Entropy, magic bytes and disguised files
A file has no will, but it has a character: the distribution of its bytes. Text, images, executables and encrypted data have different, recognisable statistics. Entropy measures that character in a single number — and like every single number, it says something true and invites you to conclude too much.
What entropy measures
Shannon entropy answers a precise question: how much surprise is there, on average, in each byte?
If a file contains nothing but the letter A, the next byte is predictable with certainty: zero surprise, zero entropy. If every byte is drawn at random from the 256 possible values, each byte is maximally unpredictable: entropy reaches 8 bits per byte, the theoretical ceiling.
Everything else lives between those extremes. English prose sits around 4–4.5 bits per byte: vowels abound, q is rare, spaces recur. An executable has repetitive structures. A JPEG, already compressed, is nearly indistinguishable from noise.
The single number lies by omission
A 100 MB text file with a 200 KB encrypted block buried inside has a low overall entropy: the anomaly drowns in the average.
That is why Probatio computes not one number but sixty-four, one per slice of the file. This is the entropy sparkline, and it answers the right question: not «is this file random?» but «where, inside this file, do the bytes turn random?»
The file says one thing, the bytes say another
A file's extension is a social convention: rename it and it changes. But nearly every format opens with a characteristic byte sequence, the magic number: %PDF for PDFs, PK for ZIPs, ÿØÿ for JPEGs.
Probatio reads those bytes, infers the real format, and compares it with the declared extension. An invoice.jpg beginning with PK is a ZIP in disguise. Not necessarily malicious — necessarily in need of explanation.
Polyglots
Subtler still: a file can be valid in two formats at once. A PDF that is also a ZIP, a GIF that is also a script. It works because many formats ignore surplus bytes: the PDF hunts for its structure, the ZIP hunts for its index at the tail, and the two never collide.
Probatio looks for signatures of other formats at offsets greater than zero — ZIP, PDF, ELF, PNG, JPEG, GIF, GZIP, RAR, 7Z — and flags them. A ZIP archive beginning halfway through an image is, at the very least, an unusual choice.
If it is an executable
For PE (Windows), ELF (Linux) and Mach-O (macOS), Probatio digs deeper: architecture, bitness, entry point, section list, imported libraries.
- Authenticode signature — if the PE is signed, the signature's presence is detected (a different thing from verifying it).
- imphash — the MD5 of the normalised import table. Two binaries compiled from the same source under different names keep the same imphash: it groups families. PE only: it is not computed for ELF or Mach-O.
- Packer — from section names it recognises UPX, ASPack, Themida, VMProtect, MPRESS, PECompact, Enigma and others.
An executable packed with UPX has very high entropy and recognisable sections. That makes it suspicious, not malicious: packing reduces size, and legitimate software has used it for thirty years.
YARA: hunting patterns, not anomalies
Where entropy says «the bytes are strange here», YARA says «exactly this is here». It is a rule language describing strings and binary sequences to search for inside files.
Probatio runs the rules through yara-x, the pure-Rust implementation, and downloads the rule set from an online endpoint. It does not use the native libyara library.
The two techniques are complementary: YARA finds what someone has already described; entropy flags what nobody has described yet.
Putting the indicators together
- Overall entropy — frame the file. High? Probably compressed or encrypted. No alarm yet.
- Sparkline — look for the discontinuity. An isolated spike in an ordered file is the most interesting thing in the whole analysis.
- Magic bytes — is the file what it claims to be?
- Polyglot — is there something else, further in?
- If it is an executable — packer, imphash, signature, sections.
- YARA — does it match something known?
- Open the hex viewer at the suspicious offset. None of the six preceding steps replaces looking.
The sentence never to write
«The file shows entropy 7.9, indicative of encrypted or malicious content.»
Entropy 7.9 is indicative of content with high information density. Every JPEG on your phone sits at 7.9. Every ZIP, every MP4, every PDF with images in it. The correct sentence establishes a contrast: «the file, declared as a text document, shows entropy 7.9 — a value incompatible with that format and typical of compressed or encrypted data».
The difference between those two sentences is not stylistic. The first is false. The second is an observation that holds, and it points to the next step: open the file and look.