VBA Stomping Detection

Compares the compiled macro code (p-code) with the source code (VBA) to detect a VBA Stomping attack technique.

File Type Recognition

Detection rules that look for certain characteristics in files. The YARA rulesets are used to scan all objects that are extracted during Static and Dynamic analysis. 

In dynamic analysis, the malware or phishing URL is denotated in a safe environment, which enables VMRay to observe malicious behavior of unknown threats.

Dynamic Analysis


The Dynamic File Analysis monitors and records the file's complete behavior and provides a detailed report including memory dumps, function calls and the judgement of whether the sample is a threat is provided. Multiple other VMRay's technologies contribute to Dynamic File Analysis thereby making it both comprehensive and precise.


An analysis engine detonating URLs and other Web objects (such as HTML files) within a Virtual Machine. The Dynamic Web Analysis allows for real-time monitoring of the complete DOM (Document Object Model) structure of the analyzed webpage, and thus provides highly detailed and precise visibility into potential phishing threats and malicious downloads. 

Adaptive Browser Simulation triggers clicks on links and buttons to detect phishing attacks delivered  via web pages.
Adaptive Browser Simulation

Certain phishing attacks delivered via web pages may only be triggered if the user clicks on a button (e.g., the download button in file sharing sites such as Dropbox).

This feature detects and clicks on these buttons to automatically trigger the payload delivery.

Auto Reboot

When detecting persistence behaviors (e.g., file dropped to autostart), the sandbox will automatically reboot the VM as part of the analysis.

Automatic User Interaction

Simulating user behavior so that the execution can continue and no behavior is missed.

This includes mouse movements and clicks, as well as clicking on dialog boxes and providing expected responses (e.g., ‘accepting’ the EULA in an installer).

Intelligent monitoring technology brings ultimate resistance to evasive malware.
Intelligent Monitoring 

The core technology behind VMRay Dynamic File Analysis. Intelligent Monitoring allows VMRay to stay invisible to highly evasive malware as it runs solely in the hypervisor layer and does not need to modify even a single bit in the analysis environment. It is monitoring every interaction between the malware and the system, thus providing best-in-class detection rates of zero-day, targeted and advanced threats.

Intelligence Monitoring works much like the zoom lens on a camera as it automatically adjusts itself to the optimal monitoring granularity depending on the behavior exhibited by the sample. This resulting in noise-free analysis reports, distinguishing between true malware behavior and unrelated system activity, while delivering complete visibility into every interaction between the malware and the operating system.

Smart memory dumping ensures timely detection of malware
Smart Memory Dumping

Advanced triggers to accurately dump and store relevant memory buffers of analyzed malware in real time.

This includes timely detection of when exactly the dump should be taken based on malware behavior, defining what exactly should be captured to get relevant forensics and malware configs and more.

Memory dumps can later be submitted loaded in IDA with the help of the VMRay IDA plugin for further analysis.

Golden Images

Allows security teams to deploy analysis environment images that have been replicated from the customer’s real-world production environment. This enhances detection of targeted malware by revealing more precisely how a particular malware sample would affect users. (Note: This feature is only available with On-Premises deployments.)

Live Interaction

Allows users to manually interact with the sample during Dynamic File Analysis and Dynamic Web Analysis.

Machine Learning with VMRay Analyzer
Machine Learning

Machine learning is used to provide an additional layer of protection to further identify hard to detect phishing threats.

The ML engine processes the results generated by Dynamic Web Analysis to recognize new patterns and determine risk based on over a hundred different characteristics.

Non-intrusive TLS Visibility

Ability to decrypt TLS/SSL traffic in the VM without the use of a forged certificate, thus providing complete visibility into c2 traffic while remaining invisible to malware.

Post-processing is the phase where VMRay Platform turns the analysis and detection into a clear, concise and noise-free decision.


Post-processing is where the real magic happens. In this phase, VMRay Platform turnes the input of analysis into concise and noise-free actionable insights.

In a way, it's fair to say that the final decision is made at this phase. VMRay uses unique technologies to provide clear verdicts and noise-free reports for the teams and detailed logs for the tools.

VMRay Threat Identifiers (VTI) finalizes the verdicts by applying our cutting-edge scoring system.
VMRay Threat Identifiers (VTIs)

VMRay's proprietary detection rules, applied during each performed analysis, to detect and classify threats. Applies advanced heuristics to detect credential harvesting pages. 


Mapping of malicious characteristics of submitted samples to the industry-standard MITRE ATT&CK framework.

Automated IOCs Classification

Sandbox-generated Indicators of Compromise (IOCs) are an under-utilized source of threat intelligence, due to the difficulty of extracting actionable, trusted IOCs in an efficient way. 

VMRay Analyzer uses behavior signatures to automatically filter out noise and flag artifacts that exhibit unusual behavior as IOCs. IOCs produced by VMRay Analyzer can be used for automated threat hunting without any additional filtering. This also includes the aggregation of IOCs from multiple analysis reports.

Learn more

Keys to the Future of SOC Automation
VMRay Webinar Featuring Forrester