Files Explanation

The Extracted URLs list shows a file count next to each entry, (2 files) for instance, which indicates how many decodings or other files were created when trying to decode JavaScript.

If this column shows (1 files), it means that there were no decodings and that a static scanner would be just as effective at detecting content. However, if there is more than one file, a decoding likely occurred, and jsunpack can match against additional content. A URL flagged as malicious that shows only (1 files) is less likely to actually be malicious, because attackers commonly hide their content when delivering exploits or other malicious content.

The Extracted URLs list displays files grouped by URL, so the original file that triggered the rule and all of the other files are connected to one another.

It is more common for an attacker to try to hide content and create 2 or more decodings. Jsunpack was originally designed to handle complicated cases where there were 5 stages of decoding. Although such cases are rare, generally the more decoding levels (and therefore files), the more likely the attacker is trying to hide something of value.
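
The relationship between decoding stages and the file count, as an added example (this is not jsunpack's own code). It assumes a single wrapper style, eval(unescape('...')), and uses constructed sample scripts and placeholder URLs; wrap, peel_layers and rank_by_files are hypothetical names.

```python
import re
from urllib.parse import quote, unquote

# One wrapper layer: eval(unescape('...')). This obfuscation style is an assumption.
LAYER = re.compile(r"""^\s*eval\(\s*unescape\(\s*(['"])(.*?)\1\s*\)\s*\)\s*;?\s*$""", re.S)


def wrap(script):
    """Build one constructed layer around a script (used only for sample data)."""
    return "eval(unescape('%s'));" % quote(script, safe="")


def peel_layers(script, max_stages=5):
    """Return the original script followed by one entry per successful decoding."""
    files = [script]
    while len(files) <= max_stages:
        match = LAYER.match(files[-1])
        if not match:
            break  # nothing left to decode; a static scanner sees the same content
        files.append(unquote(match.group(2)))
    return files


def rank_by_files(scripts_by_url):
    """Group results by URL and sort so the most heavily layered URLs come first."""
    rows = [(url, len(peel_layers(src))) for url, src in scripts_by_url.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample input: benign payload, placeholder URLs.
PLAIN = "document.title = 'benign sample';"
SAMPLES = {
    "http://plain.example.test/a.js": PLAIN,
    "http://layered.example.test/b.js": wrap(wrap(PLAIN)),
}

if __name__ == "__main__":
    for url, count in rank_by_files(SAMPLES):
        print("%s (%d files)" % (url, count))
```

A rule written against the plain script text only matches the layered sample after both layers are peeled, which is why a higher file count gives more content to match against.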

Thanks for using jsunpack!