Analyse It! is scheduled for a rebrand. Until the rebranding begins, it will continue to be known and referred to as Analyse It!
https://hea-p.com
Analyse It! User Guide
Your comprehensive guide to analyzing suspicious websites and files.
Table of Contents
- Introduction
- Getting Started
- Interface Overview
- Web Test View
- File Test View
- File Analysis Modal Deep Dive
- IoC Manager View
- CADY AI Assistant
- Settings
- Themes
- Troubleshooting (CORS Proxy)
Introduction
Welcome to Analyse It! This platform is designed to streamline the process of analyzing potentially malicious websites and files. It integrates with several leading threat intelligence APIs (VirusTotal, Hybrid Analysis, AbuseIPDB, Google Gemini) to provide comprehensive insights.
Whether you're testing the effectiveness of security solutions, investigating suspicious links, or analyzing malware samples, Analyse It! provides a centralized dashboard to manage your workflow.
Getting Started
Launching the App
When you first open the application, you'll see a welcome screen with an animated background. Click the "Let's Get Started" button to enter the main dashboard.
Initial Setup: API Keys
To unlock the full potential of Analyse It!, you'll need API keys for the integrated services. It's highly recommended to add these right away.
- Click the Menu icon (☰) in the top-left corner.
- Select Settings from the menu.
- Navigate to the API & Security tab.
- Enter your API keys for:
  - Gemini API Key: For AI-powered analysis and CADY assistant. Get one from Google AI Studio.
  - VirusTotal API Key: For URL scanning, file hash lookups, reputation checks. Requires a free VirusTotal account.
  - AbuseIPDB API Key: For IP address reputation checks. Requires a free AbuseIPDB account.
  - Hybrid Analysis API Key: For deeper file analysis (requires SHA256 hashes). Requires a free Hybrid Analysis account.
- API keys are stored in your browser's sessionStorage for security and are not persisted between sessions unless you use the State Management export/import feature.
- Consider setting up the Secure Mode with a Cloudflare Worker for enhanced privacy (see Settings section).
While the app can function without API keys, features like scanning, AI analysis, and reputation checks will be unavailable.
Interface Overview
The main interface consists of several key areas:
- Header: Displays the Menu button, the current Product Name (customizable in Settings), and context-specific action buttons (like "Scan URLs").
- Menu (☰): Slides out from the left, allowing navigation between the main views (Web Test, File Test, IoC Manager), opening Settings, launching CADY, and changing themes.
- Main Content Area: Displays the content for the currently selected view.
- Interactive Background: A dynamic, animated background (can be disabled in Settings for performance).
- Modals: Pop-up windows for detailed views (like URL testing, file analysis, settings, AI analysis).
- Toasts: Temporary notification messages appearing at the bottom-center of the screen.
Web Test View
This is the default view, designed for testing web filtering effectiveness or analyzing lists of URLs.
Adding URLs
- Open the Settings panel (Menu > Settings).
- Go to the Website Parsing tab.
- Paste your list of URLs (one per line) into the text area.
- Select the category for these URLs (Phishing or Malware).
- Click "Add URLs".
Understanding the Dashboard
- Stat Cards: At the top, you'll see key statistics: Total URLs, Tested URLs (Blocked + Missed), and Effectiveness %.
- Calculate & Analyze: This button calculates the effectiveness score based on tested URLs and uses the Gemini API (if configured) to generate an AI commentary on the results.
- Filter Controls: Buttons below the stats allow you to filter the displayed URLs by their status (All, Untested, Scanning, Scanned, Blocked, Missed, Dead).
- URL Grid: Displays cards for each added URL, showing its type, URL (truncated), and current status badge.
Manual Testing & Status Updates
- Click on any URL card in the grid.
- A modal window will appear showing the full URL.
- Click "Open in New Tab" to test the URL against your security product.
- After observing the result (blocked page, malicious content loaded, site unavailable), return to the modal.
- Click the appropriate button (Blocked, Missed, or Dead Link) to update the URL's status.
- The modal closes automatically.
VirusTotal Scanning
- Ensure your VirusTotal API Key is added in Settings.
- Click the "Scan URLs" button in the header.
- The app will queue all URLs currently marked as 'Untested' and begin submitting them to VirusTotal (respecting API rate limits).
- The status badge on URL cards will update to 'Scanning...'.
- After a short delay (approx. 15-20 seconds per URL), the status will change to 'Scanned', and the number of malicious detections found by VT will appear in parentheses (e.g., "Scanned (5)").
- Clicking a 'Scanned' URL card will show details about which VT engines flagged it as malicious.
- You can configure the minimum number of VT detections required to automatically flag a URL as malicious in Settings > VirusTotal > URL Detection Threshold (this only affects the display, not the Blocked/Missed status).
AI Analysis
After manually testing some URLs (updating their status to Blocked/Missed/Dead), click the "Calculate & Analyze" button. This provides an effectiveness score and, if the Gemini API key is configured, an AI-generated summary of the test results.
File Test View
This view allows you to analyze files using their cryptographic hashes (MD5, SHA1, SHA256) or by uploading the file directly.
Submitting Files
You have two options:
- By Hash: Paste an MD5, SHA1, or SHA256 hash into the input field and click the Search icon or press Enter.
- By Upload:
  - Drag and drop a file onto the designated drop zone.
  - Alternatively, click the drop zone to browse and select a file.
  - The file is hashed locally in your browser using the SHA-256 algorithm. The file content itself is not sent unless you explicitly upload it to VirusTotal/Hybrid Analysis (requires API keys).
  - After hashing, the SHA256 hash automatically populates the input field.
  - If API keys are configured, the app will attempt to upload the file to VirusTotal and/or Hybrid Analysis for scanning. Upload progress is shown briefly.
  - Finally, the app performs a lookup using the calculated hash.
Analysis Context (Sample Source)
Before the analysis begins, you'll be prompted to specify the file's origin (Email, Untrusted Website, Trusted Website, Other/Unknown). This context helps the AI tailor its behavioral risk scoring ('Aggressive' vs. 'Standard' stance).
Understanding Results
Once the lookup is complete (using VT and/or HA APIs if keys are provided), a result card appears:
- Displays basic file info (type, primary name, hash).
- Shows the VirusTotal detection score (malicious engines / total engines).
- Shows the Hybrid Analysis verdict (Malicious, Suspicious, Safe) if available.
- Clicking this card opens the detailed File Analysis Modal.
File Analysis Modal Deep Dive
This modal provides a comprehensive view of the analyzed file across several tabs.
Tabs Overview:
- Threat Factor (OTS): (Requires VT data) Calculates an Overall Threat Score based on multiple factors: sample origin, timestamp anomalies, engine consensus (VT/HA), and AI behavioral scoring. Provides a quick risk assessment.
- Summary: (Requires VT data) Shows basic file details (name, type, size, first seen) and hashes (MD5, SHA1, SHA256). Allows adding hashes to the IoC Manager. Displays the selected Analysis Stance (Aggressive/Standard).
- Detections: (Requires VT data) Lists all engines that detected the file as malicious, along with their specific detection names. Includes the VT Interpretation Heuristic score and commentary if enabled in Settings.
- Behaviour: (Requires VT data) Displays detailed sandbox behavioral data from VirusTotal, grouped by category (Commands, Network, Files Dropped/Opened/Written/Deleted, Registry Set/Deleted). You can add observed indicators (IPs, domains, hashes, paths, keys) directly to the IoC Manager. Also shows the AI Behavioural Threat Assessment score and verdict if enabled and calculated.
- Hybrid Analysis: (Requires HA data) Shows the HA verdict, threat score, MITRE ATT&CK techniques observed by HA, and contacted hosts/domains. Allows checking reputation and adding IoCs.
- AI Analysis: (Requires Gemini API Key & VT/HA data) Allows you to request an AI-generated analysis of the file based on the available VT/HA reports. You can choose the desired response length (Concise, Balanced, Expert).
- ATT&CK Matrix: (Requires Gemini API Key & VT Behaviour data) Generates a MITRE ATT&CK matrix by mapping observed sandbox behaviours to specific tactics and techniques using AI. Hover over techniques for details and click to view them on the official MITRE website.
Exporting Reports
Click the Download icon in the modal header to export a summary of the analysis findings (including details from most tabs) as a PDF document.
IoC Manager View
This view acts as a central repository for Indicators of Compromise gathered during your analyses.
Adding IoCs
- Manually: Enter the IoC value (e.g., `evil.com`, `1.2.3.4`, a file hash), select its type (Domain, IP, Hash, URL, etc.), and click "Add".
- From File Analysis: Use the '+' icon next to indicators in the File Analysis Modal (Summary, Behaviour, Hybrid Analysis tabs) to add them directly. The 'Source' column will show the SHA256 hash of the file from which the IoC originated.
Managing IoCs
- Viewing: The table displays the IoC value, type, source (manual or file hash), and the date added.
- Checking Reputation: For IP addresses and Domains, click the shield icon (🛡️) to check their reputation using AbuseIPDB (for IPs) or VirusTotal (for Domains), provided the respective API keys are configured. Results appear in a tooltip.
- Removing: Click the red 'X' icon to remove an IoC from the list.
Exporting IoCs
Use the buttons at the bottom ("Export as CSV", "Export as JSON") to download your collected IoCs for use in other security tools or reports.
CADY AI Assistant
CADY (Cyber Analysis & Defense AI) is your conversational AI partner, powered by Google Gemini.
Accessing CADY
- Open the Menu (☰).
- Click "Talk to CADY".
Using CADY
- Context-Aware: If you open CADY while viewing a file analysis (File Test view with results loaded), CADY automatically receives the VT and HA reports as context.
- Ask Questions: Type your questions about the current file analysis (e.g., "Summarize the malware's main goal", "What does the registry key modification signify?", "Generate detection rules for this file") into the input field and press Enter or click Send.
- Response Length: Use the toggles (Short, Medium, Expert) to control the detail level of CADY's responses.
- Requirements: CADY requires a valid Gemini API Key configured in Settings.
Settings
The Settings panel allows you to configure API keys, customize behavior, and manage application data.
Tabs Overview:
- Website Parsing:
  - Product Name: Customize the name displayed in the header and used in AI analysis prompts.
  - Parse & Add URLs: Add lists of URLs and categorize them.
  - Danger Zone: Clear all URLs currently loaded in the Web Test view (irreversible).
- API & Security:
  - Enter API keys for Gemini, VirusTotal, AbuseIPDB, and Hybrid Analysis.
  - Secure Mode: Configure a Cloudflare Worker URL to proxy API calls, avoiding the need for the public CORS proxy and keeping API keys more secure (requires setting up the provided worker code in your Cloudflare account).
  - Public CORS Proxy: Provides a link to activate the `cors-anywhere` public proxy if not using Secure Mode (required for most API calls to function due to browser security restrictions).
- VirusTotal:
  - URL Detection Threshold: Set the minimum VT detections needed to highlight a URL score in the modal.
  - Deduplicate Detections: (File Analysis) Hides similar detection names from lower-tier AV engines for clarity.
  - Enable Interpretation Heuristic: (File Analysis) Calculates and shows a weighted VT threat score and commentary.
- AI Behaviour:
  - Enable AI Behaviour Scoring: (File Analysis) Automatically uses Gemini to analyze sandbox behavior and provide a risk score/verdict.
  - Default AI Analysis Level: Sets the default detail (Concise, Balanced, Expert) for AI analyses requested automatically or manually.
- Performance:
  - Enable Background Animations: Toggle the interactive background animations on/off. Disabling may improve performance on less powerful devices.
- State Management:
  - Export State: Saves your current settings (including API keys stored in sessionStorage) to a JSON file. Useful for backups or transferring settings.
  - Import State: Loads settings from a previously exported JSON file.
Themes
You can change the visual appearance of the application.
- Open the Menu (☰).
- At the bottom of the menu, under the "Themes" heading, click on the desired theme (Slate, Light, Cyberpunk).
- The interface will update instantly. Your theme preference is saved locally.
Troubleshooting (CORS Proxy)
Modern web browsers enforce cross-origin restrictions (the same-origin policy, relaxed only when the API sends CORS headers) that prevent web pages from directly calling APIs on other domains (like VirusTotal, Gemini, etc.).
Solutions:
- Recommended: Secure Mode (Cloudflare Worker):
  - Go to Settings > API & Security.
  - Copy the provided Worker script.
  - Deploy it to your own Cloudflare account. Instructions are widely available on the Cloudflare website.
  - Paste your unique Worker URL (e.g., `https://my-worker.example.workers.dev`) into the "Cloudflare Worker URL" field in the settings.
  - Important: You must also add your API keys within the `API_KEYS` constant directly in the Cloudflare Worker code for this method to work securely. The keys entered in the app's settings panel are not used when a Worker URL is specified.
  - This method routes API calls through your own proxy, offering better privacy and reliability.
- Alternative: Public CORS Proxy:
  - Go to Settings > API & Security.
  - Click the "Activate Proxy" button under "Public CORS Proxy".
  - This opens the `cors-anywhere` demo page in a new tab. Click the button on that page to request temporary access for your browser.
  - Return to the Analyse It! tab. API calls should now work for your current browser session.
  - This method uses a free, public proxy which may have limitations or reliability issues. You might need to reactivate it periodically.
If API calls (like VT scanning or AI analysis) fail with "Forbidden" or network errors, it's almost always a CORS issue. Ensure you have either configured Secure Mode correctly or activated the public proxy.
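The Secure Mode described under Settings > API & Security and in the troubleshooting steps above works by keeping the API keys inside a Cloudflare Worker that the browser calls instead of the vendor APIs. The following is an added illustration of such a Worker, not the script the app provides: the route prefixes, header names, the allowed origin and the placeholder values in `API_KEYS` are assumptions.

```javascript
// Added illustration of a key-holding proxy Worker; not the script Analyse It! ships.
// Route prefixes, header names, the allowed origin and the key values are assumptions.
const API_KEYS = { // placeholders, filled in at deploy time (a Worker secret binding is better)
  virustotal: "REPLACE_WITH_VIRUSTOTAL_KEY",
  abuseipdb: "REPLACE_WITH_ABUSEIPDB_KEY",
};
// Allowlist of upstream APIs: anything else is refused, so this is not an open proxy.
const ROUTES = {
  "/vt/": { base: "https://www.virustotal.com/api/v3/", header: "x-apikey", key: "virustotal" },
  "/abuse/": { base: "https://api.abuseipdb.com/api/v2/", header: "Key", key: "abuseipdb" },
};
// Browser origins allowed to call the Worker (the CORS side of the problem).
const ALLOWED_ORIGINS = new Set(["https://hea-p.com"]);

// Map a path such as /vt/urls/<id> to its upstream URL plus the auth header to
// inject; null for unknown routes or paths that climb out of the API base.
function resolveUpstream(pathname, search, keys) {
  for (const [prefix, route] of Object.entries(ROUTES)) {
    if (!pathname.startsWith(prefix)) continue;
    const target = new URL(route.base + pathname.slice(prefix.length) + search);
    if (!target.href.startsWith(route.base)) return null;
    return { url: target.href, headerName: route.header, headerValue: keys[route.key] };
  }
  return null;
}

// CORS response headers, granted only to allowlisted origins.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
           "Access-Control-Allow-Headers": "Content-Type" };
}

const worker = { // in a deployed Worker this object is the `export default`
  async fetch(request) {
    const cors = corsHeaders(request.headers.get("Origin") || "");
    if (request.method === "OPTIONS") return new Response(null, { status: 204, headers: cors });
    const { pathname, search } = new URL(request.url);
    const target = resolveUpstream(pathname, search, API_KEYS);
    if (!target) return new Response("unknown route", { status: 404, headers: cors });
    const headers = new Headers(request.headers);
    ["origin", "cookie", "authorization"].forEach(h => headers.delete(h)); // no browser credentials upstream
    headers.set(target.headerName, target.headerValue); // the key is attached here, never in the browser
    const upstream = await fetch(target.url, { method: request.method, headers, body: request.body });
    const response = new Response(upstream.body, upstream);
    for (const [k, v] of Object.entries(cors)) response.headers.set(k, v);
    return response;
  },
};
```

The app would then call `https://<your-worker>/vt/...` and `https://<your-worker>/abuse/...` in place of the vendor hosts, and only the allowlisted origin receives a usable CORS response.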
© Analyse It! - Happy Analyzing!