Analysis object (malcat)

malcat: Analysis

The malcat object is an Analysis instance and the entry point of Malcat’s scripting interface. It contains the analysis results for a single file/project. While most of Malcat’s analysis is performed in C++, Python bindings are available to the user via the malcat object. Using this object, you have access to all of the specialized analyses as well as to the raw file through the File object (malcat.file).

The Analysis object

class bindings.Analysis
architecture: bindings.FileType.Architecture

The main CPU architecture of the file (only set for programs).

category: bindings.FileType.Category

The category of the identified file type

files: List[bindings.VirtualFile]

The list of virtual files identified by the File parsers.

imagebase: int

The virtual address at which the file should be loaded

metadata: Dict[str, Dict[str, str]]

The file metadata, as extracted from the File parsers. This is what you see in the Summary view. Metadata are str->str associations sorted into categories (the keys of the first dictionary).

type: str

The file type as a short string, e.g. “PE”

Access to analyses

file: bindings.File

A pointer to the File object (malcat.file).

entropy: bindings.Entropy

A pointer to the File entropy (malcat.entropy).

map: bindings.MappingAnnotation

A pointer to the Address mapping (

struct: bindings.FileStructure

A pointer to the File structures (malcat.struct).

asm: bindings.Asm

A pointer to the Disassembly (malcat.asm).

cfg: bindings.CFG

A pointer to the Control Flow Graph (malcat.cfg).

loops: bindings.Loops

A pointer to the Strongly Connected Components (malcat.loops).

fns: bindings.Functions

A pointer to the Functions (malcat.fns).

strings: bindings.Strings

A pointer to the Strings (malcat.strings).

xref: bindings.CrossReferences

A pointer to the Cross References (malcat.xref).

syms: bindings.Symbols

A pointer to the Symbols (malcat.syms).

sigs: bindings.Signatures

A pointer to the Yara signatures (malcat.sigs).

carved: bindings.SubFiles

A pointer to the Carved files (malcat.carved).

anomalies: bindings.Anomalies

A pointer to the Anomalies (malcat.anomalies).

Category enum

The bindings.Analysis.category attribute is an enum which can take the following values:

class bindings.FileType.Category

This enum describes the type/category of the analyzed file. It can have one of the following values:


No file type could be inferred, i.e. the file was rejected by all parsers


The file is an executable program (PE, ELF, NSIS script, etc.)


The file is an image


The file is a sound file format


The file is a document, e.g. an Excel spreadsheet


The file is an archive, e.g. zip or rar


The file is a filesystem, e.g. a SquashFS container or a FAT32 image

CPU architectures enum

The bindings.Analysis.architecture attribute is an enum which can take the following values:

class bindings.FileType.Architecture

This enum describes the main CPU architecture that should be used to interpret the code portion of the file (if any). Note that some file types may contain code for more than one architecture, e.g. Visual Basic Pcode + x86.


Visual Basic Pcode


AutoIt tokens


Biff8 or Biff12 Excel spreadsheet. These can contain bytecode formulas, thus the architecture.


Virtual files

class bindings.VirtualFile

A Virtual file that can be extracted from the current file’s file system using the current file parser.

property path: str

The virtual file’s absolute path. For an archive, this would be the file’s stored path for instance.

property size: int

The virtual file’s unpacked size. Note that this field is not accurate. For some file systems, the real size of the file can only be computed after extraction. So take it as an approximation.

property filetype: str

The type of the virtual file as a short string, e.g. “PE”
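The following triage helper is an added example, not code from the Malcat documentation. It reads only the attributes documented above (type, imagebase, metadata, files and each virtual file's path, size and filetype). The function name, the watch list, the size threshold and the stand-in object built with SimpleNamespace are assumptions made for illustration, and all sample values are constructed.

```python
from types import SimpleNamespace


def triage_summary(analysis, watch=("PE",), size_hint_limit=50 * 1024 * 1024):
    """Summarise an Analysis-like object using only documented attributes."""
    # metadata is Dict[str, Dict[str, str]]: category -> {key: value}
    flat_meta = {
        f"{category}/{key}": value
        for category, entries in analysis.metadata.items()
        for key, value in entries.items()
    }
    embedded, oversized = [], []
    for vf in analysis.files:
        # filetype is a short string such as "PE"; flag nested programs
        if vf.filetype in watch:
            embedded.append(vf.path)
        # size is only an approximation before extraction: treat it as a
        # hint and enforce the real limit on the extracted bytes
        if vf.size > size_hint_limit:
            oversized.append(vf.path)
    return {
        "type": analysis.type,
        "imagebase": hex(analysis.imagebase),
        "metadata": flat_meta,
        "embedded_programs": sorted(embedded),
        "oversized_hint": sorted(oversized),
    }


def sample_analysis():
    """Constructed stand-in so the helper can run outside Malcat."""
    def vf(path, size, filetype):
        return SimpleNamespace(path=path, size=size, filetype=filetype)
    return SimpleNamespace(
        type="ZIP",  # constructed value
        imagebase=0,
        metadata={"Archive": {"Entries": "3"}, "Note": {"Origin": "constructed"}},
        files=[
            vf("docs/readme.txt", 120, "TXT"),
            vf("bin/setup.exe", 48_128, "PE"),
            vf("data/blob.bin", 900_000_000, ""),
        ],
    )


if __name__ == "__main__":
    # Inside a Malcat script, pass the malcat object instead of the stand-in.
    print(triage_summary(sample_analysis()))
```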