Deep / Dynamic / AI / Full Analysis
POST /v1/file/deep
Submit a file to the DFIR malware lab for advanced analysis. This endpoint supports four analysis pipelines — deep static, dynamic sandbox execution, AI-powered classification, and a full combined run. Analysis is asynchronous: the endpoint returns a SHA-256 and poll URL immediately, and results are retrieved via GET /v1/file/status/{sha256}.
Permission: file:analyze
Credits: 15–60 per request
Plans: Starter, Professional, Enterprise
Max Size: 50 MB
Analysis Types
| Type | Credits | Est. Time | Description |
|---|---|---|---|
| deep | 25 | ~5 minutes | In-depth static analysis on the malware lab backend. Extracts PE metadata, strings, import/export tables, packer detection, YARA rule matching, and entropy analysis. No execution. |
| dynamic | 35 | ~5 minutes | Executes the file in an isolated sandbox environment. Captures syscalls, network connections, file system changes, registry modifications, process creation, and behavioral indicators. |
| ai | 15 | ~5 minutes | AI-powered analysis that processes extracted strings, behavioral signals, and metadata to classify the sample, identify malware family, and describe capabilities in natural language. |
| full | 60 | ~10 minutes | Runs all three pipelines — deep static, dynamic sandbox, and AI analysis — and consolidates results into a unified report. Highest fidelity at highest cost. |
High priority (priority: "high") doubles the credit cost and is available on Enterprise plans only.
Request
Send the file as multipart/form-data. The options field is a JSON string appended as a separate form field.
| Field | Type | Required | Description |
|---|---|---|---|
| file | File | Yes | The file to analyze. Maximum size: 50 MB. All common binary and script formats accepted. |
| options | JSON string | No | JSON-encoded options object. Defaults to {"analysis_type":"deep","tags":[],"priority":"normal"}. |
| options.analysis_type | string | No | "deep" (default), "dynamic", "ai", or "full". Determines the pipeline and credit cost. |
| options.tags | string[] | No | Up to 10 tags for categorization (max 50 characters each). Useful for grouping samples by incident or campaign. |
| options.priority | string | No | "normal" (default) or "high". High priority doubles the credit cost and is available on Enterprise plans only. |
Response
{
  "data": {
    "sha256": "44d88612fea8a8f36de82e1278abb02f...",
    "status": "queued",
    "analysis_type": "dynamic",
    "file_name": "sample.exe",
    "file_size": 204800,
    "message": "File submitted for deep analysis.",
    "poll_url": "/v1/file/status/44d88612fea8a8f36de82e1278abb02f...",
    "estimated_time_seconds": 300
  },
  "meta": {
    "request_id": "req_a1b2c3d4-...",
    "credits_used": 35,
    "credits_remaining": 465,
    "processing_time_ms": 1843
  }
}

| Field | Type | Description |
|---|---|---|
| data.sha256 | string | SHA-256 hash of the uploaded file — use this to poll status |
| data.status | string | "queued", "processing", or "complete" |
| data.analysis_type | string | The analysis type that was submitted |
| data.file_name | string | Original filename |
| data.file_size | number | File size in bytes |
| data.message | string | Human-readable status message |
| data.poll_url | string | Relative URL to poll for analysis results — pass to GET /v1/file/status/{sha256} |
| data.estimated_time_seconds | number | Estimated seconds until analysis completes (300 for deep/dynamic/ai, 600 for full) |
| meta.request_id | string | Unique request identifier for support and debugging |
| meta.credits_used | number | Credits consumed for this submission |
| meta.credits_remaining | number | Remaining credit balance after this request |
| meta.processing_time_ms | number | Server-side processing time in milliseconds |
Code Examples
cURL — Deep Analysis
curl -X POST https://api.dfir-lab.ch/v1/file/deep \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -F "file=@malware.exe" \
  -F 'options={"analysis_type":"deep","tags":["incident-2026-04","ransomware"]}'

cURL — Full Analysis
curl -X POST https://api.dfir-lab.ch/v1/file/deep \
  -H "Authorization: Bearer sk-dfir-your-key-here" \
  -F "file=@sample.dll" \
  -F 'options={"analysis_type":"full"}'

Python — Dynamic Analysis
import json

import requests

# Options travel as a JSON string in their own form field.
options = {
    "analysis_type": "dynamic",
    "tags": ["apt-campaign", "suspected-loader"],
    "priority": "normal",
}

# Upload the sample as multipart/form-data.
with open("sample.exe", "rb") as f:
    response = requests.post(
        "https://api.dfir-lab.ch/v1/file/deep",
        headers={"Authorization": "Bearer sk-dfir-your-key-here"},
        files={"file": ("sample.exe", f, "application/octet-stream")},
        data={"options": json.dumps(options)},
    )

# Fail on an HTTP error status before reading the body.
response.raise_for_status()
data = response.json()
result = data["data"]

print(f"SHA-256: {result['sha256']}")
print(f"Status: {result['status']}")
print(f"Analysis type: {result['analysis_type']}")
print(f"Poll for results: {result['poll_url']}")
print(f"Estimated completion: {result['estimated_time_seconds']}s")
print(f"Credits used: {data['meta']['credits_used']}")

Important Notes
- Analysis is asynchronous. The endpoint returns immediately with a poll_url. Use GET /v1/file/status/{sha256} to poll until status is "complete".
- Credits are deducted at submission time. If the malware lab is temporarily unreachable after credit deduction, contact support with your request_id for a refund.
- The dynamic and full pipelines execute files in an isolated environment. Do not submit files containing sensitive data.
- High priority (priority: "high") is available on Enterprise plans only and doubles the credit cost.
- This endpoint requires the file:analyze permission on your API key and a Starter, Professional, or Enterprise plan.
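
Because credits are deducted at submission time, a client-side pre-flight check is useful. The following is an added example, not part of the API's own documentation: it validates options against the limits in the tables above, computes the expected credit cost, and hashes the file locally so the returned data.sha256 and meta.credits_used can be verified. The names preflight and response_matches, the plan argument, and the reading of "50 MB" as 50 MiB are assumptions.

```python
import hashlib
import json

# Limits and prices copied from the tables on this page.
CREDITS = {"deep": 25, "dynamic": 35, "ai": 15, "full": 60}
MAX_BYTES = 50 * 1024 * 1024  # assumption: "50 MB" means 50 MiB
MAX_TAGS, MAX_TAG_LEN = 10, 50


def preflight(sample: bytes, options: dict, plan: str = "Starter") -> dict:
    """Validate a submission locally; return the form field, hash and cost."""
    opts = {"analysis_type": "deep", "tags": [], "priority": "normal", **options}
    errors = []
    if len(sample) > MAX_BYTES:
        errors.append("file exceeds the 50 MB limit")
    if opts["analysis_type"] not in CREDITS:
        errors.append(f"unknown analysis_type {opts['analysis_type']!r}")
    tags = opts["tags"]
    if not isinstance(tags, list) or len(tags) > MAX_TAGS:
        errors.append("tags must be a list of at most 10 entries")
    elif any(not isinstance(t, str) or len(t) > MAX_TAG_LEN for t in tags):
        errors.append("each tag must be a string of at most 50 characters")
    if opts["priority"] not in ("normal", "high"):
        errors.append(f"unknown priority {opts['priority']!r}")
    elif opts["priority"] == "high" and plan != "Enterprise":
        errors.append("high priority requires an Enterprise plan")
    if errors:
        raise ValueError("; ".join(errors))
    # High priority doubles the credit cost.
    cost = CREDITS[opts["analysis_type"]] * (2 if opts["priority"] == "high" else 1)
    return {
        "options_field": json.dumps(opts),  # value for the "options" form field
        "sha256": hashlib.sha256(sample).hexdigest(),
        "expected_credits": cost,
    }


def response_matches(pre: dict, response: dict) -> bool:
    """True when the API hashed and billed what was hashed and expected locally."""
    return (response["data"]["sha256"].lower() == pre["sha256"]
            and response["meta"]["credits_used"] == pre["expected_credits"])


# Constructed sample input: placeholder bytes, not a real sample.
SAMPLE = b"MZ" + b"\x00" * 62
PRE = preflight(SAMPLE, {"analysis_type": "dynamic", "tags": ["incident-2026-04"]})

if __name__ == "__main__":
    print(PRE)
```

A mismatch between the local hash and data.sha256 means the lab analyzed different bytes than the ones on disk, so resolve it before trusting the report retrieved from the poll URL.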