Search Syntax

Operator reference for the corpus search box


How queries work

A query is a list of whitespace-separated terms. Every term must match for a file to appear in the results. A term is either a bare hash (MD5, SHA-1, or SHA-256 hex) or a field:value filter. Wrap values that contain spaces in double quotes, e.g. app:"Microsoft Word 2019".

Operators

sig:RULE_ID
Files whose scan emitted this heuristic signature. See all heuristics for the rule list. Examples: sig:PDF_JAVASCRIPT, sig:OLE_VBA_AUTOEXEC. (Previously called tag:; renamed when analyst-applied tags became their own operator — old bookmarks of /#tag:RULE_ID are auto-translated.)
tag:NAME
Files an analyst has labelled with this tag (most commonly an APT actor name). Stored case-insensitively. Tags are letters, digits, underscore, hyphen, and dot only — max 64 characters. Examples: tag:APT30, tag:Lazarus, tag:FIN7-spinoff.
type:LABEL
Friendly file-type label: PDF, Office (OLE), Office (OOXML), RTF, Hangul (HWP), Microsoft Write, etc. Examples: type:PDF, type:"Office (OLE)".
app:VALUE
Substring match against the document-declared authoring application (e.g. Microsoft Word, Adobe Acrobat 11.0, iText). Case-insensitive. Examples: app:"Microsoft Word", app:iText.
url:VALUE
Match files by an embedded URL. Bare values match exactly — use * as a wildcard for substring, prefix, suffix, or multi-fragment matches. Case-insensitive. Needs at least 3 literal characters (wildcards don’t count). Examples: url:example.com (exact URL “example.com” only), url:*example.com* (any URL containing “example.com”), url:*.example.com/* (subdomain with any path), url:"example.com/path?id=". Wrap values containing spaces or shell-meaningful punctuation in double quotes.

Click-through: URLs in the results page and URL aggregate view are not hyperlinks — you won’t accidentally visit a malicious URL by clicking it. But the host and last path segment (filename) of each URL are dotted-underlined click targets. Click the host to find every sample referencing that host (url:*host*); click the filename to find samples linking to the same filename on any domain (url:*/filename). On the URL aggregate row, the rest of the URL still drills to samples containing the full URL.

verdict:VALUE
One of clean, suspicious, malicious.
created:DATE
Document-declared creation date. Accepts YYYY, YYYY-MM, YYYY-MM-DD, and ranges: >=DATE, <=DATE, DATE..DATE. A bare YYYY-MM matches any day in that month. Examples: created:2024, created:>=2023-01-01, created:2024-01..2024-06.
scanned:DATE
When the analyzer scanned the file. Same grammar as created:. Example: scanned:>=2026-05-01.
score:N
Aggregate risk score. The scorer sums severity weights across every heuristic that fired, so a sample with many CRITICAL detections can land well above 100 — the live corpus tops out near 1,000. Accepts an exact value, >=N, <=N, or N..M. Examples: score:>=60, score:500..1000.
size:N
File size in bytes. Suffixes K, M, and G are accepted (binary: 1M = 1,048,576 bytes). Examples: size:>=5M, size:100K..2M.
unknown:N (auth only)
Unknown-exploit score (0–100). Internal triage signal; only available when signed in. Examples: unknown:>=70, unknown:50..80.
nyx:N
Nyx ML classifier score, expressed as a 0–100 percentage (the underlying classifier emits a 0..1 probability; this operator rescales for grammar parity with score:). Only PDFs run through the classifier — rows without an ML result are excluded automatically. Examples: nyx:>=50, nyx:80..100.
hash:HEX
Explicit hash form (equivalent to a bare hex literal). MD5, SHA-1, or SHA-256. Example: hash:d41d8cd98f00b204e9800998ecf8427e.
sha:PREFIX
SHA-256 prefix match (4–64 hex characters). Example: sha:5bac28.

Examples

type:PDF sig:PDF_JAVASCRIPT score:>=40
  Every PDF whose scan emitted PDF_JAVASCRIPT and scored 40 or above.

type:"Office (OLE)" created:2024 verdict:malicious
  Legacy-format Office files declared as created in 2024 that the
  analyzer scored as malicious.

app:"Adobe Acrobat" sig:CVE_2018_4990
  Adobe-authored PDFs that triggered the CVE-2018-4990 heuristic.

sha:5bac28
  Any sample whose sha256 starts with 5bac28.

sig:PDF_JAVASCRIPT sig:PDF_EVAL type:PDF
  PDFs that fired both PDF_JAVASCRIPT and PDF_EVAL. Multiple sig:
  tokens AND together — useful for narrowing common rules.

tag:APT30 type:PDF
  PDFs an analyst has labelled with the APT30 actor tag.

url:*.example.com/* verdict:malicious
  Malicious files that embedded a URL on any subdomain of example.com.
  Multiple url: tokens AND together — useful for narrowing to
  a sample that references two specific hosts.
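The operator reference above and the example queries in this section describe one grammar: whitespace-separated terms, double-quoted values, bare hex hashes, numeric and date ranges, binary size suffixes, and * as the only url: wildcard. The following parser is an added example, not the analyzer's own code; it turns a query string into structured terms and rejects what the page says is rejected (free text, tags outside the allowed charset, url: values with fewer than 3 literal characters). The term regex, the dict layout of parsed terms and the function names are assumptions made for illustration.

```python
# Added example, not the analyzer's own code: a parser for the query grammar
# this page documents. Term regex, dict layout and function names are assumptions.
import calendar
import re

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}        # hex length -> algorithm
SIZE_SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # binary multipliers
TAG_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
VERDICTS = {"clean", "suspicious", "malicious"}
# A term is an optional field: prefix followed by a "quoted value" or a run of non-space characters.
TERM_RE = re.compile(r'(?:[A-Za-z]+:)?(?:"[^"]*"|[^\s"]+)')

def tokenize(query: str) -> list:
    """Split on whitespace while keeping double-quoted values intact."""
    return TERM_RE.findall(query)

def size_to_bytes(text: str) -> int:
    m = re.fullmatch(r"(\d+)([KMG])?", text)
    if not m:
        raise ValueError(f"bad size {text!r}")
    return int(m.group(1)) * SIZE_SUFFIX.get(m.group(2), 1)

def date_bounds(text: str) -> tuple:
    """Expand YYYY / YYYY-MM / YYYY-MM-DD to an inclusive (first, last) day pair."""
    m = re.fullmatch(r"(\d{4})(?:-(\d{2})(?:-(\d{2}))?)?", text)
    if not m:
        raise ValueError(f"bad date {text!r}")
    year, month, day = m.groups()
    if day:
        return text, text
    if month:
        last = calendar.monthrange(int(year), int(month))[1]
        return f"{year}-{month}-01", f"{year}-{month}-{last:02d}"
    return f"{year}-01-01", f"{year}-12-31"

def exact(conv):
    """Adapt a scalar converter to the (low, high) shape date_bounds returns."""
    return lambda text: (conv(text), conv(text))

def parse_range(value: str, bounds) -> tuple:
    """exact, >=X, <=X or X..Y -> (low, high); None means unbounded on that side."""
    if value.startswith(">="):
        return bounds(value[2:])[0], None
    if value.startswith("<="):
        return None, bounds(value[2:])[1]
    if ".." in value:
        lo, hi = value.split("..", 1)
        return bounds(lo)[0], bounds(hi)[1]
    return bounds(value)

def url_pattern(value: str) -> str:
    """Compile a url: value to an anchored regex; * is the only wildcard."""
    if len(value.replace("*", "")) < 3:
        raise ValueError("url: needs at least 3 literal characters")
    return "^" + ".*".join(re.escape(part) for part in value.split("*")) + "$"

def url_matches(value: str, url: str) -> bool:
    return re.search(url_pattern(value), url, re.IGNORECASE) is not None

def parse_term(term: str) -> dict:
    field, sep, raw = term.partition(":")
    if not sep:                                             # bare hex literal
        algo = HASH_ALGOS.get(len(term)) if re.fullmatch(r"[0-9a-fA-F]+", term) else None
        if algo is None:
            raise ValueError(f"free text is not supported: {term!r}")
        return {"field": "hash", "algo": algo, "value": term.lower()}
    value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    if field == "hash":
        return parse_term(value)
    if field == "sha":
        if not re.fullmatch(r"[0-9a-fA-F]{4,64}", value):
            raise ValueError("sha: wants a 4-64 character hex prefix")
        return {"field": "sha", "prefix": value.lower()}
    if field == "tag":
        if not TAG_RE.fullmatch(value):
            raise ValueError(f"bad tag {value!r}")
        return {"field": "tag", "value": value.lower()}          # stored case-insensitively
    if field == "verdict":
        if value not in VERDICTS:
            raise ValueError(f"bad verdict {value!r}")
        return {"field": "verdict", "value": value}
    if field in ("score", "unknown", "nyx"):
        return {"field": field, "range": parse_range(value, exact(int))}
    if field == "size":
        return {"field": "size", "range": parse_range(value, exact(size_to_bytes))}
    if field in ("created", "scanned"):
        return {"field": field, "range": parse_range(value, date_bounds)}
    if field == "url":
        return {"field": "url", "regex": url_pattern(value)}
    if field in ("type", "sig", "app"):
        return {"field": field, "value": value.lower() if field == "app" else value}
    raise ValueError(f"unknown operator {field}:")

def parse_query(query: str) -> list:
    """Every term must match a file: the caller ANDs the returned terms together."""
    return [parse_term(t) for t in tokenize(query)]
```

A call such as parse_query('type:"Office (OLE)" created:2024-01..2024-06 size:>=5M url:*.example.com/*') yields one dict per term; partial dates widen to whole months or years, so created:2024-01..2024-06 becomes the inclusive span 2024-01-01 to 2024-06-30, and the url: value compiles to an anchored regex that only a URL with a subdomain of example.com and a path can satisfy.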

Result limits

Anonymous searches are capped at 100 matches per query; the response is flagged so the listing UI can show a “sign in to see all” hint. Authenticated searches return every match, paginated.

The unknown: operator is the only one that strictly requires authentication. All other operators work for anonymous visitors.

The page size defaults to 50 rows; clients can request up to 50 via the limit query parameter on /api/search.

Notes

Tag intersections that match more than 50,000 files are refused with an error — narrow the query with type:, app:, a date range, or a score range.

created: compares document-declared metadata, not the scan time. Rows whose document has no creation date are excluded.

size: compares the analyzed file's on-disk size in bytes. Multi-byte counts are binary: 1K = 1,024 and 1M = 1,048,576.

Free-text terms aren't supported. Every term must be a hash literal or a recognised field:value operator.